Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Browse News Feed Stats Watchlists Beta About Contact

CISA contractor GitHub repository exposed internal credentials

Data Leak
First reported
Last updated
Happening score
H score 26
1 unique sources, 2 articles

Summary

Hide ▲

A CISA contractor left a public GitHub repository exposing AWS GovCloud credentials and internal access material, creating a serious data leak involving sensitive government systems. The repository, Private-CISA, contained cloud keys, tokens, and plaintext passwords for internal CISA resources. Researchers later validated that the exposed credentials could access three AWS GovCloud accounts at a high privilege level. The exposure was removed, but the leaked material had already created a significant risk of unauthorized access and lateral movement.

Related Happenings

Congress demands CISA answers on GitHub credential leak

Public Sector Action
First: 22.05.2026 19:34 Last: 22.05.2026 19:34 Sources 1

How related: Lawmakers in both houses of Congress are demanding answers from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) after KrebsOnSecurity reported this week that a CISA contractor intentionally published AWS GovCloud keys and a vast trove of other agency secrets on a public GitHub account.

About this happening: **Lawmakers in both houses of Congress** demanded answers from **CISA** after a contractor exposed **AWS GovCloud keys** and other secrets on **public GitHub**. The letters presse...

Open Happening

GitHub data exposed after GitHub breach

Data Leak
First: 20.05.2026 11:14 Last: 20.05.2026 11:14 Sources 1

About this happening: GitHub confirmed **exfiltration** of **internal repositories**, making private code and related content potentially available to outsiders. Attackers on the **Breached cybercrime...

Open Happening

GitHub internal repositories private-code leak claim

Data Leak
First: 20.05.2026 08:08 Last: 20.05.2026 08:08 Sources 1

About this happening: GitHub is facing a claimed leak of **internal repositories** after **TeamPCP** said it had access to about **4,000 private-code repos** and tried to sell samples. The alleged expo...

Latest development: 21.05.2026 17:45

A malicious version of Nx Console 18.95.0 was uploaded to Visual Studio Marketplace and Open VSX on May 18, fetched an obfuscated payload, and harvested secrets from ~/.vault-token, /etc/vault/token, .npmrc, ghp_/gho_/ghs_ tokens, AWS metadata, and other local sources; GitHub said the poisoned VS Code extension led to unauthorized access to about 3800 internal repositories.

Open Happening

Shai-Hulud public GitHub repository credential exposure

Data Leak
First: 18.05.2026 20:28 Last: 18.05.2026 20:28 Sources 1

About this happening: **Shai-Hulud** stole **developer credentials** that were later exposed in **public GitHub repositories**, turning a theft phase into a public leak of access data. The exposed mate...

Open Happening

Developer environments using KICS data exposed after Checkmarx breach

Data Leak
First: 23.04.2026 19:05 Last: 23.04.2026 19:05 Sources 1

About this happening: The compromised **Checkmarx KICS** toolchain was used to exfiltrate **GitHub tokens**, **cloud credentials**, and other secrets from developer environments, creating immediate acc...

Open Happening

Timeline

  1. 22.05.2026 19:34 1 articles · 5d ago

    Lawmakers demand answers over CISA Private-CISA leak

    Legal Policy Action Update

    On May 19, Sen. Maggie Hassan and Rep. Bennie Thompson, with Rep. Delia Ramirez co-signing Thompson’s letter, sent separate letters to CISA demanding answers about the Private-CISA GitHub leak and warning that the credential exposure raised serious concerns about CISA’s internal policies, contract support, and security culture.

    Show sources
    Open in new tab
  2. 18.05.2026 23:48 2 articles · 9d ago

    Private-CISA repository exposes CISA and DHS credentials

    Initial Disclosure

    A contractor-maintained public GitHub repository named Private-CISA was created and exposed CISA and DHS secrets, including AWS GovCloud administrative credentials, cloud keys, tokens, plaintext passwords, logs, and files showing how CISA builds, tests, and deploys software internally.

    Show sources
    Open in new tab
  3. 18.05.2026 23:48 1 articles · 9d ago

    Researchers validate Private-CISA credentials and CISA investigates

    Technical Analysis Update

    Researchers from GitGuardian and Seralys validated that the leaked AWS keys could authenticate to three AWS GovCloud accounts at a high privilege level, found plaintext credentials for CISA's internal artifactory and other systems, and CISA said it was investigating with no indication that sensitive data had been compromised. The repository was taken offline after notification, but the exposed AWS keys reportedly remained valid for another 48 hours.

    Show sources
    Open in new tab