A significant security oversight has led to the exposure of sensitive U.S. government cloud credentials. The incident occurred when a contractor associated with the Cybersecurity and Infrastructure Security Agency (CISA) inadvertently made these credentials public on GitHub.
Details of the Exposure
The GitHub repository, titled ‘Private-CISA,’ was accessible to the public until mid-May 2026. It contained various sensitive data, including AWS GovCloud credentials, plaintext passwords, API tokens, and internal system information. Security experts caution that this breach could be one of the most severe government data exposures in recent history.
Guillaume Valadon, a researcher at GitGuardian, was the first to discover this security flaw. GitGuardian is known for its continuous scanning of public repositories for exposed sensitive information. Valadon reported that the repository held extremely critical data, and initial attempts to contact the owner were unsuccessful. The findings were later shared with KrebsOnSecurity, leading to a deeper investigation.
Implications of the Credential Exposure
The exposed repository included administrative credentials for at least three AWS GovCloud environments, which are designed for sensitive U.S. government operations. Additionally, a file named ‘AWS-Workspace-Firefox-Passwords.csv’ revealed numerous plaintext usernames and passwords linked to CISA’s internal systems, including a DevSecOps environment known as ‘LZ-DSO.’
Philippe Caturegli, founder of Seralys, a security consulting firm, verified that some AWS credentials were still active at the time of discovery, granting significant access privileges. The repository also contained credentials for CISA’s internal artifactory, a centralized system for managing and distributing software components. Such access could allow malicious actors to embed dangerous code into legitimate software updates, impacting numerous systems during deployment.
Security Concerns and Reactions
The incident drew attention to inadequate security practices, as sensitive information was stored in plain text, and GitHub’s secret scanning features were disabled. Commit logs suggest the repository might have been used for file synchronization rather than secure development. Caturegli noted, ‘The patterns indicate potential use for file syncing between different machines, perhaps work and home, which exacerbates the risk.’
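The kind of check that secret scanning performs before a commit leaves a machine can be sketched as follows. This is an added example, not code from the article, GitGuardian or GitHub: the three rules, the function names and the sample files are constructed for illustration, and the CSV rule assumes a browser password export with url/username/password columns.

```python
import csv
import io
import re

# AWS access key IDs: 4-letter prefix (AKIA long-term, ASIA temporary) + 16 chars.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Generic "password = value" style assignments with a non-empty literal value.
ASSIGNMENT = re.compile(r"(?i)\b(password|passwd|secret|api[_-]?token)\b\s*[:=]\s*['\"]?([^\s'\"]{6,})")
# Column names assumed to mark a browser password export (url/username/password).
EXPORT_COLUMNS = {"url", "username", "password"}


def is_password_export(text):
    """True if the first CSV row looks like a browser credential export header."""
    try:
        header = next(csv.reader(io.StringIO(text)), [])
    except csv.Error:
        return False
    return EXPORT_COLUMNS.issubset({col.strip().lower() for col in header})


def scan_file(path, text):
    """Return (path, line_number, rule) findings; secret values are never echoed."""
    findings = []
    if path.lower().endswith(".csv") and is_password_export(text):
        findings.append((path, 1, "browser-password-export"))
    for lineno, line in enumerate(text.splitlines(), start=1):
        if AWS_KEY_ID.search(line):
            findings.append((path, lineno, "aws-access-key-id"))
        if ASSIGNMENT.search(line):
            findings.append((path, lineno, "plaintext-secret-assignment"))
    return findings


def scan_commit(files):
    """files maps path -> content for everything staged; a non-empty result blocks the commit."""
    return [f for path, text in files.items() for f in scan_file(path, text)]


# Constructed sample input; the key ID is AWS's documented example value, not a real credential.
SAMPLE_COMMIT = {
    "notes/passwords-export.csv": '"url","username","password"\n"https://portal.example","alice","hunter2-example"\n',
    "deploy/env.sh": 'export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nAPI_TOKEN="tok_constructed_123456"\n',
    "README.md": "Rotate credentials every 90 days.\n",
}

if __name__ == "__main__":
    for path, lineno, rule in scan_commit(SAMPLE_COMMIT):
        print(f"BLOCKED {path}:{lineno} [{rule}]")
```

Findings report only the file, line and rule name, so the scanner's own output does not become another copy of the secret.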
KrebsOnSecurity reported that the exposed repository was linked to a contractor from Nightwing, a government services provider, active since 2018. Although the repository was taken offline soon after it was reported, the AWS credentials remained valid for nearly 48 hours, extending the risk window.
CISA confirmed the incident and announced an ongoing investigation, stating that there is no current evidence of exploitation and that additional security measures are being implemented. The breach comes at a challenging time for CISA, which faces workforce reductions due to budget cuts and restructuring. Experts warn that such pressures can raise the likelihood of misconfigurations and human error.
Ultimately, this incident highlights a crucial cybersecurity lesson: even highly secure environments can be compromised by simple mistakes such as inadequate credential management and unsafe development practices.
