The United States Cybersecurity and Infrastructure Security Agency (CISA) has found itself at the epicenter of a profound data exposure event. A third-party federal contractor maintained a publicly accessible GitHub repository containing an unencrypted archive populated with cryptographic keys, administrative passwords, and highly sensitive internal CISA documentation. According to security analysts, the exposure compromised administrative credentials tethered to high-privilege AWS GovCloud instances alongside dozens of the agency’s internal systems.
The exposed repository, plainly named Private-CISA, was flagged by GitGuardian, an automated secrets-detection platform built to identify credentials exposed in public source code. Guillaume Valadon, a senior researcher at GitGuardian, noted that the repository owner never responded to the automated alerts, despite the extreme sensitivity of the exposed data.
The exposed archive contained cloud infrastructure keys, active session tokens, plaintext passwords, historical system logs, and proprietary operational materials belonging to both CISA and the Department of Homeland Security (DHS). Characterizing the incident as an egregious failure of foundational security hygiene, Valadon observed that the repository’s commit history explicitly showed the administrator had manually disabled GitHub’s native push-protection guardrails, mechanisms designed to block the accidental publication of SSH keys and similar secret tokens.
A file named importantAWStokens yielded full administrative credentials for three Amazon AWS GovCloud servers. A spreadsheet named AWS-Workspace-Firefox-Passwords.csv held plaintext usernames and passwords for dozens of restricted CISA platforms. Conspicuous among these was the LZ-DSO node, an asset strongly implied to be tied to the agency’s hardened software development environment.
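The push-protection guardrails described above work by scanning content before it reaches a public repository and refusing the push when a secret pattern is found. The following is an added illustration, not code from GitHub, GitGuardian, or anyone involved in the incident: a minimal pre-push scanner that recognises the two kinds of material the article says were exposed, AWS credential files and a CSV of plaintext passwords. The regular expressions are assumed typical formats, not any vendor’s real detection rules, and the staged file contents are constructed samples (the AWS values are the placeholder keys from AWS’s own documentation).

```python
import re
from dataclasses import dataclass

# Assumed patterns for secret types named on the page. These are
# illustrative, not GitHub's or GitGuardian's actual rules.
RULES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)secret[^\n]{0,25}?[=:]\s*[\"']?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+=])"
    ),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"
    ),
}
# A CSV whose header row has a "password" column is treated as a password
# export regardless of what the individual values look like.
PASSWORD_CSV_HEADER = re.compile(r"(?i)^\s*(?:[^,]*,)*\s*password\s*(?:,|$)")


@dataclass
class Finding:
    path: str
    line: int
    rule: str


def scan_file(path, text):
    """Return every secret-like hit in one file as a list of Findings."""
    findings = []
    lines = text.splitlines()
    for number, line in enumerate(lines, 1):
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append(Finding(path, number, rule))
    if path.lower().endswith(".csv") and lines and PASSWORD_CSV_HEADER.search(lines[0]):
        findings.append(Finding(path, 1, "plaintext_password_csv"))
    return findings


def push_protection(staged):
    """Return (allowed, findings). The push is refused when anything is found."""
    findings = []
    for path, text in staged.items():
        findings.extend(scan_file(path, text))
    return (not findings, findings)


# Constructed sample of what a staged commit might contain. File names mirror
# those reported on the page; the contents are placeholders, not real secrets.
STAGED = {
    "importantAWStokens": (
        "# constructed sample, not real credentials\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "AWS-Workspace-Firefox-Passwords.csv": (
        "url,username,password\n"
        "https://intranet.example,admin,placeholder-not-a-real-password\n"
    ),
    "README.md": "Notes on syncing dotfiles between machines.\n",
}

if __name__ == "__main__":
    allowed, hits = push_protection(STAGED)
    print("push allowed:", allowed)
    for hit in hits:
        print(f"  {hit.path}:{hit.line}  {hit.rule}")
```

Wired into a pre-push hook, a check like this refuses the push outright; the point of the article is that the equivalent guardrail was available and deliberately switched off, so no such refusal ever happened.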
Philippe Caturegli, founder of the cybersecurity firm Seralys, examined the exposed AWS keys solely to confirm their validity and map the privilege boundaries attached to them. His analysis confirmed that the credentials granted unhindered, high-privilege administrative access to three distinct AWS GovCloud environments. The archive also exposed credentials for CISA’s internal artifact repository, a centralized vault hosting custom software build packages. Security architects warn that such a repository is a prime target for supply-chain adversaries, since unauthorized access would let a threat actor inject malicious code directly into the software builds deployed across federal infrastructure.
Caturegli deduced that the repository functioned not as a structured, formal engineering workspace, but rather as an ad-hoc personal directory utilized to synchronize configuration files across heterogeneous physical endpoints. This hypothesis is supported by the simultaneous presence of an official CISA identity marker and a personal email address within the metadata.
CISA has formally acknowledged the exposure and says a comprehensive internal forensic review is underway. A spokesperson for the agency stated that current telemetry shows no indicators of active compromise or downstream exploitation stemming from the exposure. The agency pledged to implement stronger systemic controls to prevent similar configuration regressions.
According to investigative findings published by KrebsOnSecurity, the repository was maintained by an embedded engineer employed by Nightwing, a prominent defense and federal intelligence contractor. Nightwing declined to comment, redirecting all media inquiries to CISA. Although the repository was abruptly deleted following coordinated disclosures from KrebsOnSecurity and Seralys, Caturegli verified that the exposed AWS GovCloud credentials remained active and operational for an additional forty-eight hours after notification.
CISA has remained silent regarding the precise temporal window of the exposure. However, historical repository telemetry harvested by Seralys indicates that Private-CISA was initialized on November 13, 2025, while the contractor’s GitHub identity profile had been actively staging code since September 2018.
The exposed files further revealed a systemic reliance on weak, easily guessable passwords across several internal systems; multiple credentials were simply the platform’s name followed by the current calendar year. Caturegli emphasized that such trivial practices create serious hazards even without public web exposure, since sophisticated adversaries routinely harvest weak local credentials to move laterally and escalate privileges once an initial foothold inside an enterprise network is secured.
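A password that is just the platform name plus the year is easy for a defender to catch in a routine credential audit. The following is an added example written for this article, not code from Seralys or CISA: it normalises each password (stripping separators and trailing punctuation, ignoring case) and flags those that are exactly a known platform name joined to a year, going slightly beyond the page’s observation by also catching the reversed order, two-digit years, and passwords that merely contain the platform name. The platform names and credential rows are constructed samples; the `LZ-DSO` name is taken from the page but the credentials attached to it here are placeholders.

```python
import re
from datetime import date

# Separators and punctuation that users typically wrap around a base word.
SEPARATORS = re.compile(r"[\s_\-.@!#$%*]+")


def normalize(value):
    """Lower-case and strip separators so 'LZ-DSO_2025!' becomes 'lzdso2025'."""
    return SEPARATORS.sub("", value).lower()


def default_years(today=None):
    """Years an audit should consider: a few past years plus next year."""
    year = (today or date.today()).year
    return {str(y) for y in range(year - 5, year + 2)}


def weakness_reasons(password, platform_names, years=None):
    """Return the reasons a password is weak under the name+year heuristic."""
    years = years if years is not None else default_years()
    years = years | {y[-2:] for y in years}  # also accept two-digit years
    norm = normalize(password)
    reasons = []
    for name in platform_names:
        n = normalize(name)
        if not n:
            continue
        if any(norm == n + y or norm == y + n for y in years):
            reasons.append("platform_name_plus_year")
            break
        if n in norm:
            reasons.append("contains_platform_name")
            break
    return reasons


def audit_credentials(rows, platform_names, years=None):
    """rows: (platform, username, password). Returns flagged (platform, username, reasons)."""
    flagged = []
    for platform, username, password in rows:
        reasons = weakness_reasons(password, set(platform_names) | {platform}, years)
        if reasons:
            flagged.append((platform, username, reasons))
    return flagged


# Constructed sample credential export; none of these are real.
PLATFORMS = ["LZ-DSO", "artifactory", "vpn"]
ROWS = [
    ("LZ-DSO", "svc_build", "LZDSO2025!"),
    ("artifactory", "admin", "Artifactory-2025"),
    ("artifactory", "deploy", "MyArtifactoryPw"),
    ("vpn", "alice", "correct horse battery staple"),
]

if __name__ == "__main__":
    for platform, user, reasons in audit_credentials(ROWS, PLATFORMS, years={"2025"}):
        print(f"{platform}/{user}: {', '.join(reasons)}")
```

Run against a password vault export during an onboarding or annual review, the heuristic surfaces exactly the pattern the article describes before an attacker with a foothold gets to guess it.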
This security failure presents an exceptionally poignant institutional irony for CISA, an agency explicitly mandated to safeguard the nation’s critical infrastructure and routinely tasking external organizations with correcting identical operational oversights. The crisis unfolds amidst severe institutional contraction; since the transition of the executive administration, CISA has bled approximately one-third of its total human capital due to an accumulation of accelerated retirements, structured buyouts, and sweeping federal workforce reductions.