CISA Contractor Exposed AWS GovCloud Keys in Public GitHub Repository, Report Says
- Data exposure: A CISA contractor allegedly leaked AWS GovCloud keys and internal credentials via a public GitHub repository.
- Validated cloud access: Security researchers confirmed the exposed credentials granted high-level access to three AWS GovCloud accounts.
- Delayed access revocation: Although the repository was taken offline, the exposed AWS keys remained valid for another 48 hours.
A contractor working for the Cybersecurity and Infrastructure Security Agency (CISA) maintained a public GitHub repository named "Private-CISA" that exposed credentials to several highly privileged AWS GovCloud accounts and internal CISA systems. The repository was created on November 13, 2025, and was reportedly maintained by an employee of the government contractor Nightwing.
The public archive included cloud keys, authentication tokens, plaintext passwords, operational logs, and internal files detailing exactly how CISA builds, tests, and deploys software.
Discovery and Validation of Exposed Assets
Guillaume Valadon of the security firm GitGuardian contacted KrebsOnSecurity on May 15 regarding the exposed repository. Philippe Caturegli of the security consultancy Seralys subsequently reviewed the leaked data. Caturegli stated that he validated the exposed credentials of three distinct AWS GovCloud accounts with high privileges found in one of the exposed files, titled “importantAWStokens.”
The repository contained a wide range of sensitive assets that could grant persistent access to the agency's secure code development environment and internal network. One file in the public repository, “AWS-Workspace-Firefox-Passwords.csv,” listed plaintext credentials for several internal CISA systems, including one called “LZ-DSO.” The name appears to be short for “Landing Zone DevSecOps,” the agency’s secure code development environment.
The archive also included plaintext credentials for CISA’s internal repository of code packages used for building software, Caturegli said.
“What I suspect happened is [the CISA contractor] was using this GitHub to synchronize files between a work laptop and a home computer, because he has regularly committed to this repo since November 2025,” Caturegli said.
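The files described above (an AWS token file and a browser password export committed to a public repository) are exactly what a pre-commit or repository secret scan is meant to catch. The following is an added example, not code from the report, from GitGuardian, Seralys or CISA: a small scanner that flags AWS access key IDs (the AKIA long-term and ASIA temporary prefixes), secret access keys, and rows of a browser-style password CSV, reporting only redacted values so the scan output itself does not become another leak. The sample files, their names (chosen to mirror the names in the report) and the regular expressions are constructed assumptions; the key values are the placeholder keys from AWS documentation, used here as positives.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str
    redacted: str  # never the full secret; see redact()


# Constructed detection patterns (assumption: sufficient for this example).
# AWS access key IDs are "AKIA" (long-term) or "ASIA" (temporary STS
# credentials) followed by 16 upper-case alphanumerics.
AWS_KEY_ID = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# A secret access key is 40 base64-like characters; we only flag it when it
# sits next to a label naming it, which keeps false positives down.
AWS_SECRET = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\W{1,4}([A-Za-z0-9/+=]{40})\b"
)
# Header of a browser password export: url,username,password[,...]
CSV_PASSWORD_HEADER = re.compile(r"(?i)^\s*url\s*,\s*username\s*,\s*password")


def redact(value: str) -> str:
    """Keep just enough of a value to locate it in the file, never the whole thing."""
    if len(value) <= 8:
        return "****"
    return value[:4] + "..." + value[-4:]


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan {path: contents} and return one Finding per exposed credential."""
    findings: List[Finding] = []
    for path, text in files.items():
        in_password_csv = False
        for line_no, line in enumerate(text.splitlines(), start=1):
            for match in AWS_KEY_ID.finditer(line):
                findings.append(Finding(path, line_no, "aws_access_key_id", redact(match.group(1))))
            for match in AWS_SECRET.finditer(line):
                findings.append(Finding(path, line_no, "aws_secret_access_key", redact(match.group(1))))
            if CSV_PASSWORD_HEADER.match(line):
                in_password_csv = True  # every following row carries a plaintext password
                continue
            if in_password_csv:
                fields = [f.strip() for f in line.split(",")]
                if len(fields) >= 3 and fields[2]:
                    findings.append(Finding(path, line_no, "plaintext_password_row", redact(fields[2])))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind, the figure a triage ticket would lead with."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample repository contents. File names mirror those in the
# report; key values are the AWS documentation placeholders, not real keys.
SAMPLE_FILES = {
    "importantAWStokens": "\n".join([
        "[gov-account-1]",
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "[gov-account-2]",
        "aws_access_key_id = ASIAEXAMPLETOKEN0001",
    ]),
    "AWS-Workspace-Firefox-Passwords.csv": "\n".join([
        "url,username,password",
        "https://lz-dso.example.internal,svc_build,Constructed-Pass-1",
        "https://packages.example.internal,deploy,Constructed-Pass-2",
    ]),
    "config": "[default]\nregion = us-gov-west-1\noutput = json",  # nothing secret here
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for finding in results:
        print(f"{finding.path}:{finding.line_no} {finding.kind} {finding.redacted}")
    print(summarize(results))
```

Run as a pre-commit hook the same function would be fed the staged files instead of `SAMPLE_FILES`; the redaction matters because scanner output often ends up in CI logs and chat channels that are themselves widely readable.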
Agency Response and Remediation
Following notification from the security researchers, the GitHub account hosting the Private-CISA repository was taken offline. However, according to the report, Caturegli said the compromised AWS keys remained valid for another 48 hours before being revoked.
In response to the incident, CISA announced that it is actively investigating the situation. An agency spokesperson stated that there is currently no indication that any sensitive data was compromised as a result of this credential exposure.
CISA also noted it is working to implement additional safeguards to prevent similar administrative occurrences in the future.
Last month, a hardcoded ClickUp API key exposed almost 1,000 customer emails, including those of government bodies and corporate giants. In May 2025, misconfigurations across seven cloud providers exposed several storage buckets, files, credentials and more.