CISA contractor exposed AWS GovCloud root keys on public GitHub for six months
A Nightwing employee leaked administrative credentials to federal cybersecurity infrastructure, raising questions about secrets management practices at a time when the agency has lost nearly a third of its staff.
A contractor working for the Cybersecurity and Infrastructure Security Agency exposed highly privileged AWS GovCloud credentials and internal system passwords in a public GitHub repository for six months, one of the most significant government data leaks in recent history.
GitGuardian researcher Guillaume Valadon discovered the exposure on 15 May 2026, finding a repository titled ‘Private-CISA’ that contained administrative keys to three AWS GovCloud servers, plaintext passwords to dozens of internal CISA systems, and access credentials to the agency’s secure code development environment. The repository, created by a Nightwing employee on 13 November 2025, remained public until its removal over the weekend of 17–18 May, per Krebs on Security.
The exposed files included ‘importantAWStokens’, containing GovCloud administrative credentials, and ‘AWS-Workspace-Firefox-Passwords.csv’, a browser password export listing plaintext usernames and passwords for internal CISA systems. Among the compromised infrastructure was ‘LZ-DSO’ (Landing Zone DevSecOps), the agency’s secure code development environment used to build and deploy cybersecurity tools distributed across federal agencies, according to Gizmodo.
Systematic security failures
The leak exposed multiple layers of poor security hygiene. The contractor disabled GitHub’s push protection, which is on by default for public repositories and blocks pushes containing detected secrets such as SSH private keys and cloud access keys; even when enabled, it only catches known secret formats, so a CSV of plaintext passwords would not necessarily have been stopped. Many credentials used easily guessed passwords following a pattern of the platform name followed by the current year. Security researchers found evidence the contractor had been using the public GitHub repository to synchronize files between work and home computers since the repository’s creation.
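The two failures described above, AWS key material committed to a text file and a password export full of name-plus-year passwords, are exactly what a pre-commit secrets check is meant to catch. The following is an added example written for this article, not GitGuardian’s, GitHub’s or Nightwing’s tooling. It scans an in-memory file tree for AWS access key IDs and secret keys and flags passwords shaped like ‘Jira2025!’, with a stronger signal when the word matches the site’s hostname. The file names mirror those in the article, but their contents are constructed; the AWS key pair is the placeholder AWS uses in its own documentation.

```python
"""Pre-commit style secrets scanner (added example, not the article's or any vendor's code)."""
import csv
import io
import re
from urllib.parse import urlparse

# Long-term AWS access key IDs are "AKIA" + 16 upper-case alphanumerics; temporary
# (STS) ones start with "ASIA". GovCloud key IDs use the same format.
AWS_ACCESS_KEY_ID = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
# A 40-character secret sitting next to a label that names it.
AWS_SECRET_KEY = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\W{0,3}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def year_pattern(years):
    """Regex for passwords shaped like 'Jira2025' or 'GitLab2026!'."""
    alt = "|".join(str(y) for y in years)
    return re.compile(rf"^(?P<platform>[A-Za-z]{{3,20}})(?P<year>{alt})[!@#$%^&*.]{{0,2}}$")


def scan_text(path, text):
    """Findings for AWS key material anywhere in a text file (secret value redacted)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append({"path": path, "line": lineno, "kind": "aws_access_key_id", "value": m.group(1)})
        for m in AWS_SECRET_KEY.finditer(line):
            findings.append({"path": path, "line": lineno, "kind": "aws_secret_access_key",
                             "value": m.group(1)[:4] + "..."})
    return findings


def scan_password_csv(path, text, years):
    """Flag weak passwords in a browser-style export with url,username,password columns.

    'word_plus_year' is the generic shape; 'platform_plus_year' is the stronger case
    where the word is the first label of the site's hostname (e.g. 'jira' for jira.example.gov).
    """
    pat = year_pattern(years)
    findings = []
    for lineno, row in enumerate(csv.DictReader(io.StringIO(text)), 2):  # line 1 is the header
        m = pat.match((row.get("password") or "").strip())
        if not m:
            continue
        host = urlparse(row.get("url", "")).hostname or ""
        label = host.split(".")[0].lower()
        kind = "platform_plus_year" if label and m["platform"].lower() == label else "word_plus_year"
        findings.append({"path": path, "line": lineno, "kind": kind, "value": row.get("username", "")})
    return findings


def scan_tree(files, years):
    """files: {path: text}. A pre-commit hook would reject the commit when this is non-empty."""
    findings = []
    for path, text in files.items():
        findings += scan_text(path, text)
        lines = text.splitlines()
        if path.lower().endswith(".csv") and lines and "password" in lines[0].lower():
            findings += scan_password_csv(path, text, years)
    return findings


# Constructed sample tree. The key pair is AWS's documentation placeholder, not a real credential.
SAMPLE_TREE = {
    "importantAWStokens": (
        "[govcloud-admin]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "AWS-Workspace-Firefox-Passwords.csv": (
        "url,username,password\n"
        "https://jira.example.gov,jdoe,Jira2025!\n"
        "https://confluence.example.gov,jdoe,Welcome2026\n"
        "https://vault.example.gov,jdoe,Tr0ub4dor&3\n"
    ),
    "README.md": "Sync notes between work and home.\n",
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_TREE, years=(2025, 2026)):
        print(f"{f['path']}:{f['line']}: {f['kind']} ({f['value']})")
```

Run against the sample tree it reports four findings: the key ID and the secret in ‘importantAWStokens’ and two weak passwords in the CSV, while the random-looking third password passes. The year list is passed in rather than derived from the clock so results are reproducible; in a real hook you would feed it the current and neighbouring years.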
“This is indeed the worst leak that I’ve witnessed in my career. It is obviously an individual’s mistake, but I believe that it might reveal internal practices.”
— Guillaume Valadon, researcher at GitGuardian
Philippe Caturegli, founder of security consultancy Seralys, told Krebs on Security that the compromised DevSecOps environment represented a critical supply chain vulnerability. “That would be a prime place to move laterally. Backdoor in some software packages, and every time they build something new they deploy your backdoor left and right.”
AWS GovCloud (US) operates as an isolated partition specifically designed for U.S. government workloads; it is FedRAMP High authorized and assessed against the DoD Cloud Computing Security Requirements Guide. Root user access keys of the kind described grant unrestricted access to every resource in the account and, unlike IAM user or role credentials, cannot be limited by IAM policies, which is why AWS advises against creating them at all, per AWS documentation.
Staffing collapse as context
The incident coincides with significant operational strain at CISA. The agency has lost nearly a third of its workforce since the beginning of the second Trump administration and currently operates at a fraction of its normal budget and staffing levels. This contraction has increased reliance on contractors like Nightwing, a Dulles, Virginia-based firm, to maintain critical infrastructure.
CISA coordinates cybersecurity defence across federal civilian agencies and provides threat intelligence to critical infrastructure operators. The agency’s DevSecOps environment is used to develop and deploy security tools that flow downstream to agencies across the federal government. A compromise at this level could enable supply chain attacks affecting multiple federal systems.
The exposed credentials remained valid for 48 hours after the repository was taken down, extending the window for potential exploitation. CISA issued a statement claiming “there is no indication that any sensitive data was compromised as a result of this incident,” though the agency did not detail what forensic analysis supported this conclusion or whether all potentially exposed systems had been audited.
Contractor accountability gaps
Nightwing, formed in 2023 as a spinoff of Raytheon’s intelligence and cyber operations, maintains contracts across multiple federal agencies. The contractor’s use of a public repository for internal credential storage represents a fundamental violation of government security protocols, and the incident raises questions about oversight mechanisms for verifying contractor compliance with security standards. Taken together, the exposure combined:
- Root AWS GovCloud credentials granting full environment access
- Plaintext passwords to internal CISA systems
- Access to secure code development infrastructure used across federal agencies
- Disabled GitHub push protection that would have blocked at least the push of the AWS keys
- Pattern of poor password hygiene suggesting systemic rather than isolated failure
The use of GitHub for synchronizing work materials between corporate and personal devices, as security researchers suspect, points to inadequate endpoint management and data loss prevention controls. For a contractor working with one of the federal government’s most security-sensitive agencies, such practices represent a significant deviation from expected security posture.
What to watch
CISA has not disclosed whether it will conduct a comprehensive audit of contractor access practices or implement additional controls around secrets management. The incident will likely accelerate calls for automated secrets scanning and zero-trust architecture across federal systems, though implementation faces headwinds from budget constraints and staffing reductions.
The question of whether foreign intelligence services or other adversaries accessed the exposed credentials during the six-month window remains unanswered. AWS CloudTrail records for the GovCloud account, which log every API call including those made with root credentials, should reveal whether unauthorized access occurred, provided a trail retained them beyond the 90-day console event history; CISA has not indicated plans to publish forensic findings. Federal agencies relying on CISA-developed security tools deployed from the compromised DevSecOps environment face an uncomfortable risk calculation: whether to assume supply chain integrity or initiate costly audits of deployed systems.
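The forensic question raised here, and by the 48-hour validity window noted earlier, comes down to reading CloudTrail for the account. The following is an added example, not CISA’s or AWS’s forensic process. It assumes the account’s management events were delivered to S3 by a trail and loaded as a list of dicts, and it triages them three ways: calls made with the leaked key IDs, calls made as the root user, and calls from outside a trusted network range, with IAM write actions that create persistence called out separately. The records, account ID, key IDs, IP ranges and exposure window are constructed placeholders.

```python
"""CloudTrail triage for leaked long-term credentials (added example, not the article's or CISA's process)."""
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# IAM write actions an intruder uses to outlive the original key (real IAM API names).
PERSISTENCE_ACTIONS = {
    "CreateAccessKey", "CreateUser", "CreateLoginProfile", "CreateRole",
    "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy",
    "UpdateAssumeRolePolicy",
}


def parse_time(ts):
    """CloudTrail eventTime is ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_trusted(ip, nets):
    """True/False for an IP address; None when sourceIPAddress is a service name such as cloudtrail.amazonaws.com."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return None
    return any(addr in n for n in nets)


def triage(records, leaked_key_ids, window_start, window_end, trusted_nets):
    """Summarise events inside [window_start, window_end] by the three signals above."""
    start, end = parse_time(window_start), parse_time(window_end)
    nets = [ip_network(n) for n in trusted_nets]
    leaked = set(leaked_key_ids)
    summary = {"leaked_key": [], "root": [], "untrusted_ip": [], "persistence": [], "source_ips": set()}
    for r in records:
        if not start <= parse_time(r["eventTime"]) <= end:
            continue
        ident = r.get("userIdentity", {})
        ip = r.get("sourceIPAddress", "")
        row = (r["eventTime"], r["eventName"], ip)
        if ident.get("accessKeyId") in leaked:
            summary["leaked_key"].append(row)
            summary["source_ips"].add(ip)
            if r.get("eventSource") == "iam.amazonaws.com" and r["eventName"] in PERSISTENCE_ACTIONS:
                summary["persistence"].append(row)
        if ident.get("type") == "Root":
            summary["root"].append(row)
        if in_trusted(ip, nets) is False:
            summary["untrusted_ip"].append(row)
    summary["source_ips"] = sorted(summary["source_ips"])
    return summary


# Constructed records in CloudTrail's field layout; account, keys and IPs are placeholders.
LEAKED_KEY_ID = "AKIAIOSFODNN7EXAMPLE"  # AWS documentation placeholder, not a real key


def _ev(time, name, source, ident_type, key_id, ip):
    return {
        "eventTime": time, "eventName": name, "eventSource": source, "awsRegion": "us-gov-west-1",
        "sourceIPAddress": ip,
        "userIdentity": {"type": ident_type, "accessKeyId": key_id, "accountId": "123456789012"},
    }


SAMPLE_RECORDS = [
    _ev("2025-11-10T09:00:00Z", "DescribeInstances", "ec2.amazonaws.com", "IAMUser", "AKIAEXAMPLENOTLEAKED", "10.0.0.5"),
    _ev("2025-12-02T03:14:00Z", "DescribeInstances", "ec2.amazonaws.com", "Root", LEAKED_KEY_ID, "198.51.100.7"),
    _ev("2026-01-15T22:41:00Z", "CreateAccessKey", "iam.amazonaws.com", "Root", LEAKED_KEY_ID, "198.51.100.7"),
    _ev("2026-03-01T12:00:00Z", "PutObject", "s3.amazonaws.com", "IAMUser", "AKIAEXAMPLENOTLEAKED", "10.0.0.5"),
    _ev("2026-05-17T10:05:00Z", "GetCallerIdentity", "sts.amazonaws.com", "Root", LEAKED_KEY_ID, "203.0.113.44"),
    _ev("2026-05-18T00:00:00Z", "StartLogging", "cloudtrail.amazonaws.com", "AWSService", None, "cloudtrail.amazonaws.com"),
]

if __name__ == "__main__":
    # Window: repository creation through 48 hours after the weekend takedown (assumed dates).
    s = triage(SAMPLE_RECORDS, {LEAKED_KEY_ID}, "2025-11-13T00:00:00Z", "2026-05-20T00:00:00Z", ["10.0.0.0/8"])
    for k in ("leaked_key", "root", "untrusted_ip", "persistence"):
        print(k, len(s[k]))
    print("source IPs using leaked key:", s["source_ips"])
```

On the sample data the pre-window event is ignored, the three leaked-key calls are all root calls from two untrusted addresses, and the CreateAccessKey call stands out as persistence that survives rotating the leaked key, which is the check an incident responder would make before accepting a ‘no indication of compromise’ conclusion. The service-initiated record exercises the non-IP sourceIPAddress path.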
Congressional oversight committees will need to examine whether CISA’s workforce reductions contributed to lax contractor oversight and whether current contractor vetting processes are adequate for personnel with access to root credentials on federal infrastructure. The incident demonstrates that secrets management failures at the contractor level can compromise the security foundation of the entire federal cybersecurity apparatus.