CISA Admin Leaked AWS GovCloud Keys on GitHub: A Devastating Data Breach
The Cybersecurity & Infrastructure Security Agency (CISA) has been rocked by a devastating data breach, with a contractor exposing sensitive AWS GovCloud keys and internal CISA systems credentials on a public GitHub repository. The breach, which was reported by KrebsOnSecurity and security consultancy Seralys, represents one of the most egregious government data leaks in recent history.
The Breach: A Textbook Example of Poor Security Hygiene
The GitHub repository, named "Private-CISA," was maintained by a CISA contractor and harbored a vast number of internal CISA/DHS credentials and files, including cloud keys, tokens, plaintext passwords, logs, and other sensitive CISA assets. The exposed CISA credentials represent a textbook example of poor security hygiene, with the contractor disabling the default setting in GitHub that blocks users from publishing SSH keys or other secrets in public code repositories.
"Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature," wrote Guillaume Valadon, a researcher with the security firm GitGuardian, in an email. "I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I've witnessed in my career. It is obviously an individual's mistake, but I believe that it might reveal internal practices."
The Exposed Files: A Treasure Trove of Sensitive Information
The "Private CISA" repository exposed dozens of plaintext credentials for important CISA GovCloud resources, including administrative credentials to three Amazon AWS GovCloud servers. Another file, titled "AWS-Workspace-Firefox-Passwords.csv," listed plaintext usernames and passwords for dozens of internal CISA systems. According to Philippe Caturegli, founder of Seralys, those systems included one called "LZ-DSO," which appears short for "Landing Zone DevSecOps," the agency's secure code development environment.
The Implications: A Prime Target for Malicious Attackers
The exposed credentials could authenticate to three AWS GovCloud accounts at a high privilege level, and the archive also includes plaintext credentials to CISA's internal "artifactory" – essentially a repository of all the code packages they are using to build software. This would represent a juicy target for malicious attackers looking for ways to maintain a persistent foothold in CISA systems.
"That would be a prime place to move laterally," said Caturegli. "Backdoor in some software packages, and every time they build something new they deploy your backdoor left and right."
The Response: A CISA Spokesperson's Statement
In response to questions, a spokesperson for CISA said the agency is aware of the reported exposure and is continuing to investigate the situation.
"Currently, there is no indication that any sensitive data was compromised as a result of this incident," the CISA spokesperson wrote. "While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences."
The Contractor's Account: A Review of the GitHub Repository
A review of the GitHub account and its exposed passwords shows the "Private CISA" repository was maintained by an employee of Nightwing, a government contractor based in Dulles, Va. Nightwing declined to comment, directing inquiries to CISA.
The Duration of the Data Exposure: A Question Mark
CISA has not responded to questions about the potential duration of the data exposure, but Caturegli said the Private CISA repository was created on November 13, 2025. The contractor's GitHub account was created back in September 2018.
The GitHub Account's Status: Offline
The GitHub account that included the Private CISA repo was taken offline shortly after both KrebsOnSecurity and Seralys notified CISA about the exposure. But Caturegli said the exposed AWS keys inexplicably continued to remain valid for another 48 hours.
The Implications for CISA: A Fraction of Its Normal Budget and Staffing Levels
CISA is currently operating with only a fraction of its normal budget and staffing levels. The agency has lost nearly a third of its workforce since the beginning of the second Trump administration, which forced a series of early retirements, buyouts, and resignations across the agency's various divisions.
The Contractor's Practices: A Serious Security Threat
The now-defunct Private CISA repo showed the contractor also used easily-guessed passwords for a number of internal resources; for example, many of the credentials used a password consisting of each platform's name followed by the current year. Caturegli said such practices would constitute a serious security threat for any organization even if those credentials were never exposed externally, noting that threat actors often use key credentials exposed on the internal network to expand their reach after establishing initial access to a targeted system.
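An added example, not part of the original reporting and not CISA or GitHub tooling: a check a defender could run over a repository's files before publishing, flagging the patterns described above (AWS access key IDs, a browser password-export CSV, and passwords made of a platform's name plus a year). The file names, hostnames, rule names and the CSV column layout (url, username, password) are assumptions, and all sample values are constructed.

```python
import csv
import io
import re
from urllib.parse import urlparse

# AWS access key IDs: "AKIA" (long-term) or "ASIA" (temporary) plus 16 characters.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# A stem, then a four-digit year, then optional trailing punctuation.
NAME_YEAR = re.compile(r"^([A-Za-z][A-Za-z0-9-]*?)[\W_]*((?:19|20)\d{2})[\W_]*$")

def is_platform_year(url, password):
    """True when the password is a hostname label of `url` followed by a year."""
    m = NAME_YEAR.match(password)
    host = urlparse(url).hostname or ""
    return bool(m) and m.group(1).lower() in host.lower().split(".")

def scan(path, text):
    """Return sorted (path, line, rule) findings for one file's text."""
    hits = {(path, n, "aws-access-key-id")
            for n, line in enumerate(text.splitlines(), 1)
            if AWS_KEY_ID.search(line)}
    if path.lower().endswith(".csv"):
        reader = csv.reader(io.StringIO(text))
        header = [c.strip().lower() for c in next(reader, [])]
        if {"url", "username", "password"} <= set(header):
            hits.add((path, 1, "password-export-csv"))
            for row in reader:
                rec = dict(zip(header, row))
                if is_platform_year(rec.get("url", ""), rec.get("password", "")):
                    hits.add((path, reader.line_num, "platform-year-password"))
    return sorted(hits)

# Constructed sample inputs; the key ID is AWS's documentation placeholder.
SAMPLES = {
    "deploy/env.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "backup/passwords.csv": (
        '"url","username","password"\n'
        '"https://jenkins.example.internal","admin","Jenkins2025!"\n'
        '"https://wiki.example.internal","svc","k7#Qz!fP0x2LmV9r"\n'
    ),
}

def scan_all(files):
    return [hit for path, text in sorted(files.items()) for hit in scan(path, text)]

if __name__ == "__main__":
    for finding in scan_all(SAMPLES):
        print(*finding, sep=":")
```

A check like this complements, rather than replaces, the platform's own secret-detection setting that the contractor had disabled.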
Conclusion: A Devastating Data Breach with Far-Reaching Implications
A CISA admin leaked AWS GovCloud keys on GitHub, exposing sensitive information in one of the most egregious government data leaks in recent history. The breach highlights the importance of proper security hygiene and the need for organizations to take proactive measures to prevent such incidents. As CISA continues to investigate the situation, it is clear that the implications of this breach will be far-reaching and have significant consequences for the agency and the government as a whole.
Source: https://krebsonsecurity.com/2026/05/cisa-admin-leaked-aws-govcloud-keys-on-github/




