Major Security Lapse at CISA: Contractor Exposes GovCloud Keys and Internal Credentials on Public GitHub Repository

Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the nation's lead agency for cyber defense, is facing a significant security incident and congressional inquiry after a contractor exposed a trove of sensitive data on a public GitHub repository. The repository, ironically named "Private-CISA," contained plaintext credentials, including keys for AWS GovCloud accounts, SSH keys, and access tokens for internal CISA systems. The leak, discovered by researchers at GitGuardian, persisted for several months and appears to have been caused by a contractor using the public repository to synchronize work files. The incident highlights a critical failure in both operational security (OpSec) by the contractor and oversight by CISA, undermining the agency's credibility and creating a potential goldmine for nation-state adversaries.

Threat Overview

The incident was not a sophisticated hack but a case of gross negligence. A contractor with administrative access created a public GitHub repository in November 2025 to sync files between different computers. This repository contained 844 MB of highly sensitive data, including:

• Plaintext credentials for three separate AWS GovCloud accounts.
• SSH keys granting network access.
• Access tokens for CISA's internal Artifactory instance, a repository for software build packages.
• CI/CD build logs, Kubernetes manifests, and infrastructure-as-code files.
• An RSA private key for a GitHub app with full access to CISA's repositories.

Researchers noted that the contractor seemed to have intentionally disabled GitHub's built-in secret scanning protections, exacerbating the risk. The leak was discovered on May 14, 2026, and the repository was taken down shortly after. However, the exposure of these credentials for months provides a large window of opportunity for malicious actors to have discovered and copied the data.

Technical Analysis

The root cause is a fundamental failure of data handling and security policy.

• Attack Vector: Accidental exposure via a public source code repository. This is a common but highly dangerous mistake, categorized by MITRE as T1537 - Transfer Data to Cloud Account.
• Exposed Assets: The leaked credentials provided potential access to the crown jewels of a cybersecurity agency's infrastructure. Access to AWS GovCloud could allow an attacker to disrupt systems, steal more data, or establish persistence. Access to Artifactory is particularly dangerous, as it could enable a supply chain attack by poisoning software packages used by CISA and other government agencies.
• Attacker Opportunity: An adversary who discovered this repository could have easily cloned it, gaining all the secrets within minutes. The fact that a private key for a powerful GitHub app was not immediately invalidated post-discovery is a major concern.

MITRE ATT&CK Techniques

• T1552.005 - Cloud Credentials: The incident involves the exposure of cloud credentials, which an attacker could use for subsequent access.
• T1526 - Cloud Service Discovery: An attacker with the leaked credentials could perform reconnaissance within CISA's cloud environment.
• T1195.002 - Compromise Software Supply Chain: Access to Artifactory could facilitate a devastating supply chain attack.
• T1537 - Transfer Data to Cloud Account: This technique describes the action of moving data to a cloud account, which in this case was a public GitHub repository, making it an exfiltration/exposure vector.

Impact Assessment

While CISA claims no evidence of compromise, the potential impact is severe.

• National Security Risk: The exposure of credentials for a top cybersecurity agency like CISA poses a direct risk to U.S. national security. Nation-state actors could leverage this access to conduct espionage, disrupt critical infrastructure monitoring, or launch further attacks against government systems.
• Reputational Damage: For an agency whose mission is to lead national cybersecurity efforts, this incident is deeply embarrassing and damaging to its credibility. It undermines the trust that other government agencies and private sector partners place in CISA.
• Operational Impact: CISA must now undertake a massive and costly effort to rotate every exposed credential, audit all related systems for signs of compromise, and overhaul its contractor security policies. The congressional inquiry will consume significant time and resources.

IOCs — Directly from Articles

The repository was named Private-CISA, but no URL or other specific IOCs were provided in the articles.

Cyber Observables — Hunting Hints

Security teams should proactively hunt for similar exposures:

Detection & Response

• Detection: Implement automated secret scanning across all public and private code repositories. Services like GitGuardian or GitHub's own Advanced Security can detect leaked credentials in real-time. Monitor for the creation of new public repositories by employees or contractors that contain company-related keywords. D3FEND's D3-SFA - System File Analysis can be applied to code repositories to hunt for sensitive patterns.
• Response: The immediate response to a leaked credential is to revoke it. This includes rotating API keys, invalidating tokens, and removing SSH keys from authorized lists. The system or account associated with the credential must be audited for any unauthorized access. In this case, a full audit of the affected AWS GovCloud accounts and Artifactory instance is non-negotiable.

Mitigation

• Policy and Training: Enforce a strict policy that prohibits the use of public repositories for storing any internal code or data. All employees and contractors must receive regular training on secure coding practices and data handling.
• Technical Controls: Block git push operations to public repositories from corporate networks unless explicitly authorized. Use Data Loss Prevention (DLP) tools to scan outbound traffic and code commits for sensitive patterns.
• Vendor Management: Implement stringent security requirements for all contractors. This includes mandatory use of company-managed devices, prohibiting data transfer to personal machines, and regular audits of contractor activity.
• Credential Management: Eliminate long-lived static credentials wherever possible. Use short-lived tokens and identity federation (e.g., IAM roles) for accessing cloud resources. This aligns with M1026 - Privileged Account Management.