Wasteland.
▣ Breach CISA-AWS-GOVCLOUD 2026-05-18

CISA: Contractor Leaks AWS GovCloud Keys on Public GitHub

A contractor for the Cybersecurity and Infrastructure Security Agency (CISA) exposed credentials to multiple highly privileged AWS GovCloud accounts and a wide swath of internal CISA systems through a public GitHub repository named "Private-CISA." The exposure was flagged to KrebsOnSecurity on May 15 by GitGuardian researcher Guillaume Valadon, who described it as the worst leak he has seen in his career. Philippe Caturegli of Seralys independently confirmed the credentials authenticated to three AWS GovCloud accounts at high privilege levels.

What Happened

GitGuardian, which continuously scans public code platforms for exposed secrets, identified the "Private-CISA" repository after its automated alerts to the repository owner went unanswered. The archive belonged to a CISA contractor and contained cloud keys, API tokens, plaintext passwords, system logs, build pipeline documentation, and other sensitive operational assets tied to CISA and its parent agency, the Department of Homeland Security. Commit history reviewed by Valadon shows the administrator had explicitly disabled GitHub's default push protection feature, which is designed to block secrets such as SSH keys and access tokens from being committed to public repositories. The repository was taken offline over the weekend prior to publication.

What Was Taken

The exposed material reportedly included credentials for three AWS GovCloud accounts at a high privilege level, plaintext credentials to CISA's internal Artifactory instance (the repository housing all code packages used to build agency software), passwords stored in plaintext within CSV files, backup archives committed directly to the git history, and internal documentation describing how CISA builds, tests, and deploys software. Because GovCloud is the AWS environment purpose-built for U.S. government workloads with regulated data, privileged credentials there carry a significant blast radius. Access to the Artifactory instance would additionally allow tampering with the supply chain of software components consumed across CISA development pipelines.

Why It Matters

CISA is the federal agency tasked with defending civilian government networks and coordinating national cyber defense, which makes a leak of this nature particularly damaging to public trust and operational security. The combination of cloud control plane access and software supply chain access is the worst-case pairing for a defender: an adversary in possession of these secrets could pivot between infrastructure manipulation in GovCloud and poisoning of build artifacts distributed internally. Even after rotation, agencies must assume any system that consumed packages from the Artifactory or interacted with the affected GovCloud accounts during the exposure window requires forensic review. The incident also underscores that contractor accounts remain a soft underbelly of federal cybersecurity, often operating with elevated access but inconsistent enforcement of platform safeguards.

The Attack Technique

This was a self-inflicted exposure rather than an external intrusion. The contractor committed sensitive material directly to a public repository and actively disabled GitHub's native push protection, the platform feature that would otherwise have blocked the commits containing detectable secrets. There is no public indication yet of whether unauthorized parties accessed or exploited the credentials during the window the repository was live, but GitGuardian's discovery model assumes that any secret committed to a public repository should be treated as compromised the moment it is pushed, given the prevalence of automated scrapers monitoring GitHub's event stream.
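A local check in the same spirit as push protection, as an added example that is not from the original brief and is not GitHub's or GitGuardian's code: it flags AWS access key IDs and non-empty credential-like columns in CSV files, the two kinds of material named above. The regex, the column names, the `scan_*` function names and the sample files are assumptions made for illustration.

```python
import csv
import io
import re

# Commonly used heuristic for AWS access key IDs: AKIA (long-term) or ASIA
# (temporary) followed by 16 uppercase alphanumerics. Not exhaustive.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Assumed header names that suggest a credential column in a CSV file.
SECRET_COLUMNS = {"password", "passwd", "pwd", "secret", "token", "api_key"}

def scan_text(path, text):
    """Return (path, line_no, rule) findings for AWS key IDs in any text file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if AWS_KEY_ID.search(line):
            findings.append((path, line_no, "aws-access-key-id"))
    return findings

def scan_csv(path, text):
    """Flag CSV rows holding a non-empty value under a credential-like header."""
    findings = []
    reader = csv.DictReader(io.StringIO(text))
    for row in reader:
        for column, value in row.items():
            # column is None for surplus fields; value is None for missing ones.
            if column and column.strip().lower() in SECRET_COLUMNS and (value or "").strip():
                findings.append((path, reader.line_num, "plaintext-credential-column"))
    return findings

def scan_staged(files):
    """Scan a {path: content} mapping, as a pre-commit hook would for staged files."""
    findings = []
    for path, text in files.items():
        findings += scan_text(path, text)
        if path.lower().endswith(".csv"):
            findings += scan_csv(path, text)
    return findings

# Constructed sample input; the key ID is the placeholder used in AWS documentation.
SAMPLE = {
    "deploy/env.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nexport REGION=us-gov-west-1\n",
    "ops/accounts.csv": "host,user,password\nbuild01,svc-ci,Example-Passw0rd\nbuild02,svc-ro,\n",
    "README.md": "Build notes only.\n",
}

if __name__ == "__main__":
    for finding in scan_staged(SAMPLE):
        print("BLOCK commit:", finding)
```

A check like this only covers files as staged; backup archives and secrets already present in git history need a full-history scan and credential rotation.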

What Organizations Should Do

Sources: CISA Admin Leaked AWS GovCloud Keys on Github – Krebs on Security