Krebs on Security
CISA Admin Leaked AWS GovCloud Keys on Github
Until this past weekend, a contractor working for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that unintentionally exposed credentials for several highly privileged AWS GovCloud accounts and for a significant number of internal CISA systems. Security experts say the exposure also included files describing CISA's internal software development processes, and that it ranks among the most severe leaks of government data in recent memory.
On May 15, KrebsOnSecurity was contacted by Guillaume Valadon, a researcher at the security firm GitGuardian, which routinely scans public code repositories on GitHub and other platforms for exposed sensitive data. Valadon reached out because the repository's owner had not responded to notifications, which was alarming given how sensitive the exposed information was.
The GitHub repository identified by Valadon was titled "Private-CISA" and contained numerous internal CISA/DHS credentials and sensitive files, including cloud keys, tokens, plaintext passwords, logs, and other critical assets.
Valadon said the exposed CISA credentials exemplify a lack of basic security hygiene. The commit history on the exposed GitHub account showed that the administrator had turned off the GitHub protection that, by default, blocks pushes containing SSH private keys or other recognizable secrets to public repositories.
"Passwords stored in plain text in a CSV, backups in git, explicit commands to disable GitHub's secrets detection feature," Valadon stated in an email. "Initially, I thought it might be a hoax before examining the content more closely. This is truly the most significant leak I have encountered in my career. While it appears to be an individual error, it may also expose internal procedural weaknesses."
Among the exposed files was one named "importantAWStokens," which held administrative credentials for three AWS GovCloud accounts. Another, "AWS-Workspace-Firefox-Passwords.csv," listed plaintext usernames and passwords for numerous internal CISA systems. According to Philippe Caturegli, founder of the security consultancy Seralys, those systems included one labeled "LZ-DSO," likely short for "Landing Zone DevSecOps," CISA's secure development environment.
Caturegli said he checked the AWS keys to confirm they were valid and to learn which internal systems the exposed accounts could reach. He noted that the GitHub account displaying the CISA secrets looked like an individual's informal workspace rather than a properly curated project repository.
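The kind of check that surfaces a repository like the one described above, as an added example that is not code from the article, GitGuardian or Seralys: a minimal secret scanner that applies the same rules such tooling runs over repository contents (AWS access key ID format, an entropy-filtered 40-character secret candidate, private key headers, and a browser password export). The file names echo the article; the contents, hostnames and the Firefox export header are constructed assumptions, and the AWS key values are Amazon's documentation placeholders rather than real keys.

```python
import math
import re
from collections import Counter

# Added example, not code from the article or the firms it quotes.
# AWS access key IDs are 20 characters: AKIA (long-term) or ASIA (temporary)
# followed by 16 uppercase alphanumerics.
AWS_ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# AWS secret access keys are 40 base64-like characters; this pattern only
# yields candidates, which the entropy check below filters.
AWS_SECRET_CANDIDATE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
PRIVATE_KEY_HEADER = re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----")
# Header line of a Firefox "logins.csv" password export (assumption: the
# article's CSV used the browser's own export layout).
PASSWORD_EXPORT_HEADER = re.compile(r'^\s*"?url"?,"?username"?,"?password"?', re.IGNORECASE)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random 40-char keys score well above 4."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(path: str, text: str) -> list[dict]:
    """Return one finding per secret-like item found in a single file."""
    findings = []
    lines = text.splitlines()
    for lineno, line in enumerate(lines, start=1):
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append({"file": path, "line": lineno,
                             "kind": "aws_access_key_id", "match": m.group(0)})
        for m in AWS_SECRET_CANDIDATE.finditer(line):
            token = m.group(0)
            # Require mixed character classes and high entropy so that long
            # words, paths and placeholder strings do not trigger a finding.
            if (shannon_entropy(token) >= 4.0
                    and re.search(r"[a-z]", token) and re.search(r"[A-Z]", token)
                    and re.search(r"[0-9]", token)):
                findings.append({"file": path, "line": lineno,
                                 "kind": "aws_secret_access_key", "match": token})
        if PRIVATE_KEY_HEADER.search(line):
            findings.append({"file": path, "line": lineno,
                             "kind": "private_key", "match": line.strip()})
    if lines and PASSWORD_EXPORT_HEADER.match(lines[0]):
        rows = sum(1 for l in lines[1:] if l.strip())
        findings.append({"file": path, "line": 1,
                         "kind": "plaintext_password_export", "rows": rows})
    return findings


def scan_repository(files: dict[str, str]) -> list[dict]:
    """Scan a mapping of path -> content, e.g. every blob listed by `git rev-list --objects --all`."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository contents (file names mirror the article).
SAMPLE_FILES = {
    "importantAWStokens": (
        "[govcloud-admin]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "AWS-Workspace-Firefox-Passwords.csv": (
        '"url","username","password","httpRealm","formActionOrigin","guid",'
        '"timeCreated","timeLastUsed","timePasswordChanged"\n'
        '"https://artifactory.example.internal","svc-build","Artifactory2025",'
        '"","","{11111111-2222-3333-4444-555555555555}","0","0","0"\n'
        '"https://lz-dso.example.internal","jdoe","LZ-DSO2025",'
        '"","","{22222222-3333-4444-5555-666666666666}","0","0","0"\n'
    ),
    # A 40-character placeholder: right length, zero entropy, must not be flagged.
    "notes.txt": "placeholder = " + "a" * 40 + "\n",
}

if __name__ == "__main__":
    for finding in scan_repository(SAMPLE_FILES):
        print(finding)
```

Run over the sample, the scanner reports the access key ID and secret key from the token file and the password export as a whole, while the 40-character placeholder in notes.txt is rejected by the entropy filter. Scanning the working tree is not enough: a secret removed in a later commit is still in history, so the same function should be run over every blob in every ref before a repository is made public.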
"The presence of both a CISA-associated email address and a personal email address indicates the repository might have been used across different configurations," Caturegli observed. "The available Git metadata alone does not confirm which endpoint or device was used."
Caturegli confirmed that the exposed credentials could access three AWS GovCloud accounts with elevated privileges. He also said the archive contained plaintext credentials for CISA's internal "Artifactory," a binary repository that stores the software packages and dependencies its development pipeline builds from. That makes it a valuable target for attackers seeking to establish a foothold within CISA systems.
"This would be a prime opportunity for lateral movement," he explained. "One could inject a backdoor into software packages, resulting in the potential deployment of that backdoor every time a new build is created."
In response to inquiries, a CISA spokesperson acknowledged awareness of the exposure and confirmed that an investigation is underway.
"Currently, there is no evidence that any sensitive data was compromised as a result of this incident," the CISA spokesperson remarked. "While we hold our team members to the highest standards of integrity and operational awareness, we are actively working to enhance safeguards to prevent future incidents."
A review of the GitHub account and its exposed passwords revealed that the "Private CISA" repository was managed by an employee of Nightwing, a government contractor located in Dulles, Va. Nightwing declined to offer any comments, redirecting questions to CISA.
While CISA has not disclosed how long the data exposure persisted, Caturegli noted that the Private CISA repository was established on November 13, 2025, while the contractor's GitHub account was registered in September 2018.
The GitHub account that contained the Private CISA repository was deactivated soon after both KrebsOnSecurity and Seralys informed CISA about the exposure. However, Caturegli remarked that the compromised AWS keys inexplicably remained valid for an additional 48 hours.
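Keys that stay valid after the repository is gone are the point of the paragraph above, and the first thing an incident responder wants is proof of what is still active and whether it was used after the exposure. As an added example that is not code from the article or from CISA, the following parses an IAM credential report and answers both questions. The column layout is the CSV that `aws iam get-credential-report` returns (base64-encoded); the rows, account ID, user names and the exposure time (the repository's creation date given in the article) are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timezone
from typing import Optional

# Added example, not code from the article or from CISA.
# Assumed exposure time: the repository creation date reported in the article.
EXPOSED_AT = datetime(2025, 11, 13, tzinfo=timezone.utc)

# Constructed credential report in the layout produced by `aws iam get-credential-report`.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws-us-gov:iam::123456789012:root,2024-01-01T00:00:00+00:00,true,no_information,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
lz-admin,arn:aws-us-gov:iam::123456789012:user/lz-admin,2024-03-02T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2025-06-01T12:00:00+00:00,2025-11-16T03:14:00+00:00,us-gov-west-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
build-svc,arn:aws-us-gov:iam::123456789012:user/build-svc,2024-05-10T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2025-02-20T09:00:00+00:00,2025-11-10T18:30:00+00:00,us-gov-west-1,s3,true,2025-11-01T08:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
ci-reader,arn:aws-us-gov:iam::123456789012:user/ci-reader,2024-07-15T00:00:00+00:00,false,N/A,N/A,N/A,false,false,2025-04-04T10:00:00+00:00,2025-11-14T22:05:00+00:00,us-gov-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def _parse_time(value: str) -> Optional[datetime]:
    """Report timestamps are ISO 8601; N/A, no_information and not_supported mean unknown."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_access_keys(report_csv: str, exposed_at: datetime) -> list[dict]:
    """One record per existing access key, with its status relative to the exposure time."""
    records = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in (1, 2):
            if row[f"access_key_{slot}_last_rotated"] == "N/A":
                continue  # no key in this slot
            last_used = _parse_time(row[f"access_key_{slot}_last_used_date"])
            records.append({
                "user": row["user"],
                "slot": slot,
                "active": row[f"access_key_{slot}_active"] == "true",
                "last_used": last_used,
                "last_used_service": row[f"access_key_{slot}_last_used_service"],
                "used_after_exposure": last_used is not None and last_used >= exposed_at,
            })
    return records


def keys_still_active(report_csv: str, exposed_at: datetime = EXPOSED_AT) -> list[dict]:
    """Keys that must be deactivated or deleted now."""
    return [r for r in audit_access_keys(report_csv, exposed_at) if r["active"]]


def keys_used_after_exposure(report_csv: str, exposed_at: datetime = EXPOSED_AT) -> list[dict]:
    """Keys (active or not) whose last use falls after the exposure: pull their CloudTrail history."""
    return [r for r in audit_access_keys(report_csv, exposed_at) if r["used_after_exposure"]]


if __name__ == "__main__":
    for r in keys_still_active(SAMPLE_REPORT):
        print("REVOKE ", r["user"], "slot", r["slot"], "last used", r["last_used"])
    for r in keys_used_after_exposure(SAMPLE_REPORT):
        print("REVIEW ", r["user"], "slot", r["slot"], "via", r["last_used_service"], r["last_used"])
```

To produce the input, run `aws iam generate-credential-report`, then `aws iam get-credential-report --query Content --output text | base64 --decode > report.csv` (with GovCloud credentials and region). Keys the first list reports are deactivated with `aws iam update-access-key --user-name <user> --access-key-id <id> --status Inactive`; keys in the second list, including ones already inactive like ci-reader's, get their activity pulled with `aws cloudtrail lookup-events --lookup-attributes AttributeKey=AccessKeyId,AttributeValue=<id>`. Note that the report's last-used field is coarse and only reflects the last call, so a key used many times after exposure still shows a single timestamp; CloudTrail is the authoritative record.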
CISA is currently functioning with significantly reduced budget and staffing levels, having lost nearly one-third of its workforce since the onset of the second Trump administration, which led to a series of early retirements, buyouts, and resignations across various agency divisions.
The now-inactive Private CISA repository also revealed that the contractor used easily guessable passwords for numerous internal resources; many credentials were simply the platform's name followed by the current year. Caturegli emphasized that such practices pose a severe risk even when the credentials are never exposed externally, because attackers routinely harvest credentials found on internal systems to expand their access after gaining an initial foothold.
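A check for the predictable-password pattern described above, as an added example that is not code from the article or from Seralys: it derives the words an attacker would try from each entry's hostname (plus a few stock bases such as "welcome"), strips separators and case, and flags passwords that are that word alone or joined to a two- or four-digit year. The CSV rows use the Firefox login-export layout as an assumption, and every hostname and password is constructed.

```python
import csv
import io
import re
from typing import Optional
from urllib.parse import urlparse

# Added example, not code from the article or the firms it quotes.
COMMON_BASES = {"password", "passw0rd", "welcome", "admin", "summer", "winter", "spring", "autumn"}
# Hostname labels that carry no service-specific meaning.
IGNORED_LABELS = {"www", "com", "net", "org", "gov", "mil", "local", "internal", "example"}


def _normalize(s: str) -> str:
    """Lowercase and drop every non-alphanumeric character ("LZ-DSO_2025!" -> "lzdso2025")."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def service_tokens(url: str) -> set[str]:
    """Words an attacker would derive from the service's hostname."""
    host = urlparse(url if "://" in url else "https://" + url).hostname or url
    tokens = set()
    for label in host.lower().split("."):
        norm = _normalize(label)
        if len(norm) >= 3 and norm not in IGNORED_LABELS:
            tokens.add(norm)
    return tokens


def predictable_reason(url: str, password: str) -> Optional[str]:
    """Return why a password is guessable from its service, or None if no pattern matched."""
    p = _normalize(password)
    for base in service_tokens(url) | COMMON_BASES:
        if p == base:
            return f"equals '{base}'"
        if re.fullmatch(re.escape(base) + r"(\d{2}|\d{4})", p):
            return f"'{base}' followed by a year"
        if re.fullmatch(r"(\d{2}|\d{4})" + re.escape(base), p):
            return f"year followed by '{base}'"
    return None


def audit_password_export(csv_text: str) -> list[dict]:
    """Flag every row of a url,username,password,... export whose password is predictable."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reason = predictable_reason(row["url"], row["password"])
        if reason:
            flagged.append({"url": row["url"], "username": row["username"], "reason": reason})
    return flagged


# Constructed export: three predictable passwords and one that is not.
SAMPLE_EXPORT = """\
"url","username","password","httpRealm","formActionOrigin","guid","timeCreated","timeLastUsed","timePasswordChanged"
"https://artifactory.example.internal","svc-build","Artifactory2025!","","","{1}","0","0","0"
"https://lz-dso.example.internal","jdoe","LZ-DSO_2025","","","{2}","0","0","0"
"https://vpn.example.internal","jdoe","Welcome2025","","","{3}","0","0","0"
"https://git.example.internal","jdoe","T7#q9vLp!2xRw","","","{4}","0","0","0"
"""

if __name__ == "__main__":
    for hit in audit_password_export(SAMPLE_EXPORT):
        print(hit)
```

Normalizing before matching matters: "LZ-DSO_2025" and "lzdso2025" are the same guess to an attacker who strips punctuation, so a checker that compares raw strings would miss the first. The same function can be pointed at a password manager export or an LDAP audit dump to find the service-name-plus-year habit before an exposure does.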
"It is my suspicion that [the CISA contractor] was using this GitHub repository to synchronize files between a work laptop and a personal computer, as evidenced by frequent commits to this repository since November 2025," Caturegli stated. "This incident would be a damaging leak for any organization, but it is particularly troubling given its association with CISA."