CISA's GovCloud Keys on GitHub: When a Scratchpad Becomes a Breach
Protecting sensitive information is a constant challenge, and it is undermined far more often by basic operational mistakes than by sophisticated attacks. When a contractor publishes highly privileged CISA GovCloud keys to a public GitHub repository, the security controls around that work have failed at a fundamental level. That is exactly what happened at CISA.
The Incident: Public CISA GovCloud Keys, Private Systems
On May 15, 2026, Guillaume Valadon from GitGuardian alerted KrebsOnSecurity to a public GitHub repository named "Private-CISA." This repository, maintained by a CISA contractor employed by Nightwing, a government contractor based in Dulles, Va., contained sensitive data. It exposed credentials for several highly privileged AWS GovCloud accounts, alongside access details for numerous internal CISA systems.
The contractor established the GitHub account in September 2018 and created the "Private-CISA" repository on November 13, 2025. For months, from November 2025 through May 2026, regular commits were made to this public repository. The exposed data included cloud keys, tokens, plaintext passwords, logs, and files detailing CISA's internal software build, test, and deployment processes. Philippe Caturegli, co-founder of Seralys, independently validated administrative credentials to three Amazon AWS GovCloud servers from the leak.
One file, "AWS-Workspace-Firefox-Passwords.csv," contained plaintext usernames and passwords for dozens of internal CISA systems, including "LZ-DSO". Credentials for CISA’s internal "artifactory," a repository for code packages, were also exposed.
KrebsOnSecurity and Seralys notified CISA, and the repository was taken down over the weekend of May 16-17, 2026. Significantly, the exposed AWS keys remained valid for roughly another 48 hours after the takedown, so anyone who had already cloned the repository could still use them during that window.
How a "Scratchpad" Became a Security Hole
This incident wasn't complex; it stemmed from a series of basic security failures. The contractor used a public GitHub repository as a "working scratchpad or synchronization mechanism" between their work and home computers. This practice represents a significant operational security lapse for handling sensitive government work.
The contractor had also turned off GitHub's default push protection, which blocks pushes to public repositories that contain recognizable secrets such as SSH private keys and cloud access keys. That was a deliberate bypass of a safeguard built for exactly this mistake. Passwords were then stored in plaintext, often in CSV files, including credentials for CISA's secure code development environment and its artifactory. Some were trivially guessable, such as a platform name followed by the current year. Credential hygiene this poor means a single leaked file hands over working access to many systems at once.
The repository also mixed CISA-associated and personal email addresses, a sign that personal and professional use had blurred together, which frequently accompanies lapses of this kind.
An attacker discovering this repository would have had a direct path: clone it, extract the AWS GovCloud credentials, and authenticate to CISA's GovCloud accounts with high privilege. No further pivot was needed to reach the internal systems, because the same clone contained the plaintext passwords for LZ-DSO and the artifactory. Access to the artifactory is especially dangerous: an attacker who can write to a package repository can backdoor software that CISA builds, uses internally or distributes, and that backdoor persists through every subsequent build. This is a classic software supply chain compromise (MITRE ATT&CK T1195.002).
The Impact: Beyond "No Indication"
Guillaume Valadon characterized this as "the worst leak that I’ve witnessed in my career." Whatever CISA's investigation ultimately concludes, the leak exposed direct access to CISA's cloud infrastructure and to its internal development processes.
Any actor with these CISA GovCloud keys could have authenticated to CISA's AWS GovCloud accounts at a high privilege level. This access inherently carries the risk of exposure for sensitive government data and critical operational infrastructure managed within those GovCloud environments. Furthermore, the exposed credentials for LZ-DSO and the artifactory could facilitate supply chain attacks, enabling the injection of malicious code into CISA's software development lifecycle.
CISA has stated that there is "no indication that any sensitive data was compromised as a result of this incident," but that statement describes what has been observed, not what was possible. The keys stayed usable for about 48 hours after the agency knew they were public, which is a period of vulnerability even after discovery. A months-long public exposure of administrative cloud credentials is a significant confidentiality breach with severe potential impact, whether or not actual misuse is ever confirmed.
Addressing the Vulnerability
CISA has stated it is investigating and implementing additional safeguards. While CISA's investigation and safeguards are necessary, the incident demands more specific, technical responses.
Effective secret management requires mandatory, automated scanning for credentials before code reaches any repository, public or private. Tools such as GitGuardian's ggshield, TruffleHog, gitleaks, or AWS Labs' git-secrets can run as pre-commit or pre-push hooks and reject a commit that contains a recognizable secret, so it never enters the history at all. Scanning is a gate, not a cure: a secret that has been pushed to a public repository even briefly must be treated as compromised and rotated, because public commits are cloned and indexed by scrapers within minutes. Plaintext passwords in CSV files are unacceptable; CISA should require a secrets manager or vault (AWS Secrets Manager or HashiCorp Vault, for example) for all credentials and have CI/CD pipelines fetch them at run time rather than read them from files checked into a repository.
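The following is an added example, not code from the page or from any of the tools named above: a minimal pre-commit hook in Python that implements the checks this incident needed. It refuses the commit if a staged file contains an AWS access key ID, an AWS secret beside its keyword, a private key block, or a populated password column in a CSV, and it warns on passwords of the "platform name plus year" shape described above. The sample credentials file and CSV are constructed (AKIAIOSFODNN7EXAMPLE and its secret are AWS's documented example values, and the hostnames are placeholders).

```python
#!/usr/bin/env python3
"""Minimal pre-commit secret gate (added example; not ggshield/TruffleHog code).

Install as .git/hooks/pre-commit (chmod +x). The hook reads the staged blobs,
not the working tree, so it checks exactly what would be committed.
"""
from __future__ import annotations

import csv
import io
import re
import subprocess
import sys
from dataclasses import dataclass
from pathlib import Path

# AKIA = long-term IAM user key, ASIA = temporary STS key; same format in GovCloud.
AWS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# A 40-char base64-ish blob within 40 chars of the words "aws secret" (credentials files, env files).
AWS_SECRET = re.compile(r"(?i)aws[_\-]?secret[^\n]{0,40}?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")
PRIVATE_KEY = re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----")
# CSV column headers that hold credentials.
CREDENTIAL_HEADER = re.compile(r"(?i)pass(word)?|secret|token|api[_\- ]?key")
# "platform name followed by the current year", e.g. Artifactory2026!
WEAK_PASSWORD = re.compile(r"^[A-Za-z][A-Za-z\-]{2,}20[0-9]{2}[!@#$%]{0,2}$")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str       # aws_key_id | aws_secret | private_key | csv_password | weak_password
    blocking: bool  # True: the commit must be rejected


def scan_csv(path: str, text: str) -> list[Finding]:
    """Flag every non-empty cell in a credential-named column (assumes one row per line)."""
    findings: list[Finding] = []
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if not header:
        return findings
    cred_cols = [i for i, h in enumerate(header) if CREDENTIAL_HEADER.search(h)]
    for n, row in enumerate(reader, 2):  # header was line 1
        for i in cred_cols:
            if i < len(row) and row[i].strip():
                findings.append(Finding(path, n, "csv_password", True))
                if WEAK_PASSWORD.match(row[i].strip()):
                    findings.append(Finding(path, n, "weak_password", False))
    return findings


def scan_text(path: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        if AWS_KEY_ID.search(line):
            findings.append(Finding(path, n, "aws_key_id", True))
        if AWS_SECRET.search(line):
            findings.append(Finding(path, n, "aws_secret", True))
        if PRIVATE_KEY.search(line):
            findings.append(Finding(path, n, "private_key", True))
    if path.lower().endswith(".csv"):
        findings.extend(scan_csv(path, text))
    return sorted(findings, key=lambda f: f.line)  # stable: keeps per-line order


def scan_paths(paths: list[str]) -> list[Finding]:
    """Scan files on disk, e.g. an existing checkout being audited after the fact."""
    findings: list[Finding] = []
    for p in paths:
        try:
            findings.extend(scan_text(p, Path(p).read_text(errors="replace")))
        except OSError:
            continue
    return findings


def staged_files() -> list[str]:
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM", "-z"],
                         capture_output=True, text=True, check=True).stdout
    return [p for p in out.split("\0") if p]


def staged_content(path: str) -> str:
    return subprocess.run(["git", "show", f":{path}"], capture_output=True,
                          text=True, errors="replace", check=True).stdout


def main() -> int:
    findings: list[Finding] = []
    for path in staged_files():
        findings.extend(scan_text(path, staged_content(path)))
    for f in findings:
        print(f"{'BLOCK' if f.blocking else 'WARN '} {f.path}:{f.line}: {f.kind}", file=sys.stderr)
    if any(f.blocking for f in findings):
        print("commit rejected: remove the secret, then rotate it anyway", file=sys.stderr)
        return 1
    return 0


# Constructed samples (fake values; AKIAIOSFODNN7EXAMPLE is AWS's documented example key).
SAMPLE_CREDENTIALS = """[govcloud-admin]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""
SAMPLE_CSV = """url,username,password
https://artifactory.example.internal,svc-build,Artifactory2026!
https://lz-dso.example.internal,jdoe,correct horse battery staple
"""

if __name__ == "__main__":
    sys.exit(main())
```

Running `scan_text("credentials", SAMPLE_CREDENTIALS)` reports the key ID on line 2 and the secret on line 3, both blocking; the CSV sample yields a blocking `csv_password` on each data row plus a non-blocking `weak_password` for `Artifactory2026!`. Pattern matching is deliberately narrow (an AWS key ID has a fixed prefix and length) so the hook produces few false positives; the commercial scanners listed above cover hundreds of further credential formats and verify live keys against the issuing provider.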
Oversight of contractors needs significant tightening: stricter security training, clear policies for handling sensitive government data, and regular audits of contractor development environments. Multi-Factor Authentication (MFA) is essential for all privileged accounts, especially those with access to GovCloud environments, ideally with FIDO2 hardware tokens for phishing resistance. One caveat matters here: MFA on the console does nothing to protect a long-lived IAM access key used programmatically, which is exactly what leaked. Those keys should be replaced with short-lived credentials obtained through role assumption or IAM Identity Center, and any policy that still permits long-lived keys should require `aws:MultiFactorAuthPresent` for sensitive actions.
Automated rotation of cloud keys and other sensitive credentials is also essential, and exposure must be treated as compromise: revoke on notification, not after the repository comes down. Furthermore, CISA must move beyond a "no indication of compromise" stance and conduct a thorough, transparent assessment of exploitation scenarios and long-term risk. That means a full forensic analysis of how the exposed keys were used during the months they were public, including any lateral movement, even if direct data exfiltration is not immediately evident.
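The forensic step called for above can start from CloudTrail, which records every API call made with an access key. The Python below is an added example (not CISA's or AWS's code): given the leaked access key IDs and three timestamps, it sorts each call into a phase (baseline before the repository went public, the exposure period, the window after notification in which the keys stayed valid, and after revocation), flags calls from addresses outside the agency's known ranges and calls that change state, and answers whether "no indication of compromise" is a defensible reading of the evidence. The records, key IDs, IP ranges and timestamps are constructed; the exposure start matches the repository's creation date and the other timestamps are assumptions.

```python
#!/usr/bin/env python3
"""Scope the use of leaked AWS access keys from CloudTrail records.

Added example, not CISA's or AWS's code. In production the records come from
the account's CloudTrail (Athena over the S3 trail, or LookupEvents); here
they are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime


def parse_time(s: str) -> datetime:
    """CloudTrail eventTime is ISO 8601 with a trailing Z (UTC)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Call names that change state. Recon calls (Describe*, List*, Get*) still matter,
# but these are the ones that leave persistence or exfiltration behind.
MUTATING_PREFIXES = ("Create", "Put", "Update", "Delete", "Attach", "Detach",
                     "Assume", "Run", "Modify", "Add", "Remove", "Authorize")


@dataclass(frozen=True)
class Hit:
    event_time: datetime
    event_name: str
    access_key_id: str
    source_ip: str
    phase: str          # baseline | exposed | post_notification | post_revocation
    untrusted_ip: bool  # outside every CIDR the agency recognises
    mutating: bool


def classify_phase(t: datetime, exposure_start: datetime,
                   notified_at: datetime, revoked_at: datetime) -> str:
    if t < exposure_start:
        return "baseline"           # key not yet public: the legitimate activity profile
    if t < notified_at:
        return "exposed"            # anyone who found the repository could have made this call
    if t < revoked_at:
        return "post_notification"  # keys still valid after the agency was told
    return "post_revocation"        # should be empty; if not, revocation did not take effect


def ip_is_untrusted(src: str, trusted: list) -> bool:
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        # CloudTrail records a service name (e.g. "cloudtrail.amazonaws.com") when an
        # AWS service called on the principal's behalf; that is not an external address.
        return False
    return not any(addr in net for net in trusted)


def triage(records: list[dict], exposed_keys: set[str], exposure_start: datetime,
           notified_at: datetime, revoked_at: datetime, trusted_cidrs: list[str]) -> list[Hit]:
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits: list[Hit] = []
    for r in records:
        key = r.get("userIdentity", {}).get("accessKeyId")
        if key not in exposed_keys:
            continue
        t = parse_time(r["eventTime"])
        src = r.get("sourceIPAddress", "")
        hits.append(Hit(t, r["eventName"], key, src,
                        classify_phase(t, exposure_start, notified_at, revoked_at),
                        ip_is_untrusted(src, trusted),
                        r["eventName"].startswith(MUTATING_PREFIXES)))
    return sorted(hits, key=lambda h: h.event_time)


def needs_escalation(hits: list[Hit]) -> bool:
    """True if any post-exposure call came from an unknown address, changed state, or
    happened after revocation. Absence of such calls is not proof of no compromise
    (trails can be incomplete); presence is proof the leaked key was used."""
    return any(h.phase != "baseline"
               and (h.untrusted_ip or h.mutating or h.phase == "post_revocation")
               for h in hits)


# --- Constructed demonstration data (assumptions, not incident data) -----------------
EXPOSED_KEYS = {"AKIAIOSFODNN7EXAMPLE"}              # AWS's documented example key ID
EXPOSURE_START = parse_time("2025-11-13T00:00:00Z")  # repository creation date
NOTIFIED_AT = parse_time("2026-05-16T00:00:00Z")     # assumed: when CISA was notified
REVOKED_AT = parse_time("2026-05-19T00:00:00Z")      # assumed: about 48h after takedown
TRUSTED_CIDRS = ["10.0.0.0/8"]                       # assumed agency address range

SAMPLE_RECORDS = [
    {"eventTime": "2025-11-10T14:00:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2026-03-02T03:11:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2026-05-18T22:40:00Z", "eventName": "CreateUser",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2026-05-20T10:00:00Z", "eventName": "GetObject",
     "sourceIPAddress": "10.0.0.9",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAI44QH8DHBEXAMPLE"}},  # not leaked
]


def run_demo() -> list[Hit]:
    return triage(SAMPLE_RECORDS, EXPOSED_KEYS, EXPOSURE_START, NOTIFIED_AT, REVOKED_AT, TRUSTED_CIDRS)


if __name__ == "__main__":
    demo_hits = run_demo()
    for h in demo_hits:
        print(f"{h.event_time:%Y-%m-%d %H:%M} {h.phase:18} {h.event_name:18} {h.source_ip:15} "
              f"{'UNTRUSTED' if h.untrusted_ip else 'known'} {'MUTATING' if h.mutating else ''}")
    print("escalate:", needs_escalation(demo_hits))
```

On the constructed records the baseline call from an internal address is benign, the `DescribeInstances` call from an unknown address during the exposure period is reconnaissance worth explaining, and the `CreateUser` call from another unknown address inside the post-notification window is the kind of event that turns "no indication" into a confirmed compromise. The same classification applies unchanged to the real trail once the exposed key IDs and the agency's address ranges are substituted.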
The incident is a stark reminder that even the agency charged with national cybersecurity is susceptible to fundamental operational security failures. Using a public GitHub repository as a personal scratchpad is a basic mistake, and for an organization whose cloud keys unlock government systems, it is one with serious consequences.