AWS GovCloud administrative credentials exposed via contractor-managed public GitHub repository

1 unique source, 1 article

Summary

A contractor for the Cybersecurity & Infrastructure Security Agency (CISA) exposed credentials for multiple highly privileged AWS GovCloud accounts and internal CISA systems via a public GitHub repository named "Private-CISA" over an extended period. The repository contained plaintext passwords, cloud keys, tokens, logs, and software deployment details, enabling potential lateral movement within CISA’s internal networks. The exposure was first reported by GitGuardian researcher Guillaume Valadon on May 15, 2026, and the repository was taken offline shortly thereafter, though exposed AWS keys remained valid for an additional 48 hours. CISA has stated there is no indication of sensitive data compromise resulting from this incident. The contractor, employed by Nightwing, used the repository as an informal synchronization mechanism between work and personal environments, disabling GitHub’s default secrets detection features.

Timeline

  1. 18.05.2026 23:48 · 1 article

    AWS GovCloud administrative keys and CISA internal credentials exposed via public GitHub repository

    A CISA contractor’s public GitHub repository named "Private-CISA" exposed credentials for three AWS GovCloud accounts with administrative privileges, plaintext passwords for dozens of internal CISA systems, and credentials to CISA’s internal artifactory repository. The repository, created November 13, 2025, and maintained by a Nightwing contractor, contained plaintext passwords, cloud keys, tokens, logs, and software deployment files. The contractor disabled GitHub’s default secrets detection and used the repository as an informal synchronization mechanism between work and personal environments. The exposure was reported by GitGuardian researcher Guillaume Valadon on May 15, 2026, and the repository was taken offline shortly thereafter. However, exposed AWS keys remained valid for an additional 48 hours. CISA is investigating and has stated there is no indication of sensitive data compromise.

Information Snippets

  • A CISA contractor’s public GitHub repository named "Private-CISA" exposed credentials for three AWS GovCloud accounts with administrative privileges, plaintext passwords for internal CISA systems, cloud keys, tokens, logs, and software deployment files.

    First reported: 18.05.2026 23:48
    1 source, 1 article
  • The exposed repository included credentials for CISA’s internal "artifactory" repository, which hosts software packages used for building CISA systems, potentially enabling supply-chain compromise or persistent backdoors.

    First reported: 18.05.2026 23:48
    1 source, 1 article
  • The GitHub account owner disabled GitHub’s default settings that block the publication of SSH keys and other secrets in public repositories, and stored passwords in plaintext files such as "AWS-Workspace-Firefox-Passwords.csv".

    First reported: 18.05.2026 23:48
    1 source, 1 article
  • The "Private-CISA" repository was created on November 13, 2025, and the contractor’s GitHub account dates back to September 2018. The repository was taken offline after notification, but exposed AWS keys remained valid for 48 hours.

    First reported: 18.05.2026 23:48
    1 source, 1 article
  • A CISA spokesperson stated there is no indication of sensitive data compromise resulting from the exposure and that additional safeguards are being implemented.

    First reported: 18.05.2026 23:48
    1 source, 1 article
  • The contractor, employed by Nightwing, used easily guessable passwords for internal resources (e.g., platform name followed by the current year) and the repository appears to have been used as a synchronization mechanism between work and personal devices.

    First reported: 18.05.2026 23:48
    1 source, 1 article