CISA Contractor Exposed AWS GovCloud Keys on Public GitHub Repository
In what security experts are calling one of the most egregious government data leaks in recent history, a contractor working for the Cybersecurity and Infrastructure Security Agency (CISA) maintained a publicly accessible GitHub repository that exposed credentials for several highly privileged AWS GovCloud accounts, along with access details for a large number of internal CISA systems. The repository remained publicly visible until the weekend of May 17–18, 2026, when it was finally taken down following intervention by external security researchers.
The incident raises serious questions about the security practices of contractors who work with sensitive government infrastructure — and about how well federal agencies monitor their own supply chains for credential hygiene and secret management failures.
How the Leak Was Discovered
The exposure came to light on May 15, when Guillaume Valadon, a researcher at the security firm GitGuardian, contacted journalist Brian Krebs of KrebsOnSecurity. GitGuardian operates a continuous scanning platform that monitors public code repositories on GitHub and other platforms for exposed secrets such as API keys, passwords, and cloud credentials. When the platform detects a sensitive exposure, it automatically alerts the account owner responsible.
In this case, however, the contractor whose account hosted the repository was not responding to GitGuardian's automated alerts. Given the extreme sensitivity of the exposed data — government cloud infrastructure credentials and internal system access details — Valadon decided to escalate by reaching out directly to the press, hoping the public attention would force a faster remediation response.
The repository, which was described internally as the "Private CISA" repo, contained files detailing how CISA builds, tests, and deploys software across its internal environments. These are the kinds of operational blueprints that a malicious actor could use to map out an agency's entire development and deployment infrastructure, identify vulnerabilities, and potentially gain unauthorized access to live government systems.
What Was Actually Exposed?
According to reports and security expert analysis of the repository before it was taken down, the leaked data included:
- AWS GovCloud access keys — credentials tied to highly privileged accounts in Amazon's government-specific cloud environment, which is used to host sensitive federal workloads and data.
- Internal CISA system credentials — usernames, passwords, and authentication tokens granting access to a wide array of internal agency systems.
- CI/CD pipeline configurations — documentation and scripts revealing how CISA builds, tests, and deploys its internal software, effectively exposing the agency's software development lifecycle in detail.
- Infrastructure-as-code files — scripts and templates that define cloud environments, potentially allowing a threat actor to replicate or manipulate CISA's cloud architecture.
AWS GovCloud is a specialized Amazon Web Services region designed specifically for U.S. government agencies. It is used to store and process data subject to strict regulatory requirements, including controlled unclassified information (CUI). Exposure of privileged credentials for such an environment is not a routine security incident — it represents a potentially catastrophic breach of access control for systems that may house sensitive government data.
Why This Is So Alarming
To understand the severity of this incident, it helps to understand the role CISA plays in the broader federal cybersecurity landscape. CISA is the nation's primary civilian cybersecurity agency. It is responsible for protecting critical infrastructure, coordinating the federal government's cyber defenses, and issuing guidance to both public and private sector organizations on how to secure their systems. The agency literally writes the playbook on preventing exactly this kind of credential exposure.
The irony of CISA — the agency that warns others about hardcoded secrets, poor secret management, and insecure software development practices — suffering a major credential leak from a contractor's public GitHub repository is not lost on the security community. It underscores a persistent and frustrating reality in cybersecurity: even organizations with deep knowledge of the threat landscape can fall victim to elementary security failures, especially when those failures occur in the contractor ecosystem rather than inside the agency's own walls.
Security researchers who reviewed the repository before its removal described the exposure as one of the worst government-related data leaks they had seen, noting that the combination of privileged cloud credentials and detailed internal architecture documentation gave potential attackers a comprehensive roadmap into CISA's infrastructure.
The Contractor Supply Chain Problem
This incident is a stark reminder of the risks posed by third-party contractors in government and enterprise environments. Agencies often grant contractors access to sensitive systems, cloud environments, and internal tooling to perform legitimate work. But the security controls applied to contractor-managed code and repositories are frequently less rigorous than those applied to internal staff.
When a contractor pushes sensitive credentials to a public GitHub repository — whether through carelessness, misunderstanding of repository visibility settings, or poor development hygiene — the consequences can be catastrophic. In this case, the credentials were sitting in a public repository, discoverable by anyone with internet access and a basic understanding of how to search GitHub for exposed secrets.
Lessons for Organizations: How to Prevent This
The CISA GitHub leak is unfortunately not unique. Similar incidents have affected companies and government agencies across the globe. However, there are concrete steps that organizations can take to dramatically reduce their exposure:
- Adopt a secrets management platform: Tools like HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault ensure that credentials are never hardcoded into source files or configuration scripts.
- Enable pre-commit hooks and secret scanning: Developer-side tooling can catch accidental secret inclusions before code is ever pushed to a remote repository.
- Use GitGuardian or similar monitoring services: Continuous scanning of public repositories can catch exposures quickly, though as this case demonstrates, quick detection only helps if someone responds to the alerts.
- Enforce least-privilege access for contractors: Contractors should have access only to the specific systems and resources they need for their work, minimizing the blast radius of any accidental exposure.
- Conduct regular audits of contractor repositories: Organizations should maintain visibility into the repositories their contractors use and enforce policies around secret management and repository visibility.
- Rotate credentials immediately upon suspected exposure: Any time credentials may have been exposed — even briefly — they should be considered compromised and rotated without delay.
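As an added illustration of the pre-commit step in the list above (not code from CISA, GitGuardian, or the original article), the following Python hook scans only the lines a commit adds for AWS access key IDs and secret access keys. The function name `scan_diff`, the sample diff, and the regular expressions are assumptions chosen for this example; the patterns are common heuristics, and the sample uses AWS's documentation placeholder keys.

```python
import re
import subprocess
import sys

# Long-term access key IDs start with AKIA, temporary (STS) ones with ASIA.
KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Secret keys are 40 base64-style characters; require the usual variable name
# next to them to keep false positives down.
SECRET = re.compile(
    r"aws_secret_access_key\s*[=:]\s*[\"']?[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])",
    re.IGNORECASE)
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Constructed sample: AWS's documentation placeholder keys, not real credentials.
SAMPLE_DIFF = """\
diff --git a/deploy/env.sh b/deploy/env.sh
--- a/deploy/env.sh
+++ b/deploy/env.sh
@@ -2,0 +3,3 @@
+export AWS_DEFAULT_REGION=us-gov-west-1
+export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

def scan_diff(diff_text):
    """Return (path, line_no, kind) for each secret found on an added line."""
    findings, path, line_no, in_hunk = [], None, 0, False
    for line in diff_text.splitlines():
        hunk = HUNK.match(line)
        if line.startswith("diff --git "):
            in_hunk = False
        elif hunk:
            in_hunk, line_no = True, int(hunk.group(1))
        elif not in_hunk and line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif in_hunk and line.startswith("+"):
            for kind, rx in (("aws-access-key-id", KEY_ID),
                             ("aws-secret-access-key", SECRET)):
                if rx.search(line):
                    findings.append((path, line_no, kind))
            line_no += 1
        elif in_hunk and line.startswith(" "):
            line_no += 1
    return findings

if __name__ == "__main__":  # as .git/hooks/pre-commit: non-zero exit blocks the commit
    staged = subprocess.run(["git", "diff", "--cached", "--unified=0", "--no-color"],
                            capture_output=True, text=True, check=True).stdout
    hits = scan_diff(staged)
    for path, line_no, kind in hits:
        print(f"{path}:{line_no}: possible {kind}", file=sys.stderr)
    sys.exit(1 if hits else 0)
```

A local hook can be bypassed or simply not installed on a contractor's machine, so the same check belongs in server-side push protection or CI as well.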
The Broader Takeaway
The CISA AWS GovCloud credential leak serves as a powerful and uncomfortable reminder that cybersecurity is only as strong as its weakest link. In this case, that link was a contractor's public GitHub repository. The fact that it took an external security researcher, an automated scanning service, and a cybersecurity journalist to force remediation action is itself a troubling signal about how seriously even the most security-conscious agencies monitor their contractor ecosystem.
For organizations of every size, the lesson is clear: secrets do not belong in source code, repositories must be monitored continuously for accidental exposures, and contractor security practices deserve the same scrutiny as internal ones. In the era of cloud-native infrastructure and distributed software development, credential hygiene is not optional — it is foundational.

