CISA Contractor Exposes Sensitive AWS Credentials on Public GitHub

CISA Contractor Exposes Sensitive AWS Credentials on Public GitHub

First seen 19 May 2026, 09:19 UTC Feeds.FeedburnerGbhackersBlog.GitguardianCybersecuritynewsTechnadu+35 89% similarity 69.0

Article Content

Browse articles
ThreatCluster

A contractor for the U.S. Cybersecurity and Infrastructure Security Agency (CISA) left a public GitHub repository named 'Private-CISA' exposed for six months, containing sensitive credentials including AWS GovCloud access keys and internal CISA system passwords. Discovered by GitGuardian researcher Guillaume Valadon on May 14, 2026, the repository included files such as 'importantAWStokens' and 'AWS-Workspace-Firefox-Passwords.csv', which detailed access to critical infrastructure. The repository was created on November 13, 2025, and remained accessible until it was taken down on May 15, 2026, after Valadon alerted CISA. Despite the quick response, some credentials remained valid for an additional 48 hours, raising concerns about potential exploitation. CISA has stated there is currently no evidence that sensitive data was compromised as a result of the incident. The leak highlights significant lapses in security practices, especially given CISA's role in advising on cybersecurity.

Key Points: • A public GitHub repository exposed sensitive AWS GovCloud credentials for six months. • The repository contained plaintext passwords and access tokens for multiple internal CISA systems. • CISA has confirmed no evidence of data compromise, but some credentials remained valid for 48 hours post-disclosure.

ThreatCluster AI

Timeline

2025-03-15
CVE-2025-30066 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2025-11-13
Private-CISA repository created
A GitHub repository named 'Private-CISA' was created by a CISA contractor, containing sensitive information.
Csoonline
2026-05-14
Repository discovered by GitGuardian
Guillaume Valadon of GitGuardian found the exposed repository and alerted CISA.
Csoonline
2026-05-15
CISA takes down repository
CISA took down the exposed repository within 26 hours of being notified by Valadon.
Techcrunch
2026-05-15
Exposed credentials remained valid
Some AWS keys remained valid for 48 hours after the repository was taken down, raising security concerns.
Techcrunch
2026-05-19
CISA confirms no data compromise
CISA stated there is currently no indication that any sensitive data was compromised as a result of the incident.
Csoonline

Community

Browse all →