CISA Contractor Leaks AWS GovCloud Keys and Internal System Credentials on Public GitHub Repo

Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the nation's lead agency for cyber defense, is facing a significant security incident and congressional inquiry after a contractor exposed a trove of sensitive data on a public GitHub repository. The repository, ironically named "Private-CISA," contained plaintext credentials, including keys for AWS GovCloud accounts, SSH keys, and access tokens for internal CISA systems. The leak, discovered by researchers at GitGuardian, persisted for several months and appears to have been caused by a contractor using the public repository to synchronize work files. The incident highlights a critical failure in both operational security (OpSec) by the contractor and oversight by CISA, undermining the agency's credibility and creating a potential goldmine for nation-state adversaries.

Threat Overview

The incident was not a sophisticated hack but a case of gross negligence. A contractor with administrative access created a public GitHub repository in November 2025 to sync files between different computers. This repository contained 844 MB of highly sensitive data, including:

Plaintext credentials for three separate AWS GovCloud accounts.
SSH keys granting network access.
Access tokens for CISA's internal Artifactory instance, a repository for software build packages.
CI/CD build logs, Kubernetes manifests, and infrastructure-as-code files.
An RSA private key for a GitHub app with full access to CISA's repositories.

Researchers noted that the contractor seemed to have intentionally disabled GitHub's built-in secret scanning protections, exacerbating the risk. The leak was discovered on May 14, 2026, and the repository was taken down shortly after. However, the exposure of these credentials for months provides a large window of opportunity for malicious actors to have discovered and copied the data.

Technical Analysis

The root cause is a fundamental failure of data handling and security policy.

Attack Vector: Accidental exposure via a public source code repository. This is a common but highly dangerous mistake, categorized by MITRE as T1537 - Transfer Data to Cloud Account.
Exposed Assets: The leaked credentials provided potential access to the crown jewels of a cybersecurity agency's infrastructure. Access to AWS GovCloud could allow an attacker to disrupt systems, steal more data, or establish persistence. Access to Artifactory is particularly dangerous, as it could enable a supply chain attack by poisoning software packages used by CISA and other government agencies.
Attacker Opportunity: An adversary who discovered this repository could have easily cloned it, gaining all the secrets within minutes. The fact that a private key for a powerful GitHub app was not immediately invalidated post-discovery is a major concern.

MITRE ATT&CK Techniques

T1552.005 - Cloud Credentials: The incident involves the exposure of cloud credentials, which an attacker could use for subsequent access.
T1526 - Cloud Service Discovery: An attacker with the leaked credentials could perform reconnaissance within CISA's cloud environment.
T1195.002 - Compromise Software Supply Chain: Access to Artifactory could facilitate a devastating supply chain attack.
T1537 - Transfer Data to Cloud Account: This technique describes the action of moving data to a cloud account, which in this case was a public GitHub repository, making it an exfiltration/exposure vector.

Impact Assessment

While CISA claims no evidence of compromise, the potential impact is severe.

National Security Risk: The exposure of credentials for a top cybersecurity agency like CISA poses a direct risk to U.S. national security. Nation-state actors could leverage this access to conduct espionage, disrupt critical infrastructure monitoring, or launch further attacks against government systems.
Reputational Damage: For an agency whose mission is to lead national cybersecurity efforts, this incident is deeply embarrassing and damaging to its credibility. It undermines the trust that other government agencies and private sector partners place in CISA.
Operational Impact: CISA must now undertake a massive and costly effort to rotate every exposed credential, audit all related systems for signs of compromise, and overhaul its contractor security policies. The congressional inquiry will consume significant time and resources.

IOCs — Directly from Articles

The repository was named Private-CISA, but no URL or other specific IOCs were provided in the articles.

Cyber Observables — Hunting Hints

Security teams should proactively hunt for similar exposures:

Type

string_pattern

Value

AKIA[0-9A-Z]{16}

Description

Regular expression for AWS Access Key IDs, which should never be in public code.

Type

string_pattern

Value

-----BEGIN RSA PRIVATE KEY-----

Description

Header for an RSA private key. Its presence in a public repository is a critical finding.

Type

process_name

Value

git

Description

Monitor for git push commands containing large binary files or directories with names like .aws, .ssh, or credentials.

Type

log_source

Value

GitHub Audit Logs

Description

Review logs for repository creation, changes from public to private (or vice-versa), and alerts from secret scanning.

Type

url_pattern

Value

github.com/[company-name]*/

Description

Use automated tools to scan public GitHub for repositories accidentally created under personal accounts but containing company code or data.

Detection & Response

Detection: Implement automated secret scanning across all public and private code repositories. Services like GitGuardian or GitHub's own Advanced Security can detect leaked credentials in real-time. Monitor for the creation of new public repositories by employees or contractors that contain company-related keywords. D3FEND's D3-SFA - System File Analysis can be applied to code repositories to hunt for sensitive patterns.
Response: The immediate response to a leaked credential is to revoke it. This includes rotating API keys, invalidating tokens, and removing SSH keys from authorized lists. The system or account associated with the credential must be audited for any unauthorized access. In this case, a full audit of the affected AWS GovCloud accounts and Artifactory instance is non-negotiable.

Mitigation

Policy and Training: Enforce a strict policy that prohibits the use of public repositories for storing any internal code or data. All employees and contractors must receive regular training on secure coding practices and data handling.
Technical Controls: Block git push operations to public repositories from corporate networks unless explicitly authorized. Use Data Loss Prevention (DLP) tools to scan outbound traffic and code commits for sensitive patterns.
Vendor Management: Implement stringent security requirements for all contractors. This includes mandatory use of company-managed devices, prohibiting data transfer to personal machines, and regular audits of contractor activity.
Credential Management: Eliminate long-lived static credentials wherever possible. Use short-lived tokens and identity federation (e.g., IAM roles) for accessing cloud resources. This aligns with M1026 - Privileged Account Management.

In the context of the CISA leak, 'System File Analysis' must be extended beyond traditional endpoints to 'Code Repository Analysis'. This involves implementing automated, continuous scanning of public and private repositories associated with the organization and its employees. Tools like GitGuardian or TruffleHog should be integrated into the security workflow to act as a safety net. These tools use pattern matching to find secrets like AWS keys (AKIA...), SSH private keys (-----BEGIN RSA PRIVATE KEY-----), and API tokens. For CISA, a real-time alert from such a system upon the initial commit to the 'Private-CISA' repo would have enabled immediate response, reducing the exposure window from months to minutes. This proactive analysis is non-negotiable for any organization, especially one handling sensitive government data, to prevent human error from escalating into a major security incident.

Major Security Lapse at CISA: Contractor Exposes GovCloud Keys and Internal Credentials on Public GitHub Repository