CISA Contractor Leaked High-Privilege AWS GovCloud Keys in Public GitHub Repo

Saran K | May 19, 2026 | 4 min read

    A Textbook Case of Security Negligence

    The agency tasked with safeguarding the United States’ critical infrastructure recently found its own house in disorder. In a breach that security experts are calling one of the most egregious government data leaks in recent history, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) left a treasure trove of highly privileged credentials and internal system details open to the public on GitHub.

    The repository, titled “Private-CISA,” functioned less like a professional code project and more like a personal scratchpad. It contained a staggering array of sensitive assets: cloud keys, authentication tokens, plaintext passwords, and internal logs. More alarming was the discovery that the administrator had explicitly disabled GitHub’s built-in secrets detection—a feature designed specifically to prevent users from accidentally publishing SSH keys or passwords to public repositories.

    The exposure was first flagged by Guillaume Valadon, a researcher at the security firm GitGuardian. Valadon, whose company monitors public repositories for exposed secrets, noted that the lack of response from the account owner prompted a more urgent escalation. “Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature,” Valadon noted, adding that the depth of the leak was so severe he initially suspected the data was fake.

    The Keys to the Kingdom

    The technical specifics of the leak suggest a massive vulnerability. Among the exposed files was one titled “importantAWStokens,” which provided administrative access to three Amazon AWS GovCloud servers. Another file, “AWS-Workspace-Firefox-Passwords.csv,” listed plaintext credentials for dozens of internal CISA systems, including one identified as “LZ-DSO,” believed to be the agency’s Landing Zone DevSecOps environment—the very place where secure code is developed and deployed.

    Philippe Caturegli, founder of Seralys, validated that the exposed keys provided high-level privilege access. Of particular concern is the exposure of CISA’s internal “artifactory,” the repository where the agency stores the code packages used to build its software. For a sophisticated threat actor, this is a goldmine; it allows for “lateral movement,” where an attacker could potentially inject backdoors into software packages that are then automatically deployed across the rest of CISA’s infrastructure.

    Further analysis of the repository revealed a disturbing lack of basic password hygiene. Many of the exposed credentials followed a predictable pattern, consisting of the platform’s name followed by the current year—a practice that would be considered a critical risk in any professional environment, let alone a national security agency.
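An added example, not taken from the repository or from any CISA or GitGuardian tooling: a defender-side audit that reads a password export and flags entries built from the platform's hostname plus a year, the pattern described above. It goes slightly beyond the article by also flagging the related word-plus-year form; the `url,username,password` column layout and every sample value are assumptions constructed for illustration.

```python
import csv
import io
import re
from urllib.parse import urlparse

# Constructed sample in an assumed url,username,password export layout.
# Hosts, accounts and passwords are all made up for this example.
SAMPLE_CSV = """url,username,password
https://jenkins.example.internal,svc-build,Jenkins2026
https://artifactory.example.internal/ui,admin,artifactory@2025!
https://grafana.example.internal,ops,kT9#vLq2z-Wm4xRb
https://vault.example.internal,root,Summer2026
"""

YEAR_RE = re.compile(r"(?:19|20)\d{2}")
NON_ALNUM = re.compile(r"[^a-z0-9]")


def platform_tokens(url):
    """Hostname labels of 4+ characters, e.g. 'jenkins' from jenkins.example.internal."""
    host = (urlparse(url).hostname or "").lower()
    labels = (NON_ALNUM.sub("", label) for label in host.split("."))
    return [label for label in labels if len(label) >= 4]


def classify(url, password):
    """Return a finding label, or None when the password shows neither pattern."""
    norm = NON_ALNUM.sub("", password.lower())  # drop separators such as '@' or '!'
    year = YEAR_RE.search(norm)
    if year is None:
        return None
    stem = norm[:year.start()] + norm[year.end():]  # password with the year removed
    if any(token in stem for token in platform_tokens(url)):
        return "platform-name+year"
    if stem.isalpha() and norm.endswith(year.group()):
        return "word+year"
    return None


def audit(csv_text):
    """Return (url, username, finding) per weak entry; the password is never echoed."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        finding = classify(row["url"], row["password"])
        if finding:
            findings.append((row["url"], row["username"], finding))
    return findings


if __name__ == "__main__":
    for url, user, finding in audit(SAMPLE_CSV):
        print(f"{finding:20} {user:10} {url}")
```

Run against a credential inventory you are responsible for, the output lists which accounts need rotation without writing the passwords to the terminal or to logs.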

    Accountability and Agency Response

    The repository was traced back to an employee of Nightwing, a government contractor based in Dulles, Virginia. When approached for comment, Nightwing declined to provide a statement and directed all inquiries to CISA.

    In a statement, a CISA spokesperson acknowledged the exposure and stated that the agency is investigating the incident. “Currently, there is no indication that any sensitive data was compromised as a result of this incident,” the spokesperson said, adding that the agency is working to implement additional safeguards.

    However, the timeline of the remediation process raises further questions. While the GitHub account was taken offline shortly after notifications were sent by researchers, Caturegli reported that the exposed AWS keys remained valid and active for another 48 hours after the repository disappeared, leaving a window of opportunity for anyone who had already mirrored the data.

    This lapse comes at a time of significant internal transition for CISA. The agency has seen its workforce shrink by nearly a third since the start of the second Trump administration, following a wave of early retirements, buyouts, and resignations. Whether this staffing crisis contributed to the oversight in contractor monitoring remains a point of contention among industry observers.
