‘The Worst Leak I’ve Witnessed’: A CISA Contractor Left AWS GovCloud Credentials Sitting In A Public GitHub Repo

Techdirt, May 26, 2026

Why It Matters

The leak exposes critical federal cloud assets to malicious actors, eroding confidence in the agency tasked with protecting national infrastructure and prompting urgent calls for tighter government security controls.

Key Takeaways

  • CISA admin disabled GitHub secret‑detection, exposing AWS GovCloud keys
  • Public repo contained plaintext passwords and CSV files for internal systems
  • Exposed credentials remained active for 48 hours after discovery
  • Agency staff cuts likely contributed to inadequate security practices
  • Incident underscores need for strict secret‑management policies in government

Pulse Analysis

The recent CISA incident underscores how a single misconfiguration can jeopardize an entire federal cloud environment. By publishing a public GitHub repository titled “Private‑CISA,” a contractor exposed high‑privilege AWS GovCloud keys, plaintext passwords, and internal development artifacts. The repository’s owner deliberately turned off GitHub’s secret‑scanning safeguards, a step that violates basic DevSecOps best practices. Although the repository was taken down after alerts from security researchers, the exposed credentials remained valid for 48 hours, giving threat actors a narrow window to gain footholds in critical government systems.

Beyond the immediate technical fallout, the breach reflects deeper organizational challenges within the Cybersecurity and Infrastructure Security Agency. Since late 2020, CISA has endured leadership turnover, politicized staffing cuts, and a shift in focus away from core cybersecurity functions. The loss of experienced personnel likely contributed to lax secret‑management discipline and an environment where basic security controls were ignored. For an agency tasked with safeguarding the nation’s digital infrastructure, such gaps amplify the risk of supply‑chain attacks, ransomware, and espionage targeting the government’s most sensitive cloud workloads.

The episode serves as a cautionary tale for all public‑sector entities that rely on cloud services. Implementing automated secret‑detection, enforcing strict .gitignore policies, and maintaining rapid credential rotation are non‑negotiable safeguards. Moreover, rebuilding CISA’s technical talent pool and insulating the agency from political interference are essential steps to restore credibility. As regulators and industry partners watch closely, the incident may accelerate legislative pushes for standardized cloud‑security frameworks across federal agencies, ensuring that similar oversights are caught before they become exploitable vulnerabilities.
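As an added illustration (not code from the article or from any agency), the sketch below shows the kind of check automated secret detection performs before a commit: it flags AWS access key IDs, 40-character values assigned to secret-named settings, and CSV rows holding plaintext values under credential-like headers. The rule names, file names and sample contents are constructed for the example; the key pair is the example pair from AWS's public documentation.

```python
import csv
import io
import re

# AWS access key IDs: "AKIA" (long-term) or "ASIA" (temporary) plus 16 characters.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# A 40-character value assigned to a name that contains "secret".
AWS_SECRET = re.compile(
    r"(?i)\b[\w-]*secret[\w-]*\s*[:=]\s*['\"]?[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
# CSV column names that suggest the column holds credentials.
CRED_HEADER = re.compile(r"(?i)pass(word|wd)?|secret|token")


def scan_csv(path, text):
    """Flag CSV rows with a non-empty value under a credential-like header."""
    rows = csv.reader(io.StringIO(text))
    header = next(rows, [])
    cols = [i for i, name in enumerate(header) if CRED_HEADER.search(name)]
    return [(path, rows.line_num, "csv-plaintext-credential")
            for row in rows
            if any(i < len(row) and row[i].strip() for i in cols)]


def scan_text(path, text):
    """Return (path, line_number, rule) findings for one file's contents."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        if AWS_KEY_ID.search(line):
            findings.append((path, n, "aws-access-key-id"))
        if AWS_SECRET.search(line):
            findings.append((path, n, "aws-secret-access-key"))
    if path.lower().endswith(".csv"):
        findings.extend(scan_csv(path, text))
    return findings


# Constructed sample files; the key pair is AWS's published documentation example.
SAMPLE_FILES = {
    "deploy/env.txt": "region = us-gov-west-1\n"
                      "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                      "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "accounts.csv": "system,username,password\n"
                    "build-server,svc_build,constructed-Passw0rd\n"
                    "wiki,reader,\n",
    "README.md": "Nothing sensitive here.\n",
}

if __name__ == "__main__":
    for path, text in SAMPLE_FILES.items():
        for finding in scan_text(path, text):
            print("BLOCK COMMIT: %s:%d %s" % finding)
```

Wired into a pre-commit hook or CI job, a non-empty findings list would fail the commit; any key that has already reached a public repository still has to be rotated, since removing the file does not invalidate it.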
