SYS::ONLINE
Wasteland.
Briefs1161
Issues19
SinceFeb 2026
LIVE
▣ Breach CISA-GITHUB-CREDEN 2026-07-13

CISA: Contractor Leaked AWS GovCloud Credentials on GitHub

"The Cybersecurity and Infrastructure Security Agency has published an after-action review confirming that a contractor exposed AWS GovCloud keys, administrative and build credentials, and Infrastructure-as-Code files in…"

The Cybersecurity and Infrastructure Security Agency has published an after-action review confirming that a contractor exposed AWS GovCloud keys, administrative and build credentials, and Infrastructure-as-Code files in a public GitHub repository for roughly six months. CISA began its response on Friday, May 15, 2026, after an investigative reporter flagged the internal credentials. The agency says forensic evidence shows the credentials were not used outside its own environments, and no customer or mission data was exposed. Security firm GitGuardian's account puts the exposed repository at approximately 844MB across its working tree and Git history.

What Happened

The exposure did not originate from CISA's official GitHub organization. According to the agency's "Lessons from CISA's Cyber Incident" report, a contracted employee copied build and deployment repositories from the development environment into a personal GitHub account, reportedly to automate the creation of cloud infrastructure. That personal repository was public.

CISA learned of the problem only when an investigative reporter contacted the agency on May 15, 2026. The reporter had been tipped by a security researcher whose company continuously scans public repositories for exposed secrets, and that researcher kept feeding information to CISA throughout the investigation. The Office of the Chief Information Officer immediately prioritized eliminating the public exposure and preventing further harm.

What Was Taken

The public repository was a near-complete picture of how CISA builds and ships software. It contained AWS GovCloud access keys, administrative and build credentials tied to the development environment, and detailed information about the agency's software deployment setup.

GitGuardian's breakdown of the roughly 844MB of data describes a comprehensive haul: CI/CD logs, Terraform code, Kubernetes manifests, ArgoCD files, GitHub Actions workflows, internal documents, scripts, and credentials. The dangerous part was not any single secret but the combination. Live credentials sat alongside the technical documentation and Infrastructure-as-Code that explained exactly how the environment worked, handing any finder both the keys and the map. CISA reported no confirmed external misuse of the credentials and no evidence that customer or mission data was exposed.

Why It Matters

This is a textbook insider-driven cloud exposure, and it landed on the agency whose mission is to help everyone else avoid it. No adversary breached a perimeter. A trusted contractor moved sensitive repositories to a convenient personal account, and automated secret-scanning bots that crawl GitHub around the clock did the rest. The six-month window is the number defenders should sit with. Exposed cloud keys are typically discovered by attackers within minutes to hours, so a half-year of public visibility for GovCloud admin credentials is an extraordinary amount of dwell-time risk, even if forensics ultimately found no abuse.

The incident also underscores that Infrastructure-as-Code is sensitive intelligence in its own right. Terraform, Kubernetes manifests, and ArgoCD definitions describe the blast radius of a compromise before a single credential is used. When that context leaks next to working keys, the attacker's reconnaissance phase is done for them.

The Attack Technique

There was no external intrusion. The root cause was an authorized insider mishandling data: a contractor with legitimate access copied build and deployment code, including embedded credentials, into a personal GitHub account outside organizational control. This bypassed whatever access controls, monitoring, and secret-management existed inside CISA's own GitHub organization.

Discovery followed the now-standard secret-sprawl pattern. Continuous scanners operated by security vendors constantly index newly pushed public repositories, matching content against known credential formats such as AWS access keys. Once flagged, the finding traveled through a researcher and a journalist before reaching CISA, meaning external parties were aware of the exposure before the agency was.

What Organizations Should Do

Sources: CISA Shares Lessons After Contractor Leaked AWS GovCloud Credentials on GitHub