CISA Admin Leaked AWS GovCloud Keys on GitHub — What Happened and Why It Matters
The agency responsible for protecting America's digital infrastructure just found itself at the center of one of the most embarrassing government data leaks in recent memory. A contractor working for the Cybersecurity and Infrastructure Security Agency (CISA) accidentally published the agency's most sensitive cloud credentials — including AWS GovCloud admin keys and dozens of plaintext passwords — to a public GitHub repository that stayed visible for six months.
This was not a sophisticated hack. No nation-state attacker was needed. No zero-day exploit was used. A single contractor treated a public code repository like a personal file-sync folder — and switched off the platform's built-in safety net in the process.
This guide covers exactly what was exposed, how it was discovered, why it is so dangerous, and what it means for government cybersecurity in 2026.
What Happened
A contractor employed by Nightwing — a government services firm based in Dulles, Virginia — created a public GitHub repository titled "Private-CISA." The repository contained administrative credentials to three Amazon AWS GovCloud servers, dozens of plaintext usernames and passwords for internal CISA systems, Kubernetes configuration files, Artifactory access credentials, and sensitive DevSecOps environment details.
The repository was created on November 13, 2025. It was not taken down until mid-May 2026 — a window of roughly six months during which anyone on the internet could have accessed it.
Making it worse: the commit logs showed that the contractor had deliberately disabled GitHub's built-in secret-detection feature — the tool specifically designed to prevent exactly this kind of exposure.
How It Was Discovered
Guillaume Valadon, a researcher at GitGuardian — a company that continuously scans public code repositories for exposed secrets — flagged the exposure on May 15, 2026. GitGuardian's automated system had already tried to alert the account owner, but received no response. The material's extreme sensitivity prompted Valadon to escalate directly.
Philippe Caturegli, founder of security consultancy Seralys, independently verified that the exposed AWS keys could authenticate to CISA's cloud accounts at a high privilege level. He tested the keys only to confirm they were real and to understand which systems they could access.
What Was Exposed
The "Private-CISA" repository contained a large number of highly sensitive files. Here is what researchers found inside it.
| File Name | What It Contained |
|---|---|
| importantAWStokens.txt | Admin credentials to 3 high-privilege AWS GovCloud accounts |
| AWS-Workspace-Firefox-Passwords.csv | Plaintext usernames and passwords for dozens of internal CISA systems |
| kube-config.txt | Kubernetes configuration — access to container infrastructure |
| Artifactory credentials | Access to CISA's internal software package repository used in every build |
| LZ-DSO config | Landing Zone DevSecOps environment — CISA's secure code development setup |
| Browser bookmark exports | Internal tool URLs and AWS workspace links |
Why This Is So Dangerous
The AWS key exposure alone would be serious enough. But Caturegli highlighted the Artifactory access as particularly alarming. Artifactory is CISA's internal software package repository — every piece of software the agency builds pulls packages from it. An attacker with access to Artifactory could silently insert malicious code into those packages. Every new build, every new deployment, would then automatically carry the attacker's backdoor.
"Backdoor some software packages, and every time they build something new they deploy your backdoor left and right. That would be a prime place to move laterally," Caturegli said.
This is a textbook software supply chain attack — the same category of attack used in major incidents like the SolarWinds breach. The only difference here is that the attacker would not even need to break in. The keys were sitting in public.
On top of that, the passwords in the repository followed a dangerously predictable pattern — the name of the platform followed by the current year. Security professionals call this one of the first things attackers try after gaining any foothold on a network.
The 48-Hour Problem
Even after the GitHub repository was taken offline, the exposed AWS credentials were not immediately revoked. They remained valid and fully usable for a further 48 hours after the repository's removal. Any attacker who had already copied the keys during the six-month window could have continued accessing CISA's cloud infrastructure long after the public exposure was closed.
This is a critical failure in incident response. The first step when credentials are exposed is to revoke them immediately — not days later.
What Valadon Said
"Passwords stored in plain text in a CSV, backups in Git, explicit commands to disable GitHub's secrets detection feature. I honestly believed it was all fake before analyzing the content deeper. This is the worst leak I have witnessed in my career. It is obviously an individual's mistake, but I believe it might reveal internal practices."
— Guillaume Valadon, GitGuardian
Why the Contractor Did This
Caturegli's analysis of the GitHub account suggests the contractor was using the repository as a makeshift sync tool — a way to move files between a work laptop and a home computer. The account used both a CISA-associated email address and a personal email, and had been receiving regular commits since November 2025.
This was not a one-time mistake. It was a sustained, recurring practice that went undetected for half a year.
"What I suspect happened is the CISA contractor was using this GitHub to synchronize files between a work laptop and a home computer, because he has regularly committed to this repo since November 2025. This would be an embarrassing leak for any company, but it's even more so in this case because it's CISA," Caturegli said.
CISA's Official Response
CISA issued the following statement in response to questions: "Currently, there is no indication that any sensitive data was compromised as a result of this incident. While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences."
The agency has not confirmed how long it was unaware of the exposure, whether any unauthorized access occurred during the six-month window, or why the AWS credentials were not revoked immediately upon discovery. Nightwing declined to comment and directed all inquiries to CISA.
What You Can and Cannot Do With Exposed Credentials
| Action | Status |
|---|---|
| Authenticate to AWS GovCloud at the admin level | Yes — keys were verified as valid |
| Access internal CISA systems using leaked passwords | Yes — dozens of systems exposed |
| Insert backdoors via Artifactory packages | Yes — Artifactory credentials were included |
| Move laterally inside the CISA infrastructure | Yes — Kubernetes config included |
| Access the repo after it was taken down | No, but AWS keys still worked for 48 more hours |
The Bigger Picture
CISA is the same agency that publishes advisories warning government departments and private companies about credential hygiene, secrets management, and supply chain security. The agency exists specifically to prevent this kind of breach across U.S. infrastructure.
The irony could not be more stark. CISA did not get hacked by a sophisticated adversary. It was undone by one contractor using a public repository as a file-sync tool while actively disabling the platform's safety net. Six months. Fully open. Anyone could have taken those keys.
Frequently Asked Questions: CISA AWS GovCloud Key Leak
Q1. What exactly did the CISA contractor leak?
The contractor leaked AWS GovCloud admin credentials, plaintext usernames and passwords for dozens of CISA internal systems, Kubernetes configuration files, Artifactory access keys, and browser bookmark exports — all inside a public GitHub repository titled "Private-CISA."
Q2. How long was the data publicly exposed?
The repository was created on November 13, 2025, and was not taken down until mid-May 2026 — approximately six months of open public access. The exposed AWS keys remained valid for a further 48 hours after the repository was removed.
Q3. Was any data actually stolen?
CISA stated there is currently no indication that sensitive data was compromised. However, the agency has not confirmed whether any unauthorized access occurred during the six-month window or in the 48 hours after the delayed key revocation.
Q4. Who discovered the leak?
Guillaume Valadon, a researcher at GitGuardian, discovered the exposure. GitGuardian's automated scanning system flagged the credentials and attempted to alert the account owner, but received no response. Valadon then escalated it directly.
Q5. Why was the Artifactory leak so dangerous?
Artifactory is CISA's central software package repository. Every piece of software the agency builds pulls packages from it. An attacker with access could insert malicious code into those packages, meaning every new CISA build would automatically deploy their backdoor across the agency's systems.
Q6. Who was the contractor and which company do they work for?
The contractor was employed by Nightwing, a government services firm headquartered in Dulles, Virginia. Nightwing declined to comment and directed all inquiries to CISA.
Q7. Could this happen again?
Yes — unless organizations enforce strict secrets management policies, regularly audit contractor access, and ensure secret-scanning tools are never disabled. The pattern seen here — using a public repo as a sync tool — is more common than most people realize.
The Bottom Line
The CISA AWS GovCloud key leak is a powerful reminder that cybersecurity failures are very often human failures. No amount of advanced threat detection helps if a contractor disables the basic safety net and uses a public code repository as a personal file-sharing folder.
For anyone managing code repositories — even personal ones — the lesson is clear: never store credentials, API keys, tokens, or passwords in any Git repository. Enable secret scanning. Revoke exposed credentials immediately. And never use platform names plus years as your passwords.
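As an added illustration of the "enable secret scanning" advice above (this is example code, not code from the article, GitHub, or GitGuardian), here is a minimal pre-commit scanner that flags the shapes of material the leaked repo held: AWS access key IDs and secret keys, kubeconfig credentials, and browser password exports whose passwords follow the "platform name plus year" pattern. The sample file contents are constructed, and the regexes are simplified heuristics rather than a substitute for a real secret-scanning product.

```python
import csv
import re
import sys
from pathlib import Path

# Simplified patterns for the kinds of files the article says the repo contained.
CHECKS = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "aws-secret-access-key": re.compile(r"(?i)secret[_ -]?(?:access[_ -]?)?key\W{0,5}[A-Za-z0-9/+]{40}\b"),
    "kubeconfig-credential": re.compile(r"^\s*(?:token|client-key-data|client-certificate-data|password):\s*\S+", re.M),
}
YEAR_PASSWORD = re.compile(r"^[A-Za-z]{3,}[-_]?(?:19|20)\d{2}[!@#$%*]*$")  # "Platform2025"-style

# Constructed samples shaped like the leaked files; the key values are AWS's documentation examples, not real.
SAMPLE_TOKENS = "prod: AKIAIOSFODNN7EXAMPLE\naws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
SAMPLE_KUBE = "users:\n- name: admin\n  user:\n    token: eyJhbGciOi.constructed\n"
SAMPLE_CSV = "url,username,password\nhttps://artifactory.example,svc,Artifactory2025\n"

def _scan_password_csv(text: str) -> list[str]:
    """A browser password export is a secret by definition; also flag guessable values row by row."""
    reader = csv.DictReader(text.splitlines())
    cols = {f.lower(): f for f in (reader.fieldnames or [])}
    if "password" not in cols:
        return []
    findings = []
    for row in reader:
        pw = (row.get(cols["password"]) or "").strip()
        if pw and YEAR_PASSWORD.match(pw):
            findings.append("guessable-password:" + (row.get("url") or "?"))
    return ["plaintext-password-export"] + findings

def scan_text(name: str, text: str) -> list[str]:
    """Return finding labels for one file's content; an empty list means clean."""
    findings = [label for label, rx in CHECKS.items() if rx.search(text)]
    if name.lower().endswith(".csv"):
        findings.extend(_scan_password_csv(text))
    return findings

def main(paths: list[str]) -> int:
    """Hook entry point: call with the staged file list (git diff --cached --name-only)."""
    status = 0
    for p in paths:
        for finding in scan_text(p, Path(p).read_text(errors="replace")):
            print(f"BLOCKED {p}: {finding}")
            status = 1  # non-zero exit makes git abort the commit
    return status

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Wire it into `.git/hooks/pre-commit` so the commit is refused before anything reaches a remote; the article's point stands that such a hook only helps if it is not switched off.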
For an agency whose entire mission is to protect U.S. digital infrastructure from exactly this kind of exposure, the embarrassment could not run deeper.