CISA GitHub Leak: Contractor’s Public Repo Exposed GovCloud Keys and Passwords

A contractor’s public GitHub repo exposed CISA GovCloud keys and plaintext passwords for months; Congress wants a classified briefing.

ASOasis

CISA probes months-long GitHub exposure of internal credentials as Congress seeks answers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is investigating a significant data exposure after a contractor’s public GitHub repository left reams of internal credentials — including highly privileged AWS GovCloud keys and plaintext passwords — accessible on the open web. The incident, first detailed on May 18, 2026, has already prompted a request for a classified congressional briefing. (krebsonsecurity.com)

What was exposed

Security researchers who reviewed the repository say it contained a wide array of secrets and internal artifacts: cloud access keys and tokens, spreadsheets of plaintext usernames and passwords, CI/CD logs, deployment documentation, Kubernetes manifests, and GitHub workflow automations. A file labeled “importantAWStokens” reportedly included administrative credentials to three AWS GovCloud accounts, and another file — “AWS-Workspace-Firefox-Passwords.csv” — listed plaintext credentials for dozens of internal CISA systems. (krebsonsecurity.com)

CISA told reporters it is aware of the exposure and is reviewing the scope, but said “currently, there is no indication that any sensitive data was compromised as a result of this incident.” (krebsonsecurity.com)

How it was found — and how long it was public

GitGuardian researcher Guillaume Valadon discovered the repository in mid-May after the company’s public monitoring flagged leaked secrets. He notified journalist Brian Krebs when initial outreach to the account owner went unanswered. According to reporting and researcher analysis, the repository was created on November 13, 2025, remained publicly accessible for roughly six months, and was taken down after media and researchers escalated the alert to CISA. Researchers also said some exposed AWS keys remained valid for approximately 48 hours after the takedown. (krebsonsecurity.com)

Dark Reading reports the public archive totaled roughly 844 MB of data, underscoring the breadth of exposed material. (darkreading.com)

Who owned the repository

A review of the GitHub account and exposed passwords indicated the repository — ironically named “Private‑CISA” — was maintained by an employee of Nightwing, a government contractor based in Dulles, Virginia. Nightwing declined to comment and referred questions to CISA. (krebsonsecurity.com)

A preventable failure in basic controls

Commit logs examined by researchers show the administrator disabled GitHub’s default protections that block publishing SSH keys and other secrets, while multiple credentials were stored in plaintext CSV files. Security experts characterized the exposure as a textbook breakdown in secrets management that allowed sensitive keys, passwords, and internal build artifacts to reside in a public repo. (krebsonsecurity.com)

Why this matters

  • Cloud impact: Researchers validated that the leaked credentials could authenticate to three AWS GovCloud accounts at a high privilege level, potentially opening doors to sensitive federal workloads hosted in GovCloud. (krebsonsecurity.com)
  • Supply‑chain risk: The archive reportedly included credentials to CISA’s internal “artifactory,” raising the specter of software supply‑chain tampering if attackers had leveraged access to implant backdoors into build pipelines. (krebsonsecurity.com)
  • Depth of exposure: The combination of plaintext passwords, automation configs, and internal deployment notes can dramatically accelerate adversary reconnaissance and lateral movement if obtained during the exposure window. (darkreading.com)

Official response and Hill reaction

CISA says it is investigating and, as of May 19, 2026, has “no indication” that sensitive data was compromised. Meanwhile, Sen. Maggie Hassan (D‑N.H.) requested an urgent classified briefing from acting CISA Director Nick Andersen, marking the first formal congressional response to the leak. (krebsonsecurity.com)

Context: a stressed cyber agency

CISA has faced well‑documented workforce and resource strains this year, with reporting noting significant attrition and operational headwinds. Observers warn that reduced staffing and tool sprawl can erode governance over contractor practices and internal security hygiene — the very guardrails that might have prevented this exposure. (cybersecuritydive.com)

Key timeline

  • Nov 13, 2025: “Private‑CISA” repository created on GitHub. (krebsonsecurity.com)
  • May 14–15, 2026: GitGuardian detects exposed secrets; researcher contacts media after alerts to the account owner go unanswered. (krebsonsecurity.com)
  • May 18, 2026: KrebsOnSecurity publishes initial report. (krebsonsecurity.com)
  • May 19, 2026: Axios reports Congress seeks a classified briefing; CISA reiterates no current indication of compromise. (axios.com)

What we still don’t know

  • Whether any actors accessed or used the exposed keys during the public window. CISA has not disclosed forensic findings to date. (krebsonsecurity.com)
  • The full list of affected systems and the scope of any key rotation and credential invalidation completed after discovery. (krebsonsecurity.com)
  • How the repository became public and why default secret‑scanning protections were disabled. (krebsonsecurity.com)

Early lessons for every organization

The incident echoes a larger trend of secret sprawl across public code platforms. Practical steps teams can apply immediately:

  • Enforce least privilege and short‑lived credentials for cloud access; require rapid rotation on suspected exposure. (darkreading.com)
  • Mandate organization‑level secret scanning and blocking on all repos; do not allow developers to disable these protections. (krebsonsecurity.com)
  • Keep credentials out of code and documents; store them in a managed secrets vault and provision them at runtime. (darkreading.com)
  • Treat logs, CI/CD artifacts, and configuration files as sensitive; exclude them from public repositories by default. (darkreading.com)
  • Use honeytokens to detect and validate potential key misuse quickly when a leak is suspected. (docs.gitguardian.com)
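To make the "scan and block" step concrete, here is an added example (not code from the article or from GitGuardian) of a minimal pre-commit gate that refuses a commit when staged files contain AWS access key identifiers, an `aws_secret_access_key` assignment, or a CSV with a populated `password` column, the two artifact types the report describes. The staged contents below are constructed for illustration, and the key values are AWS's own documented placeholder examples, not real credentials.

```python
import re
from typing import Dict, List, Tuple

# AWS access key IDs are 20 chars: AKIA (long-lived) or ASIA (temporary) + 16.
AWS_ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A secret key assignment: a 40-char base64-ish value after the well-known name.
AWS_SECRET_KEY = re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*[A-Za-z0-9/+=]{40}\b")

Finding = Tuple[str, int, str]  # (path, line number, finding type)


def scan_text(path: str, text: str) -> List[Finding]:
    """Return every secret-like hit in one file's contents."""
    findings: List[Finding] = []
    lines = text.splitlines()
    for n, line in enumerate(lines, 1):
        if AWS_ACCESS_KEY_ID.search(line):
            findings.append((path, n, "aws-access-key-id"))
        if AWS_SECRET_KEY.search(line):
            findings.append((path, n, "aws-secret-access-key"))
    # Plaintext credential exports: a CSV whose header has a 'password' column.
    if path.lower().endswith(".csv") and lines:
        cols = [c.strip().lower() for c in lines[0].split(",")]
        if "password" in cols:
            idx = cols.index("password")
            for n, line in enumerate(lines[1:], 2):
                cells = line.split(",")
                if len(cells) > idx and cells[idx].strip():
                    findings.append((path, n, "plaintext-password-csv"))
    return findings


def scan_staged(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of staged path -> contents (e.g. from `git show :path`)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


def pre_commit_gate(files: Dict[str, str]) -> bool:
    """True if the commit may proceed; False (and a report) if secrets are staged."""
    findings = scan_staged(files)
    for path, n, kind in findings:
        print(f"BLOCKED {path}:{n}: {kind}")
    return not findings


# Constructed sample staging area modelled on the file types named in the report.
SAMPLE_FILES = {
    "importantAWStokens": "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                          "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "AWS-Workspace-Firefox-Passwords.csv": "url,username,password\n"
                                           "https://intranet.example,jdoe,hunter2\n",
    "README.md": "Deployment notes: credentials are provisioned from the vault at runtime.\n",
}

if __name__ == "__main__":
    raise SystemExit(0 if pre_commit_gate(SAMPLE_FILES) else 1)
```

Wired in as a `pre-commit` hook (or run in CI over `git diff --cached`), this catches the exact shapes of the leaked files before they ever reach a remote; it complements, not replaces, GitHub's organization-level push protection.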

The bottom line

A single mismanaged repository appears to have exposed privileged keys and internal maps to the very agency charged with securing U.S. civilian networks. While officials say there is no current evidence of data compromise, the combination of GovCloud access, plaintext passwords, and build‑system artifacts makes this one of the most consequential public credential leaks involving a federal cyber agency in recent memory — and it has already sparked scrutiny on Capitol Hill. The investigation’s findings — particularly around key usage during the exposure window and the rigor of post‑incident rotation — will determine whether this remains a near‑miss or becomes a case study in how public code platforms can quickly magnify basic mistakes into national‑level risk. (krebsonsecurity.com)