CISA Contractor Exposed High-Privilege AWS GovCloud Keys in Public GitHub Repository
A massive data leak involving internal CISA credentials occurred after a contractor disabled security features on a public code repository.
Primary source: Krebs on Security. Full source links and update notes are below.
Fast summary
- A public GitHub repository named "Private-CISA" contained plaintext passwords and administrative AWS GovCloud keys.
- The leak resulted from a contractor manually disabling GitHub's default secret detection features.
- Exposed files included credentials for CISA's internal "artifactory" and DevSecOps development environments.

What happened
A contractor for the Cybersecurity & Infrastructure Security Agency (CISA) inadvertently exposed sensitive credentials and internal documentation on a public GitHub repository. The archive, discovered by researchers at the security firm GitGuardian, included administrative access to several AWS GovCloud servers and plaintext passwords for dozens of internal agency systems. Security experts have described the exposure as one of the most significant government data leaks in recent history.
What's new in this update
Security researcher Guillaume Valadon and Seralys founder Philippe Caturegli confirmed that the repository, titled "Private-CISA," acted as a working scratchpad for an administrator. Investigation of the commit logs revealed that the administrator explicitly disabled GitHub's automated secret detection features, which are designed to prevent the publication of SSH keys and tokens. CISA has confirmed it is aware of the exposure and is currently investigating the scope of the incident.
Key details
Among the leaked assets was a file named "AWS-Workspace-Firefox-Passwords.csv" which listed plaintext credentials for internal systems, including the agency's "Landing Zone DevSecOps" environment. Additionally, the leak exposed credentials for CISA's internal "artifactory," which houses the code packages used to build agency software. Experts warn that access to this repository could allow a malicious actor to maintain a persistent foothold by injecting backdoors into software packages during the build process.
Background and context
CISA is the primary federal agency tasked with protecting U.S. critical infrastructure and federal networks from cyberattacks. The leak appears to be the result of poor security hygiene by a single individual who used a public repository to synchronize data across different environments. The repository included both personal and CISA-associated email addresses, suggesting the contractor may have bypassed agency security protocols to facilitate their workflow.
What to watch next
The agency is currently working to determine whether any unauthorized parties accessed the credentials before the repository was taken down. Observers will be watching whether CISA implements stricter oversight for contractor-managed code repositories and whether the agency will mandate hardware-based authentication or other secondary controls to prevent plaintext password leaks from compromising high-privilege cloud environments.
Why it matters
This breach exposes the internal infrastructure of the U.S. government's lead cybersecurity agency, potentially allowing attackers to compromise federal software supply chains.
Sources and methodology