CISA Contractor Exposed AWS GovCloud Keys in Public GitHub Repository

A contractor working for the Cybersecurity and Infrastructure Security Agency maintained a public GitHub repository that exposed credentials to AWS GovCloud accounts and internal CISA systems until May 2026, according to KrebsOnSecurity.
The exposed repository, named "Private-CISA," contained cloud keys, authentication tokens, plaintext passwords, log files, and other sensitive assets belonging to the federal cybersecurity agency. GitHub's push protection, which is on by default for public repositories and rejects pushes containing recognizable secrets such as private keys and cloud API keys, had been turned off by the contractor.
Scope of the Exposure
The leaked files included AWS-Workspace-Bookmarks-April-6-2026.html, AWS-Workspace-Firefox-Passwords.csv, Important AWS Tokens.txt, and kube-config.txt, a configuration file that grants access to Kubernetes clusters. The repository also contained plaintext credentials to CISA's internal Artifactory repository, which houses the code packages used to build the agency's software.
AWS GovCloud credentials are particularly sensitive because the GovCloud (US) regions are an isolated partition built for federal agencies and contractors handling sensitive unclassified data, such as controlled unclassified information and ITAR-controlled material; classified workloads run in separate air-gapped regions, not in GovCloud. GovCloud operates under stricter controls and compliance frameworks than commercial regions (FedRAMP High and DoD impact levels among them), so a leaked long-term access key there exposes exactly the workloads those controls exist to protect.
The Kubernetes configuration file compounds the problem. A kubeconfig lists cluster API server endpoints and their CA certificates, the user credentials that authenticate to them (client certificates and keys, bearer tokens, or exec plugin settings), and the contexts that bind the two. Anyone holding it can run kubectl against the named clusters with the embedded identity's permissions, which for an administrator's config means control of the workloads and often of the nodes.
Technical Control Failures
The exposure required multiple control failures. GitHub's secret scanning looks for credential patterns registered by service providers (AWS access keys, GitHub tokens, private-key headers and the like), and its push protection, enabled by default on public repositories, rejects a push that contains one of them unless the user explicitly bypasses the block. The contractor had turned this protection off. Even with it on, pattern matching only catches formats the scanner knows: a Firefox password export or a plaintext password list in a CSV carries no recognizable prefix and would have gone through.
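As an added example (not code from the page, from GitHub, AWS or CISA), the scan below runs detectors modelled on the formats push protection recognizes over constructed files whose names mirror those reported above, then parses the kubeconfig by structure rather than by pattern. The file contents, the AWS key material (AWS's documented placeholder values) and the opaque token are all constructed; the kubeconfig is written in JSON, which kubectl accepts because JSON is valid YAML, to avoid a YAML dependency. The function names scan_text, kubeconfig_secret_fields and triage are this example's own.

```python
"""Pattern-based secret scan over constructed sample files, showing what a
push-protection style scanner catches and what it misses.

Added example; not code from GitHub, AWS, CISA or the contractor.
"""
import json
import re

# Detectors modelled on provider patterns. The AWS access key ID format
# (AKIA/ASIA + 16 characters) and the PEM header are real formats; the
# secret-key detector relies on the surrounding label as context.
DETECTORS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"aws_secret_access_key\s*[=:]\s*[A-Za-z0-9/+]{40}\b", re.IGNORECASE),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"),
}


def scan_text(text):
    """Return the sorted names of detectors that match anywhere in text."""
    return sorted(name for name, rx in DETECTORS.items() if rx.search(text))


# A kubeconfig keeps credentials under users[].user. Anything under these keys
# is a secret whether or not it matches a public pattern, so a format-aware
# check finds what the regexes above cannot.
KUBECONFIG_SECRET_KEYS = ("client-key-data", "client-certificate-data", "token", "password")


def kubeconfig_secret_fields(text):
    """Parse a kubeconfig in JSON form and list (user name, field) pairs that
    carry embedded credentials. Non-JSON input yields an empty list."""
    try:
        cfg = json.loads(text)
    except ValueError:
        return []
    found = []
    for entry in cfg.get("users", []):
        user = entry.get("user", {})
        for key in KUBECONFIG_SECRET_KEYS:
            if key in user:
                found.append((entry.get("name"), key))
    return found


# Constructed sample files. Names mirror the reported ones; contents are made up.
SAMPLE_FILES = {
    "Important AWS Tokens.txt": (
        "govcloud admin\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"  # AWS documentation placeholder
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "kube-config.txt": json.dumps({
        "apiVersion": "v1", "kind": "Config",
        "clusters": [{"name": "prod", "cluster": {"server": "https://10.0.0.1:6443"}}],
        "users": [{"name": "admin", "user": {"token": "constructed-opaque-token-0123456789"}}],
        "contexts": [{"name": "prod", "context": {"cluster": "prod", "user": "admin"}}],
    }),
    "AWS-Workspace-Firefox-Passwords.csv": (
        "url,username,password\n"
        "https://artifactory.example.internal,svc-build,Winter2026!\n"
    ),
}


def triage(files):
    """Map each file name to its regex hits and its kubeconfig credential fields."""
    return {
        name: {
            "pattern_hits": scan_text(text),
            "kubeconfig_fields": kubeconfig_secret_fields(text),
        }
        for name, text in files.items()
    }


if __name__ == "__main__":
    for name, result in triage(SAMPLE_FILES).items():
        print(name, result)
```

The token file is caught by both AWS detectors, the kubeconfig is caught only by the structural check (its bearer token is opaque and matches no pattern), and the password CSV is caught by neither. That last result is the point: pattern scanning is a necessary control and an insufficient one.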
The repository's "Private-CISA" naming convention suggests awareness of the sensitive nature of the contents, making the public visibility particularly problematic. Standard secure development practices call for using environment variables, secret management services, or encrypted configuration files rather than committing credentials directly to version control.
Enterprise controls such as branch protection, mandatory code review and organization-wide secret scanning apply only to repositories the organization owns; a repository under a contractor's personal account sits outside all of them. The controls that do reach that case are client-side and credential-side: pre-commit secret scanning on the developer's machine, short-lived credentials that expire before a leak matters, and monitoring of public code for the organization's own key formats and hostnames. The failure suggests gaps in both those technical controls and in security awareness training for personnel with access to critical government infrastructure.
Historical Context and Patterns
This incident follows a familiar pattern of government credential exposures through developer platforms. In my three decades covering cybersecurity incidents, the most damaging breaches often stem from basic operational security failures rather than sophisticated attacks. The 2020 SolarWinds compromise, while more complex in execution, similarly exploited trusted infrastructure and credentials to access government systems.
The Artifactory repository access represents a supply chain risk vector. These repositories often contain not just source code but build artifacts, dependencies, and deployment scripts that could give an attacker detailed infrastructure knowledge or an insertion point for malicious code in a package that downstream builds trust.
Government Cloud Security Implications
Federal agencies increasingly rely on cloud infrastructure for both classified and unclassified workloads. AWS GovCloud, Azure Government, and similar FedRAMP-authorized services carry the sensitive unclassified tier of that work and form backbone infrastructure for government operations. Credential exposure at this level can reach beyond CISA itself if the same accounts, roles or tokens are shared with partner agencies and programs.
The report does not say when the repository was first published. At least one file name carries an April 2026 date, and the repository stayed public until May 2026, so the material was exposed for weeks at a minimum. That it remained public for that long without detection raises questions about oversight and monitoring of contractor activity.
Industry Response and Assessment
Security experts described the GitHub exposure as among the most egregious government data leaks in recent history. The assessment reflects both the sensitivity of the exposed systems and the fundamental nature of the security control failures involved.
The incident highlights persistent challenges in securing the government-contractor ecosystem. While agencies implement strict security requirements for their own personnel, contractor oversight often involves different processes and tools that may not provide equivalent protection.
Looking at the broader implications for federal cybersecurity, this exposure underscores the difficulty of maintaining security boundaries when critical infrastructure increasingly relies on commercial cloud platforms and third-party development services. The attack surface extends beyond traditional government networks to include developer workflows, cloud management interfaces, and the full software supply chain.
Remediation and Response
CISA has not publicly detailed its response timeline or remediation efforts. Standard incident response here would start with rotating everything in the repository: deactivating and then deleting the exposed IAM access keys, applying a deny policy conditioned on aws:TokenIssueTime to cut off any temporary credentials already minted with them, revoking the Artifactory tokens and passwords, and reissuing the client certificates or service-account tokens embedded in the kubeconfig. It would then move to forensic review of whether the credentials were used, and to control changes that prevent recurrence.
The agency faces the additional challenge of assessing what may have been compromised without complete visibility into who read the public repository. GitHub does not give repository owners per-visitor access logs for public repositories; traffic insights show only aggregate view and clone counts over a short window, and any server-side logs GitHub retains are not available to the owner. Attribution therefore has to come from the credential-consuming side: CloudTrail records for the exposed access keys, Kubernetes API audit logs for the kubeconfig identity, and Artifactory access logs for the leaked accounts.
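Assuming CloudTrail is enabled in the affected GovCloud account, the first forensic question is whether the leaked keys were used. The following is an added example, not CISA's or AWS's code: it filters constructed CloudTrail-shaped records for calls made with the exposed key IDs after an assumed exposure start, from addresses outside an assumed known-good list, and summarizes them by source address. The key IDs are AWS documentation placeholders; the dates, addresses, EXPOSURE_START and KNOWN_GOOD_SOURCES are assumptions for the example.

```python
"""Triage CloudTrail records for use of exposed access keys.

Added example, not CISA's or AWS's code. The records are constructed in
CloudTrail's JSON shape; key IDs are AWS documentation placeholders.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Key IDs recovered from the leaked repository (placeholder values).
EXPOSED_KEY_IDS = {"AKIAIOSFODNN7EXAMPLE"}
# Earliest time the repository is known to have been public (assumed here;
# in practice taken from the repository's commit history).
EXPOSURE_START = datetime(2026, 4, 6, tzinfo=timezone.utc)
# Assumed egress address of the contractor's legitimate build environment.
KNOWN_GOOD_SOURCES = {"10.20.30.40"}

# Constructed records in CloudTrail's shape.
SAMPLE_RECORDS = json.loads("""
{"Records": [
 {"eventTime": "2026-04-01T12:00:00Z", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
  "awsRegion": "us-gov-west-1", "sourceIPAddress": "10.20.30.40",
  "userIdentity": {"type": "IAMUser", "userName": "svc-build", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
 {"eventTime": "2026-04-09T03:14:07Z", "eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
  "awsRegion": "us-gov-west-1", "sourceIPAddress": "203.0.113.7",
  "userIdentity": {"type": "IAMUser", "userName": "svc-build", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
 {"eventTime": "2026-04-09T03:15:22Z", "eventName": "GetCallerIdentity", "eventSource": "sts.amazonaws.com",
  "awsRegion": "us-gov-west-1", "sourceIPAddress": "203.0.113.7",
  "userIdentity": {"type": "IAMUser", "userName": "svc-build", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
 {"eventTime": "2026-04-09T03:20:00Z", "eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
  "awsRegion": "us-gov-west-1", "sourceIPAddress": "203.0.113.7", "errorCode": "AccessDenied",
  "userIdentity": {"type": "IAMUser", "userName": "svc-build", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
 {"eventTime": "2026-04-10T08:00:00Z", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
  "awsRegion": "us-gov-west-1", "sourceIPAddress": "10.20.30.40",
  "userIdentity": {"type": "IAMUser", "userName": "deploy", "accessKeyId": "AKIAI44QH8DHBEXAMPLE"}}
]}
""")["Records"]


def parse_time(s):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def suspicious_events(records):
    """Calls made with an exposed key, after exposure start, from an address
    not on the known-good list. Denied calls are kept on purpose: a refused
    CreateAccessKey is still evidence of a persistence attempt."""
    out = []
    for r in records:
        key = r.get("userIdentity", {}).get("accessKeyId")
        if key not in EXPOSED_KEY_IDS:
            continue
        if parse_time(r["eventTime"]) < EXPOSURE_START:
            continue
        if r.get("sourceIPAddress") in KNOWN_GOOD_SOURCES:
            continue
        out.append(r)
    return out


def summarize(events):
    """Group suspicious calls by source address into call count, the sorted
    service:action names seen, and how many calls IAM denied."""
    by_ip = defaultdict(lambda: {"count": 0, "events": set(), "denied": 0})
    for r in events:
        entry = by_ip[r["sourceIPAddress"]]
        entry["count"] += 1
        entry["events"].add(f'{r["eventSource"].split(".")[0]}:{r["eventName"]}')
        if "errorCode" in r:
            entry["denied"] += 1
    return {
        ip: {"count": v["count"], "events": sorted(v["events"]), "denied": v["denied"]}
        for ip, v in by_ip.items()
    }


if __name__ == "__main__":
    for ip, stats in summarize(suspicious_events(SAMPLE_RECORDS)).items():
        print(ip, stats)
```

Against the constructed records, the pre-exposure call and the unrelated key are excluded, leaving three calls from one unfamiliar address: a reconnaissance pair (sts:GetCallerIdentity, s3:ListBuckets) followed by a denied iam:CreateAccessKey. That sequence is what a key-rotation decision should be made on, and the same filter applies unchanged to temporary credentials, whose ASIA-prefixed key IDs appear in the same accessKeyId field.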
For organizations using similar cloud infrastructure and development workflows, this incident reinforces the importance of automated secret scanning, regular security training, and clear policies governing the handling of cloud credentials and configuration data. The technical solutions exist; implementation and enforcement remain the persistent challenges.