← Back to SecLog

CISA contractor exposed AWS GovCloud and internal agency credentials in public GitHub repository

Updated: 2026.05.22 19D ago 5 sources
Breaches & Data Leaks Supply Chain
KrebsOnSecurity reports that a public GitHub repository maintained by a CISA contractor exposed sensitive internal files, plaintext passwords, tokens, and administrative credentials for three AWS GovCloud accounts and other CISA systems. Researchers said some credentials were valid and could authenticate to high-privilege GovCloud environments, and the repository also exposed internal software build and artifactory access details.
Why it matters: This is a major breach-risk event affecting a U.S. federal cybersecurity agency, with potential impact on internal systems, software supply-chain integrity, and government cloud environments. Affected parties need credential rotation, repository auditing, and investigation of possible unauthorized access.

Sources

Lawmakers Demand Answers as CISA Tries to Contain Data Leak
BrianKrebs 2026.05.22 99% relevant
This is a direct follow-up on the same CISA 'Private-CISA' GitHub exposure, adding that congressional lawmakers are demanding answers and that CISA was still trying to revoke exposed credentials days after notification, including a reportedly still-valid RSA key tied to a GitHub app with broad access to CISA repositories and CI/CD secrets.
In Other News: Industrial Router Exploitation, CISA KEV Nomination Form, Gas Station Hacking
SecurityWeek News 2026.05.22 96% relevant
This roundup directly recaps the same incident, adding that the public repository was named "Private-CISA," that the exposure lasted for months, and that the leaked material included administrative keys for multiple AWS GovCloud accounts and plaintext passwords that could have enabled lateral movement or software-package tampering.
CISA Security Leak
Bruce Schneier 2026.05.22 99% relevant
This is the same underlying event: a CISA contractor's public GitHub repository exposing privileged AWS GovCloud credentials and internal CISA deployment and system details; it mainly amplifies the severity and points readers to the reported leak.
America's top cyber-defense agency left a GitHub repo open with passwords, keys, tokens – and incredibly obvious filenames
2026.05.19 98% relevant
This is the same underlying GitHub exposure event and adds specifics from The Register and GitGuardian on the repository contents, file names, duration of exposure, disclosure timeline, and CISA's response.
CISA Admin Leaked AWS GovCloud Keys on Github
BrianKrebs 2026.05.18 100% relevant
This article appears to be the first tracked report establishing the underlying event: a public GitHub leak of valid CISA internal and GovCloud credentials.
← Back to all stories