CISA Admin Leaked AWS GovCloud Keys on Github

Krebs on Security, May 18, 2026

Key Takeaways

  • Contractor exposed AWS GovCloud admin keys in public GitHub repo
  • Plaintext passwords and tokens for dozens of CISA systems were leaked
  • Keys remained valid for 48 hours after repo removal
  • CISA disabled GitHub secret detection, violating basic security hygiene
  • Incident underscores risks from understaffed agencies and lax contractor oversight

Pulse Analysis

The Cybersecurity and Infrastructure Security Agency (CISA) suffered a high‑profile data breach when a contractor’s public GitHub repository, dubbed “Private‑CISA,” exposed administrative credentials for three AWS GovCloud accounts, dozens of plaintext passwords, and internal build artifacts. The repository, active since November 2025, contained CSV files with unencrypted secrets and even a file that disabled GitHub’s built‑in secret‑scanning feature. Security researcher Guillaume Valadon of GitGuardian flagged the repo on May 15, prompting a rapid takedown, yet the AWS keys remained functional for another 48 hours.

The leak underscores a systemic lapse in basic cloud‑security hygiene within a federal agency already grappling with budget cuts and a 30 percent workforce reduction. Disabling GitHub’s secret‑detection and storing passwords in plain text violate NIST guidelines and expose the agency to lateral‑movement attacks through its own artifact repository. For government contractors, the episode highlights the need for strict credential‑management policies, mandatory use of secret‑scanning tools, and continuous monitoring of privileged access to prevent similar exposures.

Beyond CISA, the incident serves as a cautionary tale for any organization that treats public code platforms as informal scratchpads. Attackers routinely harvest exposed keys to establish footholds in supply‑chain environments, and the persistence of valid AWS credentials after removal illustrates the speed at which damage can accrue. Enterprises should enforce least‑privilege principles, rotate secrets promptly after any exposure, and integrate automated remediation workflows. As the federal sector tightens its cyber‑risk posture, the Private‑CISA breach will likely accelerate policy reforms around contractor oversight and cloud‑security governance.
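As an added example (not code from the article, CISA, or GitGuardian), the check below is a pre-commit style scan for the kind of CSV credential file described above: it flags AWS access key IDs anywhere in a row and non-empty cells under credential-like headers. The header patterns, the file name, and the sample rows are assumptions constructed for illustration; the AWS values are the placeholder keys from AWS documentation.

```python
import csv
import io
import re

# AWS access key IDs: AKIA (long-term) or ASIA (temporary) plus 16 characters.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Assumed header names that suggest a column holds credentials.
SECRET_HEADER = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key", re.I)

# Constructed sample rows; the AWS values are AWS documentation placeholders.
SAMPLE = """system,username,password,notes
build-server,svc_build,Example-Passw0rd!,constructed value
artifact-repo,admin,,password stored in vault
aws-govcloud,AKIAIOSFODNN7EXAMPLE,wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY,placeholder key
"""


def scan_csv(name, text):
    """Return (file, row, column, reason) findings for one CSV document."""
    findings = []
    reader = csv.DictReader(io.StringIO(text))
    for row_no, row in enumerate(reader, start=2):  # row 1 is the header
        for col, val in row.items():
            # Skip overflow cells (key None, list value) and missing cells.
            if col is None or not isinstance(val, str):
                continue
            val = val.strip()
            if not val:
                continue
            if ACCESS_KEY_ID.search(val):
                # A key ID is a finding whatever column it sits in.
                findings.append((name, row_no, col, "aws-access-key-id"))
            elif SECRET_HEADER.search(col):
                # A filled cell under a credential header is a plaintext secret.
                findings.append((name, row_no, col, "plaintext-secret-column"))
    return findings


if __name__ == "__main__":
    results = scan_csv("creds.csv", SAMPLE)
    for finding in results:
        print("%s:%d column %r: %s" % finding)
    # Non-zero exit lets a pre-commit hook or CI job block the commit.
    raise SystemExit(1 if results else 0)
```

A finding in history means the credential has to be revoked and reissued, not just deleted from the repository: as the 48-hour window above shows, removing the file does nothing to the key itself.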
