Skip to main content
Emerging ThreatsData Breaches

CISA Contractor Exposes AWS GovCloud Keys in GitHub Leak

Empty computer workstation with laptop and papers in a neutral office setting, hint of coding workspace in background.

“Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature,” Guillaume Valadon wrote after inspecting the repository. “I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I’ve witnessed in my career.”

Scope of the leak: keys, plaintext passwords and build artifacts

The public GitHub repository named “Private-CISA,” maintained until recently by a contractor for the Cybersecurity & Infrastructure Security Agency (CISA), exposed credentials and internal files tied to highly privileged AWS GovCloud accounts and numerous internal CISA systems. Files captured in the archive included an item titled “importantAWStokens” containing administrative credentials to three Amazon AWS GovCloud servers, and “AWS-Workspace-Firefox-Passwords.csv,” which listed plaintext usernames and passwords for dozens of internal CISA systems.

Security consultant Philippe Caturegli reported that the archive also contained plain text credentials to CISA’s internal “artifactory” — a repository of code packages used to build software — and referenced an internal environment called “LZ-DSO,” which appears short for “Landing Zone DevSecOps.” Caturegli noted the presence of logs, tokens, SSH keys and other sensitive assets throughout the repository.

  • Administrative AWS GovCloud credentials (three accounts)
  • Plaintext usernames and passwords for dozens of internal systems
  • Credentials for internal artifactory and references to “LZ-DSO”
  • Commit history showing explicit commands to disable GitHub secrets detection

How the exposure was discovered and validated

KrebsOnSecurity said it was alerted on May 15 by Guillaume Valadon, a researcher with the security firm GitGuardian, which continuously scans public code repositories for exposed secrets. Valadon told KrebsOnSecurity he reached out because the repository owner wasn’t responding and the data appeared highly sensitive.

Philippe Caturegli of the security consultancy Seralys said he tested the exposed AWS keys only to confirm whether they remained valid and to determine the scope of access. Caturegli reported that the credentials could authenticate to three AWS GovCloud accounts at a high privilege level and that some passwords used an easily-guessed pattern of platform name plus the current year.

Nightwing contractor, repository timeline, and remediation steps taken

Review of the account that hosted the Private-CISA repository showed it was maintained by an employee of Nightwing, a government contractor based in Dulles, Va.; Nightwing declined to comment and directed inquiries to CISA. KrebsOnSecurity reported that the contractor’s GitHub account had been created in September 2018 and that the Private-CISA repository itself was created on November 13, 2025.

After notification by KrebsOnSecurity and Seralys, the GitHub account and the Private-CISA repository were taken offline. Caturegli, however, said the exposed AWS keys inexplicably remained valid for another 48 hours after the account was removed.

CISA’s response and agency operating context

A CISA spokesperson told KrebsOnSecurity the agency is aware of the reported exposure and is continuing to investigate. “Currently, there is no indication that any sensitive data was compromised as a result of this incident,” the spokesperson said, adding that the agency is “working to ensure additional safeguards are implemented to prevent future occurrences.”

The reporting also notes CISA’s current operating environment: the agency is “operating with only a fraction of its normal budget and staffing levels” and has “lost nearly a third of its workforce since the beginning of the second Trump administration,” a set of losses the article says “forced a series of early retirements, buyouts, and resignations across the agency’s various divisions.”

What this means for technologists, policymakers, and adversaries

  • Technologists and security teams: The exposure demonstrates how sensitive build and deployment artifacts — artifactory credentials, deployment tokens, and plaintext password stores — can permit lateral movement and supply-chain compromise if leaked. Caturegli warned that an artifactory with write access could be a “prime place to move laterally” or to plant backdoors that propagate when packages are built and deployed.
  • Policymakers and procurement leaders: The incident highlights the operational risk tied to contractor operations and account hygiene, including the disabling of preventive GitHub controls and use of weak, predictable passwords. CISA’s stated steps to implement additional safeguards will be viewed through the prism of the agency’s reduced budget and staffing levels described in the reporting.
  • Adversaries and threat actors: The combination of high-privilege AWS GovCloud credentials, build-repository access, and plaintext credentials increases opportunities for persistent footholds and broad lateral access if actors can exploit the artifacts before revocation.

Two concrete facts remain central as the investigation continues: CISA says there is currently no indication of compromise, and some exposed AWS keys remained active for roughly 48 hours after the account was taken offline. That mismatch — rapid public removal of the repository but delayed credential revocation — is the immediate operational question CISA’s investigation will need to answer.

Original reporting: KrebsOnSecurity, “CISA Admin Leaked AWS GovCloud Keys on Github”