CISA’s Own Contractor Leaked AWS GovCloud Keys on GitHub for 6 Months
A CISA contractor exposed AWS GovCloud keys and plaintext passwords on GitHub for six months. Researchers call it the worst government data leak in years.
In Brief
- A CISA contractor exposed admin credentials to multiple AWS GovCloud accounts and dozens of internal systems in a public GitHub repository for at least six months
- The repository, named “Private-CISA,” included plaintext passwords, cloud tokens, and files detailing how the agency builds and deploys software internally
- Security researchers say the leak could have enabled supply-chain attacks on CISA’s own code pipelines — and some AWS keys remained valid 48 hours after takedown
Until this past weekend, a contractor for the Cybersecurity and Infrastructure Security Agency maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security researchers are calling it one of the most egregious government data leaks in recent history.
The repository, named “Private-CISA,” was maintained by an employee of Nightwing, a government contractor based in Dulles, Virginia. It contained a file called “importantAWStokens” with administrative credentials to three AWS GovCloud servers, and another called “AWS-Workspace-Firefox-Passwords.csv” listing plaintext usernames and passwords for dozens of internal CISA systems.
Guillaume Valadon, a researcher with GitGuardian, flagged the exposure on May 15 after the repository owner failed to respond to automated alerts. Valadon said the contractor had deliberately disabled GitHub’s built-in secret scanning feature. Philippe Caturegli of Seralys independently validated the credentials, confirming they could authenticate to three AWS GovCloud accounts at a high privilege level.
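The two file types described above (a token file holding AWS key material and a CSV of plaintext passwords) are exactly what repository secret scanning is meant to catch before a push. As an added illustration that is not part of the original article or of GitHub's or GitGuardian's own scanners, the following pre-commit style check flags AWS access key IDs, labelled AWS secret keys, and CSV files with a populated password column; the regexes, file names and the sample contents are constructed placeholders.

```python
import csv
import io
import re

# Assumed detection rules (not GitHub's or GitGuardian's): AWS access key IDs
# are 20 chars starting with AKIA (long-term) or ASIA (temporary), and the
# secret key is 40 base64-ish chars, usually sitting next to a telltale label.
AWS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
AWS_SECRET = re.compile(
    r"(?i)aws[_\-]?secret[_\-]?access[_\-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"
)
PASSWORD_COL = re.compile(r"(?i)^pass(word)?$|^pwd$")


def scan_password_csv(path, text):
    """Flag every CSV row that carries a non-empty value in a password column."""
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        return []
    header = [h.strip() for h in rows[0]]
    cols = [i for i, h in enumerate(header) if PASSWORD_COL.search(h)]
    return [
        (path, n, "plaintext-password-csv")
        for n, row in enumerate(rows[1:], 2)
        if any(i < len(row) and row[i].strip() for i in cols)
    ]


def scan_text(path, text):
    """Return (path, line_no, kind) findings for one file's contents."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if AWS_KEY_ID.search(line):
            findings.append((path, n, "aws-access-key-id"))
        if AWS_SECRET.search(line):
            findings.append((path, n, "aws-secret-access-key"))
    if path.lower().endswith(".csv"):
        findings.extend(scan_password_csv(path, text))
    return findings


def scan_files(files):
    """Scan a {path: contents} mapping, e.g. the files staged for a commit."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample "staged files"; key values are fake and never valid.
SAMPLE = {
    "importantAWStokens": "aws_access_key_id = AKIAEXAMPLE1234ABCDE\n"
                          "aws_secret_access_key = EXAMPLESECRETKEYEXAMPLESECRETKEY00000000\n",
    "AWS-Workspace-Firefox-Passwords.csv": "url,username,password\n"
                                           "https://intranet.example/,alice,hunter2\n",
    "README.md": "No secrets here.\n",
}

if __name__ == "__main__":
    for path, line_no, kind in scan_files(SAMPLE):
        print(f"{path}:{line_no}: {kind}")
```

A hook like this blocks the commit when `scan_files` returns anything; it complements, rather than replaces, the provider-side scanning the contractor turned off.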
The archive also included access to CISA’s internal artifactory — a repository of all code packages the agency uses to build software. Caturegli told KrebsOnSecurity that would be a prime place to move laterally, since backdooring a software package there would deploy malicious code across every new CISA build. The repository was created on November 13, 2025, and some exposed AWS keys remained valid for up to 48 hours after takedown.
CISA confirmed it is investigating but said there is no indication that any sensitive data was compromised. The agency has lost nearly a third of its workforce since the start of the second Trump administration — a staffing crisis that raises questions about oversight of contractors. The incident comes amid a wave of high-profile breaches, including a ransomware attack on Foxconn that compromised 8TB of Apple and NVIDIA data. Nightwing declined to comment.
FAQ
What was exposed in the CISA GitHub leak?
Administrative credentials for three AWS GovCloud accounts, plaintext passwords for dozens of internal CISA systems, access tokens, and detailed files showing how CISA builds, tests, and deploys software internally.
How long were the credentials exposed?
The Private-CISA repository was created on November 13, 2025, and remained publicly accessible until it was taken offline over the weekend of May 17–18, 2026 — roughly six months. Some AWS keys remained valid for 48 hours after takedown.
Who was responsible for the leak?
The repository was maintained by an employee of Nightwing, a government contractor based in Dulles, Virginia. The contractor used both a CISA-associated email and a personal email address on the account.