© 2026 Systems Leadership and Engineering Network. sylen.org.

Infrastructure | Source: krebsonsecurity.com | May 19, 2026

CISA GovCloud Administrative Keys and DevSecOps Secrets Exposed in Public GitHub Repo

A CISA contractor exposed administrative credentials for AWS GovCloud accounts, internal DevSecOps environments, and software registries in a public GitHub repository. Security researchers verified that the leaked AWS keys remained active for 48 hours after the public repository was taken offline.

Compromised Infrastructure and Assets

A public GitHub repository named "Private-CISA," maintained by an employee of government contractor Nightwing, exposed highly privileged credentials for CISA's cloud and software deployment infrastructure. Security researchers Guillaume Valadon of GitGuardian and Philippe Caturegli of Seralys discovered and analyzed the repository. The exposed assets included:

  • Administrative credentials for three Amazon AWS GovCloud servers, stored in a file titled "importantAWStokens."
  • Plaintext credentials for CISA's internal Artifactory instance, the central repository for code packages used to compile and deploy the agency’s software.
  • A file named "AWS-Workspace-Firefox-Passwords.csv" containing plaintext usernames and passwords for dozens of internal CISA systems.
  • Administrative access to "LZ-DSO" (Landing Zone DevSecOps), CISA’s secure code development environment.

Access to the Artifactory server represents a severe supply chain threat. A malicious actor with write access could insert persistent backdoors into codebase packages, facilitating lateral movement across all systems deploying newly built CISA software.

Mechanics of the Leak and SecOps Failures

Git metadata indicates the repository was created on November 13, 2025. The contractor appears to have used the public repository as a synchronization scratchpad to move files between a CISA-associated work laptop and a home computer, committing changes using both professional and personal email addresses.

To push these files, the operator explicitly disabled GitHub’s default secret detection engine, which is designed to block commits containing SSH keys and API tokens. The repository's commit logs contained explicit commands bypassing this guardrail. Additional anti-patterns included committing raw database backups directly to the repository and storing passwords in plain text CSV files. The exposed files also revealed weak password complexity practices; multiple internal platforms used credentials consisting of the target platform's name appended with the current year.
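The weak-password pattern described above (platform name plus a year) can be audited defensively. The following is an added example, not code from the original article or from CISA: it scans a browser password export and reports which entries follow that pattern, without printing the passwords. It assumes a CSV with url, username and password columns, generalizes "current year" to any four-digit year, and uses invented hosts and credentials as sample data.

```python
import csv
import io
import re
from urllib.parse import urlparse

# Constructed sample (assumed url/username/password column layout);
# every host and credential below is invented for illustration.
SAMPLE_EXPORT = '''"url","username","password"
"https://artifactory.example.internal","svc-build","Artifactory2025"
"https://jenkins.example.internal","admin","jenkins@2026!"
"https://wiki.example.internal","jdoe","t7#Lq9vZ!pR2xw"
"https://grafana.example.internal:3000","ops","Gr4fana2025"
'''

YEAR = re.compile(r"(?:19|20)\d{2}")
# Undo common digit/symbol substitutions before comparing names.
LEET = str.maketrans("4301$57", "aeoisst")


def platform_tokens(url):
    """Candidate platform names: host labels of the URL, 4+ characters."""
    host = urlparse(url).hostname or ""
    return {label for label in host.lower().split(".") if len(label) >= 4}


def is_name_plus_year(password, url):
    """True when the password is a platform name plus a year, ignoring
    case, simple leetspeak and punctuation separators."""
    match = YEAR.search(password)
    if not match:
        return False
    rest = password[:match.start()] + password[match.end():]
    normalized = re.sub(r"[^a-z]", "", rest.lower().translate(LEET))
    return normalized in platform_tokens(url)


def audit_export(csv_text):
    """Return (url, username) for each weak entry; never the password."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [(row["url"], row["username"]) for row in reader
            if is_name_plus_year(row["password"], row["url"])]


if __name__ == "__main__":
    for url, user in audit_export(SAMPLE_EXPORT):
        print(f"WEAK name+year password: {user} @ {url}")
```

Any entry it flags should be rotated regardless, since a password sitting in a plaintext export has to be treated as exposed.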

Incident Response and Organizational Context

The GitHub account hosting the repository was established in September 2018 and was taken offline shortly after GitGuardian and Seralys notified CISA. However, despite the deletion of the public repository, the exposed AWS GovCloud keys remained active and valid for an additional 48 hours before being revoked.

CISA stated that an investigation is ongoing and that there is currently no indication that sensitive data was compromised as a result of the exposure.

The incident occurs amid significant resource constraints at CISA. The agency is currently operating with a depleted budget and has lost nearly one-third of its total workforce since the start of the second Trump administration due to buyouts, early retirements, and resignations.

Read the original article at krebsonsecurity.com.