The Cybersecurity and Infrastructure Security Agency has published an after-action review confirming that a contractor exposed AWS GovCloud keys, administrative and build credentials, and Infrastructure-as-Code files in a public GitHub repository for roughly six months. CISA began its response on Friday, May 15, 2026, after an investigative reporter flagged the internal credentials. The agency says forensic evidence shows the credentials were not used outside its own environments, and no customer or mission data was exposed. Security firm GitGuardian's account puts the exposed repository at approximately 844MB across its working tree and Git history.
What Happened
The exposure did not originate from CISA's official GitHub organization. According to the agency's "Lessons from CISA's Cyber Incident" report, a contracted employee copied build and deployment repositories from the development environment into a personal GitHub account, reportedly to automate the creation of cloud infrastructure. That personal repository was public.
CISA learned of the problem only when an investigative reporter contacted the agency on May 15, 2026. The reporter had been tipped by a security researcher whose company continuously scans public repositories for exposed secrets, and that researcher kept feeding information to CISA throughout the investigation. The Office of the Chief Information Officer immediately prioritized eliminating the public exposure and preventing further harm.
What Was Taken
The public repository was a near-complete picture of how CISA builds and ships software. It contained AWS GovCloud access keys, administrative and build credentials tied to the development environment, and detailed information about the agency's software deployment setup.
GitGuardian's breakdown of the roughly 844MB of data describes a comprehensive haul: CI/CD logs, Terraform code, Kubernetes manifests, ArgoCD files, GitHub Actions workflows, internal documents, scripts, and credentials. The dangerous part was not any single secret but the combination. Live credentials sat alongside the technical documentation and Infrastructure-as-Code that explained exactly how the environment worked, handing any finder both the keys and the map. CISA reported no confirmed external misuse of the credentials and no evidence that customer or mission data was exposed.
Why It Matters
This is a textbook insider-driven cloud exposure, and it landed on the agency whose mission is to help everyone else avoid it. No adversary breached a perimeter. A trusted contractor moved sensitive repositories to a convenient personal account, and automated secret-scanning bots that crawl GitHub around the clock did the rest. The six-month window is the number defenders should sit with. Exposed cloud keys are typically discovered by attackers within minutes to hours, so a half-year of public visibility for GovCloud admin credentials is an extraordinary amount of dwell-time risk, even if forensics ultimately found no abuse.
The incident also underscores that Infrastructure-as-Code is sensitive intelligence in its own right. Terraform, Kubernetes manifests, and ArgoCD definitions describe the blast radius of a compromise before a single credential is used. When that context leaks next to working keys, the attacker's reconnaissance phase is done for them.
The Attack Technique
There was no external intrusion. The root cause was an authorized insider mishandling data: a contractor with legitimate access copied build and deployment code, including embedded credentials, into a personal GitHub account outside organizational control. This bypassed whatever access controls, monitoring, and secret-management existed inside CISA's own GitHub organization.
Discovery followed the now-standard secret-sprawl pattern. Continuous scanners operated by security vendors constantly index newly pushed public repositories, matching content against known credential formats such as AWS access keys. Once flagged, the finding traveled through a researcher and a journalist before reaching CISA, meaning external parties were aware of the exposure before the agency was.
What Organizations Should Do
- Deploy automated secret scanning across every repository, including push-protection that blocks commits containing credentials before they ever reach a remote, and pair it with scanning of public code you do not own for your organization's fingerprints.
- Eliminate long-lived static cloud keys. Use short-lived, federated credentials such as OIDC-based GitHub Actions roles and IAM Identity Center, so a leaked secret expires on its own instead of staying valid for months.
- Enforce organizational controls that prevent copying internal repositories to personal accounts, including SSO-gated Git access, device controls, and DLP policies that flag bulk repository egress.
- Keep credentials out of Infrastructure-as-Code and CI/CD entirely by routing them through a secrets manager or vault with dynamic, auditable retrieval at runtime.
- Rotate any exposed credential immediately and treat the leaked artifact as burned, since Git history preserves secrets long after they are deleted from the working tree.
- Extend security onboarding, monitoring, and offboarding to contractors and third parties with the same rigor applied to employees, and rehearse a response playbook for when the first notification comes from a reporter rather than your own tooling.
Sources: CISA Shares Lessons After Contractor Leaked AWS GovCloud Credentials on GitHub