A CISA contractor inadvertently exposed highly sensitive AWS GovCloud credentials and internal system details to the public through a GitHub repository, raising concerns over the exposure of sensitive government infrastructure credentials.
A Major Breach in Plain Sight

The exposure of CISA credentials began with a routine scan by GitGuardian, a security firm specializing in detecting leaked secrets in public code repositories. Guillaume Valadon, a researcher at the company, flagged a GitHub repository named “Private-CISA” that contained a vast trove of internal CISA/DHS credentials, cloud keys, and other sensitive assets. The repository, which was later taken down, reportedly included files detailing how CISA builds, tests, and deploys software internally. This level of exposure is rare and alarming, as it provides attackers with a roadmap to infiltrate critical infrastructure systems.
Valadon’s initial skepticism turned to concern after analyzing the repository’s contents. He noted that the commit logs revealed the CISA administrator had disabled GitHub’s default setting that blocks users from publishing SSH keys or other secrets in public repositories. This oversight, combined with the presence of plaintext passwords stored in a CSV file, created a textbook example of poor security hygiene. “I honestly believed that it was all fake before analyzing the content deeper,” Valadon wrote in an email. “This is indeed the worst leak that I’ve witnessed in my career.”
The breach highlights a critical gap in how organizations handle sensitive data. While GitHub and other platforms offer automated tools to detect and block leaks, the CISA administrator’s actions suggest a lack of awareness or enforcement of these safeguards. This raises serious concerns about whether similar vulnerabilities exist in other government agencies or private sector entities.
The Scope of the Exposed Data

Among the most alarming files in the “Private-CISA” repository was one titled “importantAWStokens,” which contained administrative credentials for three Amazon AWS GovCloud servers. These credentials grant high-level access to secure cloud environments used by federal agencies for handling sensitive data. Another file, “AWS-Workspace-Firefox-Passwords.csv,” listed plaintext usernames and passwords for dozens of internal CISA systems, including one called “LZ-DSO,” which appears to be the agency’s secure code development environment.
Philippe Caturegli, founder of the security consultancy Seralys, confirmed that the exposed AWS keys were still valid and could authenticate to three AWS GovCloud accounts at a high privilege level. He warned that the breach could allow attackers to access CISA’s internal “artifactory,” a repository of code packages used to build software. This would be a prime target for malicious actors seeking to implant backdoors into CISA systems. “Backdoor in some software packages, and every time they build something new they deploy your backdoor left and right,” Caturegli said.
The exposure of such credentials is particularly dangerous because it could enable attackers to move laterally within CISA networks, compromising not only the agency’s internal systems but also any external systems that rely on CISA’s infrastructure. This incident underscores the need for stricter access controls and continuous monitoring of code repositories to prevent similar breaches in the future.
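As an added illustration (not code from the article, GitGuardian, GitHub or CISA), the following is a minimal pre-push secret check in the spirit of the push-protection setting the article says was disabled: it flags AWS access key IDs, private-key headers and non-empty password columns in CSV files. It runs over constructed sample files whose names mirror those reported in the article; every value in them is fake and authenticates nowhere.

```python
import csv
import io
import re

# Generic patterns for secrets that are commonly committed by mistake.
# (Not taken from any scanner product; kept deliberately small.)
AWS_ACCESS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b")
PRIVATE_KEY_HEADER = re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----")
PASSWORD_COLUMNS = {"password", "passwd", "pwd"}


def scan_csv(path, text):
    """Flag rows of a CSV whose password-like column is non-empty."""
    reader = csv.DictReader(io.StringIO(text))
    cols = [c for c in (reader.fieldnames or []) if c.strip().lower() in PASSWORD_COLUMNS]
    findings = []
    for n, row in enumerate(reader, start=2):  # line 1 is the header
        if any((row.get(c) or "").strip() for c in cols):
            findings.append((path, f"plaintext-password:line{n}"))
    return findings


def scan_text(path, text):
    """Return (path, finding) tuples; key IDs are truncated in the finding."""
    findings = [(path, f"aws-access-key-id:{m.group(0)[:8]}...")
                for m in AWS_ACCESS_KEY_ID.finditer(text)]
    if PRIVATE_KEY_HEADER.search(text):
        findings.append((path, "private-key"))
    if path.lower().endswith(".csv"):
        findings.extend(scan_csv(path, text))
    return findings


def scan_files(files):
    """files: {path: text}. Returns all findings across the tree."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


def should_block_push(files):
    """Mirror push protection: refuse the push if anything was found."""
    return bool(scan_files(files))


# Constructed sample repository (fake values, hypothetical hostnames).
SAMPLE_REPO = {
    "importantAWStokens": "AWS_ACCESS_KEY_ID=AKIAEXAMPLEFAKE00001\n"
                          "AWS_SECRET_ACCESS_KEY=notARealSecretKeyJustAConstructedSampleXX\n",
    "AWS-Workspace-Firefox-Passwords.csv": "url,username,password\n"
                                           "https://portal.example.invalid/login,alice,Hunter2!\n"
                                           "https://intranet.example.invalid,bob,\n",
    "README.md": "# build notes\nRun make test before pushing.\n",
}

if __name__ == "__main__":
    for path, finding in scan_files(SAMPLE_REPO):
        print(path, finding)
```

Run as a pre-push hook over the staged files, a non-empty result is the signal to stop the push; the key ID is truncated in the finding so the check itself does not echo the secret into logs.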
The Human Factor Behind the Leak

While the technical aspects of the breach are concerning, the human element behind the leak is equally troubling. Caturegli observed that the GitHub repository used both a CISA-associated email address and a personal email address, suggesting that the repository may have been used across differently configured environments. This pattern indicates that the repository was likely used as a working scratchpad or synchronization mechanism rather than a curated project repository.
The use of multiple email addresses complicates the investigation, as it makes it harder to determine which endpoint or device was used to push the data to GitHub. However, the presence of both personal and official credentials in the same repository suggests a lack of separation between personal and professional workflows. This blurring of boundaries increases the risk of accidental leaks, especially when sensitive data is involved.
Security experts emphasize that while individual mistakes can lead to breaches, the lack of institutional safeguards exacerbates the problem. Organizations must ensure that employees are trained to recognize and avoid common security pitfalls, such as storing credentials in plaintext or disabling automated security tools. The CISA incident serves as a stark reminder that even the most advanced security measures are only as strong as the people who implement them.
Sources

This article was compiled from official announcements by CISA, research published by GitGuardian, and analysis provided by Seralys. Information was also drawn from KrebsOnSecurity’s coverage of the incident and statements from security experts involved in the investigation.