Technology · 7 min read

CISA Exposed AWS Keys and Plaintext Passwords on GitHub for Six Months

America's cybersecurity agency left 844 MB of sensitive credentials in a public repository while its workforce shrank by a third and leadership remained vacant.

The Cybersecurity and Infrastructure Security Agency left administrative credentials for federal cloud infrastructure exposed in a public GitHub repository for six months, creating attack surface for adversaries during a period of severe institutional decline. A contractor-maintained repository named ‘Private-CISA’ sat openly accessible from 13 November 2025 until security researcher Guillaume Valadon discovered it on 14 May 2026.

Exposure Timeline
  • Repository created: 13 Nov 2025
  • Discovery date: 14 May 2026
  • Exposure window: 182 days
  • Data volume: 844 MB

The repository contained administrative access credentials for three AWS GovCloud accounts, plaintext passwords for dozens of internal CISA systems stored in a file literally named ‘AWS-Workspace-Firefox-Passwords.csv’, API tokens, SSH keys, and CI/CD logs, according to Krebs on Security. The contractor who created the repository deliberately disabled GitHub’s default secret-scanning protection—a feature designed to block exactly this type of credential exposure.

“Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature. I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I’ve witnessed in my career.”

— Guillaume Valadon, Security Researcher, GitGuardian

Operational Security Collapse

The exposure reveals catastrophic failures in basic security hygiene at the agency charged with protecting America’s critical infrastructure. According to reporting, the repository was taken offline within 26 hours of discovery on 15 May, but the exposed AWS keys remained valid for an additional 48 hours—a credential rotation delay that extended the attack window even after CISA knew about the breach.

The repository’s contents exposed attack vectors across CISA’s technology stack. Files included Kubernetes manifests, GitHub tokens, IAM configuration data, and detailed CI/CD logs that mapped internal build processes, per Dark Reading. Philippe Caturegli, founder of security consultancy Seralys, told Tech Marketer the exposure created opportunities for supply chain compromise: “That would be a prime place to move laterally. Backdoor in some software packages, and every time they build something new they deploy your backdoor left and right.”

Context

CISA operates a programme called Secret Sprawl that advises other federal agencies and private sector organisations on credential hygiene and secrets management. The agency’s own security practices now appear to fall dramatically short of the standards it promotes externally.

The repository was maintained by Nightwing, a CISA contractor, but commit metadata shows mixed identity patterns—some commits used the contractor’s official email address while others used a personal Yahoo email account, according to The Register. This suggests either poor access control or the use of personal credentials in government contractor work.

Institutional Strain

The breach occurred during a period of severe organisational disruption at CISA. The agency has been without a permanent director since 20 January 2025, when Jen Easterly stepped down ahead of the Trump administration’s start. In the 16 months since, CISA’s workforce has shrunk from approximately 3,400 to 2,400 employees—a one-third reduction driven by cuts, furloughs, and layoffs, according to TechCrunch.

  • 20 Jan 2025: Leadership vacuum begins. Director Jen Easterly departs; no permanent replacement named.
  • 13 Nov 2025: Exposure window opens. Contractor creates the public ‘Private-CISA’ repository containing credentials.
  • 14 May 2026: Breach discovery. GitGuardian researcher finds the exposed repository after six months.
  • 20 May 2026: Congressional scrutiny. Senator Hassan requests a classified briefing on the incident.

Acting director Nick Andersen now faces congressional scrutiny. Senator Maggie Hassan (D-NH) requested an “urgent” classified briefing on the exposure on 20 May, stating in a letter that the incident “raises serious concerns regarding CISA’s internal policies and procedures at a time of significant Cybersecurity threats against U.S. critical infrastructure,” per Axios.

CISA spokesperson Marco DiSandro told TechCrunch that “currently, there is no indication that any sensitive data was compromised as a result of this incident.” That statement, issued before any forensic investigation could plausibly reconstruct six months of potential access by unknown parties, offers little assurance.

GovCloud Implications

The exposure of AWS GovCloud credentials carries particular significance. GovCloud regions are isolated AWS infrastructure designed specifically for sensitive government workloads, with enhanced security controls and compliance certifications. Administrative access to three such accounts would provide adversaries with visibility into federal systems and potentially enable lateral movement across connected infrastructure.

The irony is acute: CISA’s mandate includes advising federal agencies on cloud security and credential management through programmes like Secret Sprawl. The agency that tells others how to secure their credentials left its own exposed using basic security anti-patterns—plaintext passwords, disabled protections, obvious file naming—that would fail any competent security audit.
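The anti-patterns just listed are exactly what GitHub's secret scanning and push protection exist to catch. As an added illustration, not code from the article or from any CISA or GitGuardian tooling, the following minimal pre-push check flags AWS access key IDs, GitHub tokens, private keys and CSV files with a password column; the sample files it scans are constructed for the demo (the key ID is AWS's own documented example value).

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample repository contents for the demo (not the leaked data):
# a CI env file carrying an AWS access key ID and a CSV of plaintext logins
# named in the style the article describes.
SAMPLE_FILES = {
    "ci/deploy.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nAWS_REGION=us-gov-west-1\n",
    "AWS-Workspace-Firefox-Passwords.csv": "url,username,password\n"
                                           "https://intranet.example,admin,Winter2025!\n",
    "README.md": "# Build notes\nRun make deploy after the tests pass.\n",
}

# Token formats that should never appear in a commit; each has a fixed prefix.
RULES = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
PASSWORD_COLUMNS = {"password", "pass", "passwd", "pwd"}

@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str

def scan_file(path: str, text: str) -> list[Finding]:
    """Return every secret-shaped hit in one file; line numbers are 1-based."""
    hits = []
    lines = text.splitlines()
    for lineno, line in enumerate(lines, 1):
        for rule, pattern in RULES.items():
            if pattern.search(line):
                hits.append(Finding(path, lineno, rule))
    # A CSV whose header has a password column is a plaintext credential store,
    # whatever the individual values look like, so flag it on the header alone.
    if path.lower().endswith(".csv") and lines:
        header = {c.strip().lower() for c in lines[0].split(",")}
        if header & PASSWORD_COLUMNS:
            hits.append(Finding(path, 1, "plaintext-password-csv"))
    return hits

def scan_repo(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_file(path, text)]

def should_block_push(files: dict[str, str]) -> bool:
    """True when any finding exists; a pre-push hook would exit non-zero here."""
    return bool(scan_repo(files))
```

Run as a pre-push hook, `should_block_push` refuses the push and the findings tell the developer which file and line to clean before retrying.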

Key Takeaways
  • Six-month exposure window (November 2025 to May 2026) gave potential adversaries extended access to federal cloud credentials
  • Contractor deliberately disabled GitHub’s built-in secret detection, bypassing default protections
  • Credential rotation lagged 48 hours after repository takedown, extending vulnerability window
  • One-third workforce reduction and 16-month leadership vacuum coincide with catastrophic operational security failure
  • Congressional oversight now examining whether CISA can fulfill its critical infrastructure protection mission

What to Watch

CISA has not publicly disclosed whether forensic analysis found evidence of credential use by unauthorised parties during the six-month window. Any such investigation faces significant challenges: by default, AWS CloudTrail event history retains only 90 days of API activity, so unless a trail was configured to deliver logs to durable storage, the first three months of potential exposure may have no audit trail.

The congressional briefing requested by Senator Hassan will test whether CISA can account for the scope of potential compromise and explain the systemic failures that allowed a contractor to publish sensitive credentials with basic protections disabled. The answers will determine whether the agency’s operational security collapse is seen as an isolated incident or evidence of deeper institutional dysfunction.

The credential exposure also raises questions about third-party risk management across federal agencies. If a CISA contractor could publish government cloud keys to the open internet for six months without detection, similar exposures may exist elsewhere in the federal technology supply chain. Other agencies now face pressure to audit their own contractor access controls and GitHub repository configurations.

For adversaries targeting US infrastructure, the incident provides a roadmap: federal contractor repositories, inadequate monitoring of public code platforms, and extended windows between exposure and detection. Whether this breach was exploited may never be conclusively determined, but the attack surface it created was real, documented, and available to anyone who looked.