A publicly accessible GitHub repository maintained by a contractor supporting the Cybersecurity and Infrastructure Security Agency (CISA) exposed AWS GovCloud credentials, plaintext passwords, authentication tokens, deployment artifacts, and internal operational files tied to federal systems.
The exposure was discovered by GitGuardian researcher Guillaume Valadon and first reported by KrebsOnSecurity.
Researchers said the repository contained privileged credentials tied to CISA and Department of Homeland Security systems, including cloud infrastructure, internal development resources, and software deployment environments.
Why It Matters: The incident drew scrutiny after some exposed GovCloud keys reportedly remained active after disclosure. Repository contents also showed internal credentials and operational files stored in a publicly accessible environment.
- Repository Included Access to Internal Systems: The GitHub repository, reportedly named “Private-CISA,” contained AWS GovCloud administrative keys, plaintext passwords, authentication tokens, deployment logs, infrastructure references, and DevSecOps-related files connected to CISA and DHS systems. The materials reportedly provided visibility into internal environments, cloud resources, and deployment workflows tied to operational systems.
- Researchers Confirmed Active GovCloud Credentials: Security consultant Philippe Caturegli said several exposed AWS GovCloud credentials were still active when reviewed and could authenticate into privileged cloud environments. Some credentials reportedly remained valid for nearly 48 hours after CISA was notified.
- Development and Build Systems Were Included: The repository also reportedly contained credentials tied to CISA’s internal artifactory and software development infrastructure, including systems connected to package management and deployment workflows. Caturegli said those environments could create opportunities for persistence or unauthorized code modification if accessed by malicious actors.
- Repository Contents Revealed Weak Credential Practices: Valadon said the repository contained plaintext passwords stored in CSV files, Git backups committed directly into the repository, and signs that GitHub secret-scanning protections had been disabled. Researchers also identified password patterns based on platform names combined with the current year.
- Investigation Continues After Repository Removal: The GitHub repository was reportedly taken offline shortly after researchers notified CISA. The agency said it is investigating the incident and currently has no indication that sensitive data was compromised as a result of the exposure.
Go Deeper:
- CISA Admin Leaked AWS GovCloud Keys on Github – KrebsOnSecurity
- US cyber agency CISA exposed reams of passwords and cloud keys to the open web – TechCrunch


