CISA Admin Leaked AWS GovCloud Keys On Github (krebsonsecurity.com) 61
An anonymous reader quotes a report from KrebsOnSecurity: Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how CISA builds, tests and deploys software internally, and that it represents one of the most egregious government data leaks in recent history. On May 15, KrebsOnSecurity heard from Guillaume Valadon, a researcher with the security firm GitGuardian. Valadon's company constantly scans public code repositories at GitHub and elsewhere for exposed secrets, automatically alerting the offending accounts of any apparent sensitive data exposures. Valadon said he reached out because the owner in this case wasn't responding and the information exposed was highly sensitive.
The GitHub repository that Valadon flagged was named "Private-CISA," and it harbored a vast number of internal CISA/DHS credentials and files, including cloud keys, tokens, plaintext passwords, logs and other sensitive CISA assets. Valadon said the exposed CISA credentials represent a textbook example of poor security hygiene, noting that the commit logs in the offending GitHub account show that the CISA administrator disabled the default setting in GitHub that blocks users from publishing SSH keys or other secrets in public code repositories. "Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature," Valadon wrote in an email. "I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I've witnessed in my career. It is obviously an individual's mistake, but I believe that it might reveal internal practices." "Currently, there is no indication that any sensitive data was compromised as a result of this incident," a CISA spokesperson wrote. "While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences."
The GitHub account in question was taken offline shortly after CISA was notified about the exposure. However, according to Caturegli, the exposed AWS keys remained valid for another 48 hours.
"What I suspect happened is [the CISA contractor] was using this GitHub to synchronize files between a work laptop and a home computer, because he has regularly committed to this repo since November 2025," Caturegli said. "This would be an embarrassing leak for any company, but it's even more so in this case because it's CISA."
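The summary describes GitGuardian-style scanning of public repositories and the kinds of material found in the repo (AWS keys, a CSV of plaintext passwords). As an added illustration, not code from the article, GitGuardian or CISA, here is a minimal scanner that flags those credential types in a set of file contents; the sample files are constructed and use AWS's published example key values, not real credentials.

```python
import csv
import io
import os
import re

# Patterns for the credential types the report says were committed:
# AWS access key IDs (long-term AKIA..., temporary ASIA..., 20 chars total)
# and 40-character AWS secret access keys assigned to the usual variable name.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
AWS_SECRET = re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})")
PASSWORD_COLUMN = re.compile(r"(?i)pass(word|wd)?$")

# Constructed sample repository contents (hypothetical paths, AWS doc example keys).
SAMPLE_FILES = {
    "backup/creds.csv": "service,username,password\nvpn,jdoe,Hunter2!\n",
    "notes/aws.txt": ("export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                      "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
    "src/app.py": "print('hello')\n",
}


def scan_blob(path, text):
    """Return (path, finding) pairs for one file's contents."""
    findings = []
    if AWS_KEY_ID.search(text):
        findings.append((path, "aws access key id"))
    if AWS_SECRET.search(text):
        findings.append((path, "aws secret access key"))
    if path.lower().endswith(".csv"):
        # Flag a CSV only if a password-like column exists AND holds values.
        rows = list(csv.DictReader(io.StringIO(text)))
        cols = [c for c in (rows[0].keys() if rows else []) if PASSWORD_COLUMN.search(c or "")]
        if any(row.get(c) for row in rows for c in cols):
            findings.append((path, "plaintext password column"))
    return findings


def scan_files(files):
    """Scan a mapping of path -> contents (e.g. every blob of one commit)."""
    return [f for path, text in sorted(files.items()) for f in scan_blob(path, text)]


def scan_tree(root):
    """Read a checked-out working tree (skipping .git) into scan_files()."""
    files = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return scan_files(files)


if __name__ == "__main__":
    for path, kind in scan_files(SAMPLE_FILES):
        print(f"{path}: {kind}")
```

A working-tree scan misses secrets that were committed and later deleted; those remain in history, so feed each commit's blobs (for example from `git show`) through `scan_files` as well.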
Seriously (Score:5, Funny)
How could Joe Biden allow this to happen?
Re:Seriously (Score:4, Funny)
How could Joe Biden allow this to happen?
Thankfully, Trump hires, "only the best people". /s
Re: (Score:1)
Who is the president now? Obama? Clinton? Biden? Carter?
I can't remember.
Re:Seriously (Score:5, Interesting)
Not sure what point you're trying to make here, although the Barack "Hussein" Obama dog whistle in your previous comment does provide a hint.
so you mean, who hired company in question is not at fault?
The original CISA DOMino contract was awarded to Raytheon back in 2017, under the Trump administration.
(Granted, this was following a 2 year legal battle, and Raytheon had originally been selected by the Obama administration in 2015.)
Raytheon later spun out its cybersecurity division into Nightwing, which took the DOMino contract with it.
And also Biden did not sack company who fucked up is not at fault?
In 2024, the Biden administration wanted to replace the DOMino contract with the ACTS contract, which was awarded to Leidos.
One day (!) after Trump took office in 2025, Nightwing sued, arguing that the contract was unfairly awarded to Leidos.
In May of 2025, Trump's DHS and CISA (facing massive budget cuts) pulled the plug on the ACTS contract altogether, leaving Nightwing and its secret leaking contractors in place.
That's as far as my research took me. Interested in hearing your take.
Re:Seriously Understaffed (Score:3, Informative)
Trump then turned the Doge goons loose on CISA and fired/drove off many of the career security workers. Since Trump took office in 2025 the CISA workforce has been pared down from 3300 employees to just 2389 as of March 2026. Sounds like the remaining workers are struggling to keep their heads above water and cutting corners to do it.
https://www.congress.gov/119/m... [congress.gov]
https://www.meritalk.com/artic... [meritalk.com]
Re: (Score:1)
At this point, Hitler
Feeding the AI is rarely Funny (Score:2)
Even though I don't even know what sort of humor I was hoping for on this story, I'm sure AC's brain fart was not it.
Just read another book with something about why anonymity encourages people to become worse people over time... Must have been in the Facebook-related stuff.
Me? I didn't even want to use GitHub but Claude.ai made me do it.
Re:Seriously (Score:4, Insightful)
I'm honestly surprised that the CISA spokeswoman didn't include a non sequitur like "we are re-building a world class workforce after the DEI-driven destruction caused by Biden's administration" nor a statement praising Donald Trump. Typically at least one of the two is included in any deflection offered by the current administration.
Re: (Score:1)
Letting CISA police misinformation and disinformation by declaring elections to be "critical infrastructure" is how you got Trump again and deserve him, you dumb projecting fascist.
Interesting (Score:5, Insightful)
Almost like firing staff indiscriminately and hiring loyalists leads to fuck ups.
Re:Interesting (Score:5, Informative)
maybe partly, but the reality I know as someone who reads a lot of penetration testing reports, is big supposedly mature organizations end up putting useful credentials (as in not just some QA mock environment nobody cares about in CI/CD stuff) in their git commits, all the freaking time.
Cloud security is a s*** show a lot of places, even places with mostly capable people, it only takes one idiot or one careless person to really mess things up badly. That is the problem with PaaS/SaaS model generally.
Re: Interesting (Score:3)
What you say is true, but is compounded by the downsized high productivity consider humans as fungible capital/resources development mentality of the last couple decades.
Re: (Score:2)
In my experience with security-heavy organizations, they are so anal in some respects about security that they end making things way worse.
In one case security was so "strict" that it took months to get a login account, so people just installed their own linux boxes to work on, or shared their passwords. Password strings had to comprise 27 (!) characters. People just ended up writing them on pieces of paper kept under their keyboards.
At one car manufacturer I worked at, security absolutely demanded that
Re: (Score:2)
Yeah but are those major organisations responsible for ... *goes and looks it up*:
Mission: We lead the national effort to understand, manage, and reduce risk to our cyber and physical infrastructure.
Vision: A secure and resilient critical infrastructure for the American people.
I mean sure when Microsoft leaves critical security keys on a Github we expect it and move on. But when a division of the government specialising in security against cybersecurity risk does the same it is worthy of a bit more questioni
Re: (Score:2)
They will never learn that Ideological purity and competence are not the same thing.
After the OMB hack, this one is minor (Score:2)
Re: (Score:3)
> pay the Chinese to host our fucking military servers
no, but that's literally what they were doing.
DC doesn't run a serious country.
https://slashdot.org/story/25/... [slashdot.org]
Damn. Old news, I guess. (Score:2)
Re: (Score:3)
I agree with your sentiment 100%, but the hacked entity was OPM [wikipedia.org], not OMB.
Re:After the s/OMB/OPM/g hack, this one is minor (Score:2)
Re: After the OMB hack, this one is minor (Score:3)
Re: (Score:3)
...essentially did that when Microsoft had Chinese contract engineers IN China working on US government infrastructure a little while back. But don't worry, American supervisors were monitoring them.
- The B2 bomber plans were when a lead designer/engineer on the project defected with a drive full of data ...don't worry though... the US and China have a mutual understanding to not do cyber espionage on each other ;)
- The F-22 and F-35 programs though were severely compromised and TB's of data exfiltrated....
Re: (Score:2)
Re: (Score:2)
that OPM hack was a complete shit show... setting back human intel gathering operations by decades and compromising countless people... those OPM records had photos, biometric data, sensitive lie detector and security clearance info... including data that can be used to blackmail the people
The hacked entity in question was an out-of-date ColdFusion website. As late as 2015, ColdFusion was not a good idea for this subject matter. [arstechnica.com]
Shameful (Score:4, Informative)
Re: (Score:3)
In fairness to CISA - this was a contractor... and i doubt CISA encourages anyone sync CISA stuff to their personal GitHub.
I've worked at many places where leadership did everything right, had the correct policies and DLP, etc... yet still... some jackass will have creds in plaintext somewhere it shouldn't be... chats, photos, screen shots, copy/paste buffer, notepad, stickypad, email, browsers, etc... Not gonna blame the entire org for some dipshit that thinks they're above the rules and thinks their shit
Welcome to modern cybersecurity. (Score:2)
Another disturbing point, why was GitHub being used? Standing up a Git server is ea
Re: Welcome to modern cybersecurity. (Score:1)
Re: (Score:2)
Own github repo needs backups and resilience against failing HDs etc. GitHub have these and it is less likely your repository is destroyed by crashes of hardware or software errors. GitHub also don't cost very much.
Excellent point - IE: GitHub ALSO has a backup of all these credentials in their backups and mirrored across who knows how many places, all of which could still be leaked.
Sorry, but there's no way to sell this as a good decision.
Re: (Score:2)
Another disturbing point, why was GitHub being used? Standing up a Git server is easy
Yeah that. Why not a GitGov or GovHub? It makes zero sense.
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
You'd need permission for that, which you'd never get anyway. Even if you had that you'd need budget, which you'd never get anyway. The easiest way around that is to never ask for anything and do whatever you feel like.
Remember bureaucrats have the permission to say no, never yes.
Re: Welcome to modern cybersecurity. (Score:1)
Github was probably being used because someone in government considers it COTS software from a reliable American corporation. Those people who used to insist on using IIS instead of Apache are still around!
Re: (Score:2)
Re: (Score:2)
IIS has good integration with active directory, and a lot of government networks run on AD. When I did government work our Java/Tomcat app had to deploy behind IIS so that IIS could do all the CAC/PIV crypto/AD windows stuff and hand us a user identity. Then I had the pleasure of doing NTLM/kerberos binding against an AD forest from java for authz - good times.
Re: (Score:2)
Deliberate (Score:1)
Please, there's no way this was by mistake. It's a hack from the inside. Just like all of the others.
Re: Deliberate (Score:2)
oh great fucking timing (Score:2)
I was just going to remind IS of their password policy recommendations that everyone doing business with the feds are supposed to follow.
So much for that fucking idea.
And this is why... (Score:5, Informative)
...we laugh when a Government says "We must have backdoor access to everyone's cryptography, it will be perfectly safe with us."
Re: (Score:2)
It's called leading by example. Duh! Nothing says leadership in the field more than not just asking for backdoors, but demonstrating that you yourself provide your own.
Re: (Score:2)
Did you post this using your new Trump phone?
Re: (Score:1)
Uh huh, so how many times did this happen during Biden or Obama?
"The now fired, previous head of ..." (Score:2)
Surely by now.
So anyone that forked the repo.. (Score:2)
Trump wants an attack (Score:2)