
CISA Contractor Exposed AWS GovCloud Credentials for Six Months, Triggering Congressional Inquiry

A federal contractor's public GitHub repository leaked administrative credentials and internal system documentation, exposing critical infrastructure protection gaps amid agency workforce reductions.

A contractor working for the Cybersecurity and Infrastructure Security Agency left highly privileged AWS GovCloud credentials, plaintext passwords, and sensitive infrastructure documentation exposed in a public GitHub repository for six months, prompting urgent congressional oversight requests and raising fundamental questions about federal third-party risk management.

The Private-CISA repository remained publicly accessible from November 13, 2025 until May 15-16, 2026, exposing 844 MB of data including administrative credentials for three AWS GovCloud environments, according to CSO Online. Commit logs in the repository show that the contractor, linked to Nightwing government services, deliberately disabled GitHub’s built-in secret-scanning protection, a feature designed to block credential uploads.

Exposure Timeline
Public exposure duration: 6 months
Data volume: 844 MB
Valid credentials after takedown: 48 hours
CISA workforce reduction: -33%

The exposed files included a CSV file of plaintext passwords (AWS-Workspace-Firefox-Passwords.csv), credentials for CISA’s Landing Zone DevSecOps environment, and access to an internal Artifactory repository used in software build pipelines. More concerning, the credentials remained valid for 48 hours after the repository was taken offline, leaving an extended window in which nation-state actors could have used them, per KrebsOnSecurity.
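What the disabled control looks for, as an added illustration that is not code from the article, from GitHub or GitGuardian, or from the contractor's repository: a minimal pre-commit secret check that refuses a commit when staged files contain an AWS access key ID, an AWS secret access key, or a CSV column holding passwords in the clear. The sample files, paths and values are constructed; the key values are AWS's published documentation examples, not live credentials.

```python
"""Added example (not code from the article, GitHub, GitGuardian or the
contractor): a client-side secret check of the kind GitHub's secret scanning
performs server-side. It refuses a commit when staged content contains an AWS
access key ID, an AWS secret access key, or a CSV column of plaintext
passwords. Sample files below are constructed; key values are AWS's public
documentation examples, not real credentials."""
from __future__ import annotations

import csv
import io
import re
import subprocess
import sys
from dataclasses import dataclass

# AWS access key IDs: a 4-char prefix (AKIA = long-term IAM user key, ASIA =
# temporary STS key) followed by 16 upper-case alphanumerics, 20 chars total.
AWS_ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A 40-char value assigned to a variable named like an AWS secret access key.
AWS_SECRET_KEY = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})")
# CSV header names that indicate a column of secrets.
SECRET_COLUMN = re.compile(r"(?i)\b(?:pass(?:word|wd|phrase)?|secret|token)\b")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    excerpt: str  # redacted; the hook must never echo the full secret


def redact(value: str) -> str:
    """Keep just enough of the value to locate it, never enough to use it."""
    return f"{value[:4]}...{value[-2:]}" if len(value) > 8 else "***"


def scan_csv(path: str, text: str) -> list[Finding]:
    """Flag non-empty cells under password/secret/token-style headers."""
    rows = csv.reader(io.StringIO(text))
    header = next(rows, None)
    if not header:
        return []
    secret_cols = [i for i, name in enumerate(header) if SECRET_COLUMN.search(name)]
    found = []
    for rowno, row in enumerate(rows, start=2):  # header was line 1
        for i in secret_cols:
            if i < len(row) and row[i].strip():
                kind = f"plaintext_{header[i].strip().lower()}"
                found.append(Finding(path, rowno, kind, redact(row[i])))
    return found


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's content line by line; CSVs also get the column check."""
    found = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            found.append(Finding(path, lineno, "aws_access_key_id", redact(m.group(0))))
        for m in AWS_SECRET_KEY.finditer(line):
            found.append(Finding(path, lineno, "aws_secret_access_key", redact(m.group(1))))
    if path.lower().endswith(".csv"):
        found.extend(scan_csv(path, text))
    return found


def check_staged(files: dict[str, str]) -> tuple[bool, list[Finding]]:
    """Return (ok, findings); ok is False when anything must block the commit."""
    findings = [f for path, text in files.items() for f in scan_text(path, text)]
    return (not findings, findings)


def staged_files_from_git() -> dict[str, str]:
    """Read the index (staged) version of added/copied/modified files."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        check=True, capture_output=True, text=True).stdout.split()
    return {n: subprocess.run(["git", "show", f":{n}"], check=True, capture_output=True,
                              text=True, errors="replace").stdout for n in names}


# Constructed sample "staged" files for offline runs; no real credentials.
SAMPLE_FILES = {
    "terraform/main.tf": 'provider "aws" { region = "us-gov-west-1" }\n',
    "scripts/env.sh": (
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "Workspace-Firefox-Passwords.csv": (
        "url,username,password\n"
        "https://portal.example.gov,svc-admin,CorrectHorseBatteryStaple\n"
    ),
}


if __name__ == "__main__":
    # As .git/hooks/pre-commit it reads the index; with --sample it runs offline
    # over the constructed files above and exits non-zero on any finding.
    files = SAMPLE_FILES if "--sample" in sys.argv else staged_files_from_git()
    ok, findings = check_staged(files)
    for f in findings:
        print(f"{f.path}:{f.line}: {f.kind} ({f.excerpt})", file=sys.stderr)
    sys.exit(0 if ok else 1)
```

Run with `--sample` to see the three findings (the two AWS values and the password column); installed as a pre-commit hook it blocks the commit instead. A local hook can itself be bypassed by whoever owns the machine, which is why the server-side scanning the article describes matters: the two controls only hold together.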

Congressional Pressure Mounts

Rep. Bennie Thompson (D-MS), Ranking Member of the House Homeland Security Committee, and Rep. Delia Ramirez (D-IL), Ranking Member of the Cyber Subcommittee, formally requested a briefing on May 20, 2026, explicitly linking the breach to organizational capacity failures. Their letter stated that “a substantially reduced workforce, coupled with the administration’s indifference to security, created the conditions that allowed such a significant security lapse to occur,” according to Nextgov.

Sen. Maggie Hassan (D-NH) separately requested an urgent classified briefing from Acting CISA Director Nick Andersen before June 5, 2026, noting that “this reported incident raises serious questions about how such a security lapse could occur at the very agency charged with helping to prevent cyber breaches.” The Senate request, delivered May 19-20, demands details on CISA’s internal policies and procedures, as reported by Axios.

“Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature. It’s the worst leak that I’ve witnessed in my career.”

— Guillaume Valadon, Researcher, GitGuardian

Contractor Vetting Gaps Surface

The incident exposes fundamental weaknesses in federal third-party risk management frameworks. While the General Services Administration introduced mandatory Controlled Unclassified Information compliance requirements on January 5, 2026—requiring all federal contractors to implement NIST SP 800-171 controls—the framework contains no mechanism for preventing individual developers from committing secrets to personal GitHub accounts, according to Holland & Knight.

The contractor’s decision to disable GitHub’s secret-scanning feature represents a deliberate circumvention of technical safeguards. Security researcher Guillaume Valadon of GitGuardian, who discovered the exposure, characterized it as “the worst leak that I’ve witnessed in my career,” noting the potential for state actors to gain persistence and conduct supply-chain attacks.

13 Nov 2025: Repository Goes Public. The Private-CISA GitHub repository becomes publicly accessible with 844 MB of sensitive data.
5 Jan 2026: GSA CUI Requirements Take Effect. The mandatory compliance framework for federal contractors requires NIST SP 800-171 controls.
14-15 May 2026: Breach Discovered. A GitGuardian researcher identifies the exposed credentials; CISA is notified.
15-16 May 2026: Repository Taken Offline. The GitHub repository is removed, but the credentials remain valid for 48 additional hours.
20 May 2026: Congressional Briefings Requested. House Democrats and Sen. Hassan demand urgent classified briefings.

Agency Under Pressure

The breach occurred as CISA lost approximately one-third of its workforce since January 2025—from roughly 3,400 to 2,400 employees—through voluntary buyouts, early retirements, and resignations under budget pressure, according to Axios. Thompson and Ramirez explicitly cited these workforce reductions as contributing factors in their briefing request, arguing the incident “undermines CISA’s credibility.”

CISA released a statement indicating “no current indication that any sensitive data was compromised,” but acknowledged that access log analysis and forensic reconstruction remain incomplete. The agency’s reduced operational capacity raises questions about its ability to conduct comprehensive breach assessments while maintaining core infrastructure protection missions.

Robert Enderle of the Enderle Group told CSO Online that “leaving credentials exposed in a public GitHub repository is akin to leaving the master keys to the nation’s cyber defenses on a public park bench.” Had the credentials been leveraged by nation-state actors, it “could have facilitated a massive supply chain attack or deep infiltration into critical government systems.”

Background

Nightwing, the contractor linked to the exposure, settled a Justice Department investigation in 2025 for $8.4 million over cybersecurity compliance failures on separate federal contracts. The firm provides cloud infrastructure and DevSecOps services to multiple federal agencies, according to Biometric Update. The settlement predates the GitHub exposure by several months, raising questions about contractor oversight continuity.

Legislative Response Taking Shape

The congressional requests signal potential legislative action on federal contractor cybersecurity standards. Current frameworks—including FAR 52.204-21 and NIST SP 800-171—establish baseline security requirements but lack technical enforcement mechanisms for individual developer behavior. The GSA’s January 2026 CUI requirements represent the most recent attempt to strengthen contractor compliance, but implementation remains uneven across agencies.

Philippe Caturegli, founder of Seralys cybersecurity consultancy, told KrebsOnSecurity that the incident carries special significance because “it’s CISA”—the agency responsible for coordinating federal cybersecurity policy and providing technical assistance to other agencies. The exposure undermines the agency’s authority to enforce security standards it failed to maintain internally.

CyberScoop notes the incident follows a pattern of recent CISA security lapses, including a ChatGPT data breach in 2024 and unauthorized access to a chemical plant security tool, raising questions about systemic governance failures rather than isolated incidents.

What to Watch

Congressional classified briefings scheduled before June 5 will determine whether legislative action targets contractor vetting standards, CISA’s operational capacity, or both. The House Homeland Security Committee’s explicit linkage of the breach to workforce reductions positions the incident as a test case for administration cybersecurity policy.

Federal agencies face immediate pressure to audit contractor GitHub access and implement technical controls preventing personal repository use for government work. The GSA CUI framework, effective since January, may face accelerated enforcement or expansion to include developer-level activity monitoring.
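One form such a technical control can take, as an added example that is not part of the article and not any agency's own tooling: a git pre-push hook that allows pushes only to remotes under an approved host or organization, so agency work cannot be pushed to a personal GitHub account even by accident. The approved names below are assumed placeholders.

```python
"""Added example, not code from the article or from any agency: a git pre-push
hook that refuses to push to any remote outside an approved set of hosts and
organizations. The approved names are assumed placeholders."""
from __future__ import annotations

import re
import sys
from typing import Iterable, Optional

# Assumed placeholders: an organization on github.com and an internal git host.
APPROVED_REMOTES = ("github.com/example-agency-org", "git.example-agency.gov")

# URL forms: https://host/org/repo.git, ssh://git@host:22/org/repo.git, git+ssh://...
_URL_FORM = re.compile(r"^[a-z][a-z0-9+.-]*://(?:[^@/]+@)?([^/:]+)(?::\d+)?/(.+)$")
# scp-like form used by ssh remotes: git@host:org/repo.git
_SCP_FORM = re.compile(r"^(?:[\w.-]+@)?([\w.-]+):(.+)$")


def normalize_remote(url: str) -> Optional[str]:
    """Return 'host/org/repo' (host lower-cased, no .git) or None if not parseable."""
    m = _URL_FORM.match(url) or _SCP_FORM.match(url)
    if not m:
        return None  # local paths and anything unrecognised are rejected by default
    host, path = m.group(1).lower(), m.group(2).strip("/")
    if path.endswith(".git"):
        path = path[:-4]
    return f"{host}/{path}"


def remote_is_approved(url: str, approved: Iterable[str] = APPROVED_REMOTES) -> bool:
    """True only if the remote is an approved host or lives under an approved org.
    The trailing '/' stops a look-alike such as 'example-agency-org-2'."""
    norm = normalize_remote(url)
    if norm is None:
        return False
    return any(norm == a or norm.startswith(a.rstrip("/") + "/") for a in approved)


def main(argv: list[str]) -> int:
    # git runs .git/hooks/pre-push as: pre-push <remote-name> <remote-url>
    if len(argv) < 3:
        print("usage: pre-push <remote-name> <remote-url>", file=sys.stderr)
        return 2
    if remote_is_approved(argv[2]):
        return 0
    print(f"pre-push: refusing push to unapproved remote {argv[2]!r}", file=sys.stderr)
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The hook is a local guard rail, so it belongs alongside organization-level controls (enterprise-managed accounts, forbidding personal tokens on work machines); on its own it only stops mistakes, not a user who removes it.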

Forensic analysis of AWS access logs remains incomplete. If evidence emerges of unauthorized access during the six-month exposure window, particularly from nation-state IP ranges, the incident escalates from governance failure to active compromise with potential supply-chain implications across federal infrastructure.