CISA Under Fire After Contractor Leaks AWS GovCloud Keys on Public GitHub

Saran K | May 23, 2026 | 4 min read

    A Security Agency’s Security Lapse

    The agency tasked with shielding the United States’ critical infrastructure from cyberattacks is currently facing a reckoning of its own. Lawmakers from both houses of Congress are demanding detailed explanations from the Cybersecurity & Infrastructure Security Agency (CISA) after it was revealed that a contractor intentionally published a trove of agency secrets—including AWS GovCloud keys—to a public GitHub account.

    The breach, first reported by KrebsOnSecurity, centers on a public profile dubbed “Private-CISA.” According to the report, a contractor with administrative access to CISA’s code development platform used the repository as a makeshift scratchpad. The fallout was immediate: dozens of plaintext credentials for internal CISA systems were exposed to the open internet. More alarming to security researchers is the discovery that the contractor explicitly disabled GitHub’s native protections, which are designed to prevent the accidental publication of sensitive credentials.

    While CISA has acknowledged the leak, the agency’s response has been characterized by a level of opacity that has frustrated both legislators and technical experts. In a brief written statement, CISA claimed there is “no indication that any sensitive data was compromised.” However, independent analysis of the now-defunct archive suggests the repository existed as far back as November 2025, leaving a significant window for adversaries to harvest the data.

    Political Fallout and Internal Turmoil

    The leak has sparked a sharp reaction on Capitol Hill. Senator Maggie Hassan (D-NH) sent a formal letter to CISA’s Acting Director, Nick Andersen, questioning how such a fundamental security failure could occur at the very heart of the nation’s cyber defense apparatus. Hassan’s inquiry focuses on whether the lapse is a symptom of broader systemic failures within the agency’s internal policies.

    The timing of the breach is particularly precarious. Senator Hassan noted that the incident coincides with a period of severe internal instability at CISA. The agency recently saw a massive exodus of talent, losing over a third of its workforce and nearly all its senior leadership following a wave of forced early retirements and resignations during the previous administration’s tenure.

    Representative Bennie Thompson (D-MS), ranking member of the House Homeland Security Committee, echoed these concerns in a letter co-signed by Rep. Delia Ramirez (D-Ill). Thompson suggested the incident points to a “diminished security culture” and an inability to manage contract support. He warned that for adversaries like China, Russia, and Iran, the “Private-CISA” repository essentially served as a roadmap for gaining persistence within federal networks.

    The Struggle to Contain the Breach

    Even after the leak was flagged by the security firm GitGuardian, CISA appeared to struggle with the remediation process. Dylan Ayrey, creator of the secret-scanning tool TruffleHog, revealed that more than a week after the initial notification, several critical keys remained active.

    One particularly egregious example was an RSA private key that granted full access to a GitHub app owned by the CISA enterprise account. Ayrey noted that an attacker possessing this key could potentially read source code from every repository in the CISA-IT organization, modify administrative settings, and hijack CI/CD (Continuous Integration/Continuous Delivery) pipelines to inject malicious code into software deployments.

    Although CISA reportedly invalidated that specific RSA key after being notified by KrebsOnSecurity, Ayrey indicated that other leaked credentials tied to critical security technologies across the agency’s portfolio have still not been rotated.

    The risk is not theoretical. Because GitHub publishes a live feed of all commits to public repositories, both security researchers and cybercriminals monitor these “firehoses” in real time. According to Ayrey, there is strong evidence that attackers monitor these events specifically to pounce on API and SSH keys the moment they appear. Given that some of the most sensitive exposures occurred in late April 2025, it is highly probable that foreign intelligence services or cybercrime syndicates are already in possession of the data.
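
Because a pushed key is visible the moment the commit lands, the last dependable check is the one that runs before the push. The sketch below is an added example, not code from CISA, GitGuardian or TruffleHog: it scans the added lines of a unified diff (for instance the output of `git diff --cached`) for the two credential kinds named above. The rule names, function names and sample diff are assumptions made for illustration.

```python
import re

PATTERNS = {  # rules for the two credential kinds the article names
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "pem-private-key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}
HUNK = re.compile(r"^@@ -\d+(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

# Constructed sample; the key ID is AWS's documented example value.
SAMPLE_DIFF = """\
--- a/notes/scratch.env
+++ b/notes/scratch.env
@@ -1,2 +1,2 @@
 AWS_DEFAULT_REGION=us-gov-west-1
-AWS_ACCESS_KEY_ID=
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
--- /dev/null
+++ b/deploy/app.pem
@@ -0,0 +1,2 @@
+-----BEGIN RSA PRIVATE KEY-----
+(constructed placeholder, no key material)
"""


def redact(value):
    """Keep 4 characters so the report never re-leaks the secret into CI logs."""
    return value[:4] + "*" * (len(value) - 4)


def scan_diff(diff_text):
    """Return (path, new_line_no, rule, redacted_match) for each hit on an added line."""
    findings, path = [], None
    old_left = new_left = line_no = 0
    for raw in diff_text.splitlines():
        if old_left > 0 or new_left > 0:  # inside a hunk body
            if raw.startswith("+"):
                for rule, rx in PATTERNS.items():
                    findings += [(path, line_no, rule, redact(m.group()))
                                 for m in rx.finditer(raw[1:])]
            if not raw.startswith(("+", "\\")):
                old_left -= 1  # removed and context lines consume the old-side count
            if not raw.startswith(("-", "\\")):
                new_left -= 1  # added and context lines consume the new-side count
                line_no += 1
        elif raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif m := HUNK.match(raw):
            # Groups are old count, new start, new count; an omitted count means 1.
            old_left, line_no, new_left = (int(g or 1) for g in m.groups())
    return findings
```

Only added lines are reported, so a commit that deletes a key produces no finding even though the key stays in the repository history; a key that was ever pushed still has to be rotated.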
