CISA Exposes AWS GovCloud Credentials on Public Admin GitHub
Highly sensitive U.S. government cloud credentials are now publicly exposed, the result of a significant security lapse. A contractor working with the Cybersecurity and Infrastructure Security Agency (CISA) accidentally published these details in a public GitHub repository.
The repository, named “Private-CISA,” remained publicly accessible until mid-May 2026 and contained a wide range of sensitive data, including AWS GovCloud credentials, plaintext passwords, API tokens, and internal system details.
Security researchers warn that this incident could rank among the most serious government-related data exposures in recent years.
Guillaume Valadon, a researcher at GitGuardian, first identified the issue. GitGuardian continuously scans public repositories for exposed secrets.
According to Valadon, the repository contained “extremely sensitive” information, and attempts to alert the owner went unanswered at first.
The findings were later shared with KrebsOnSecurity, prompting further investigation.
GovCloud Credentials Exposed
Analysis revealed that the repository included administrative credentials for at least three AWS GovCloud environments, which are specifically designed to handle sensitive U.S. government workloads.

In addition, a file named “AWS-Workspace-Firefox-Passwords.csv” exposed dozens of plaintext usernames and passwords tied to internal CISA systems, including a DevSecOps environment referred to as “LZ-DSO.”
Philippe Caturegli, founder of security consultancy Seralys, confirmed that some of the exposed AWS credentials were still valid at the time of discovery and provided high-level access.
He noted that the repository also contained credentials for CISA’s internal “artifactory,” a centralized system for storing and distributing software components.
This type of access could allow attackers to insert malicious code into software pipelines.
For example, if a threat actor compromised the artifactory, they could embed backdoors into legitimate software updates, potentially affecting multiple systems during deployment.
Researchers also highlighted poor security practices within the repository. Sensitive data was stored in plain text, and GitHub’s built-in secret scanning protections had been deliberately turned off.
Commit logs suggest the repository may have been used as a personal workspace or a file synchronization tool rather than as a secure development project.
“The patterns indicate this was likely used to sync files between different machines, possibly a work and home environment,” Caturegli explained. “But that doesn’t reduce the severity; it actually makes it worse.”
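A minimal local check for the two kinds of material the repository held, AWS key pairs and a browser password export in CSV form, of the sort that can run before a commit when hosted secret scanning is switched off. It is an added example, not code from the article, GitGuardian or CISA; the rule names, the `scan_files` helper and the sample files are constructed for illustration.

```python
import csv
import io
import re

# AWS access key IDs: long-term keys start with AKIA, temporary ones with ASIA,
# followed by 16 upper-case alphanumerics.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# A 40-character value assigned to a name containing "secret".
AWS_SECRET = re.compile(
    r"(?i)secret[\w-]*\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")
# Column names used by browser password exports and hand-made credential sheets.
PASSWORD_COLUMNS = {"password", "passwd", "pwd"}


def scan_text(path, text):
    """Return (path, line_no, rule) findings for one file's contents."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if AWS_KEY_ID.search(line):
            findings.append((path, no, "aws-access-key-id"))
        if AWS_SECRET.search(line):
            findings.append((path, no, "aws-secret-access-key"))
    if path.lower().endswith(".csv"):
        rows = list(csv.reader(io.StringIO(text)))
        # A password column plus at least one data row means stored credentials.
        if len(rows) > 1 and {c.strip().lower() for c in rows[0]} & PASSWORD_COLUMNS:
            findings.append((path, 1, "plaintext-password-csv"))
    return findings


def scan_files(files):
    """files: mapping of path -> text, e.g. the staged blobs of a commit."""
    out = []
    for path, text in sorted(files.items()):
        out.extend(scan_text(path, text))
    return out


# Constructed sample input; the key values are AWS's documented example pair.
SAMPLE = {
    "notes/deploy.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "exports/passwords.csv": '"url","username","password"\n'
                             '"https://portal.example","svc-build","not-a-real-password"\n',
    "README.md": "Build instructions only.\n",
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE):
        print("%s:%d: %s" % finding)
```

A non-empty result from `scan_files` is the signal to block the commit; any credential it finds in history should be rotated, since removing the file does not invalidate the key.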

KrebsOnSecurity reported that the exposed repository was linked to a contractor from Nightwing, a U.S.-based government services firm.
The account had been active since 2018, while the “Private-CISA” repository was created in November 2025.
Despite the repository being taken offline shortly after disclosure, the exposed AWS credentials reportedly remained valid for nearly 48 hours afterward, increasing the potential risk window.
CISA acknowledged the incident and stated that it is actively investigating. The agency noted there is currently no evidence of active exploitation but emphasized that additional safeguards are being implemented.
The exposure comes at a challenging time for CISA, which has reportedly lost a significant portion of its workforce due to budget cuts and restructuring.
Security experts warn that such operational pressures can increase the likelihood of misconfigurations and human error.
Overall, the incident underscores a critical lesson in cybersecurity: even highly sensitive environments can be compromised by basic mistakes such as poor credential management and unsafe development practices.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.


