CISA Contractor Leaves Sensitive AWS Credentials and Passwords in Public GitHub Repository for Six Months

In what security experts are calling a vital stress test of federal cybersecurity infrastructure, a contractor for the U.S. Cybersecurity and Infrastructure Security Agency (CISA) inadvertently exposed highly sensitive internal credentials on a public GitHub repository for six months. The exposure included administrative keys to AWS GovCloud environments, plaintext passwords, and internal deployment data. While the breach of protocol was severe, the incident is being hailed as a crucial "near miss." Independent security researchers discovered the exposed data and alerted the agency before any known malicious exploitation could occur, transforming a potential catastrophe into a profound learning opportunity for government vendor management.[1][2][3]

The discovery highlights the indispensable role of the broader cybersecurity community in safeguarding national assets. Researchers from security firms that continuously scan public code repositories for exposed secrets flagged the anomaly in mid-May 2026. The repository, conspicuously named "Private-CISA," had been publicly accessible since November 2025. By proactively identifying the leak and notifying CISA, these independent analysts demonstrated how automated external monitoring can serve as a critical safety net when internal governance protocols fail.[4][5][6]

An analysis of the exposed repository revealed a startling cache of sensitive information. The data included credentials capable of authenticating to three highly privileged AWS GovCloud accounts, alongside SSH keys and authentication tokens. Furthermore, the repository contained plaintext credentials granting access to CISA’s internal "artifactory"—the central hub where the agency stores the code packages used to build and deploy its software. Security analysts noted that in the hands of a sophisticated threat actor, this level of access could have facilitated a devastating supply chain attack, allowing intruders to move laterally across federal networks.[1][2][3]

The mechanics of the exposure offer a masterclass in how human convenience often bypasses technical safeguards. Investigators found that the contractor had explicitly executed commands to disable GitHub’s built-in secret-detection features. These automated protections are specifically designed to block users from publishing passwords or cryptographic keys in public repositories. By manually overriding these controls, the contractor inadvertently stripped away the primary layer of defense that would have immediately flagged the dangerous commit.[4][5][6]

Understanding the motive behind such a severe lapse is critical for preventing future occurrences. Security experts analyzing the commit history suspect the contractor was using the public GitHub repository as an unauthorized, albeit highly convenient, method to synchronize files between a work laptop and a personal home computer. The repository featured regular updates over the six-month period, and commit logs showed activity linked to both a CISA-associated email address and a personal account. This behavior underscores the persistent challenge of securing remote work environments where employees may seek workarounds for cumbersome security protocols.[1][2][3]

The contents of the repository also shed light on secondary security hygiene issues within the contractor's workflow. Among the exposed files was a document bluntly named "AWS-Workspace-Firefox-Passwords.csv," which contained numerous operational secrets stored in plain text. Analysts reviewing the data noted that several of the internal passwords relied on notoriously weak naming conventions, such as combining a platform's name with the current year. This revelation has sparked internal reviews of password complexity requirements and the enforcement of password managers across CISA's vendor ecosystem.[4][5][6]

The remediation process following the discovery provided its own set of actionable lessons. Once notified by the independent researchers, CISA and the contractor moved to take the offending GitHub repository offline. However, security analysts monitoring the situation observed that some of the exposed AWS GovCloud keys inexplicably remained valid for nearly 48 hours after the repository was deleted. This delay in credential revocation highlights a critical gap in automated incident response capabilities, prompting calls for tighter integration between threat detection and immediate access termination.[1][2][3]

Despite the severity of the exposure and the delay in revocation, the outcome remains overwhelmingly positive. CISA has stated that comprehensive forensic investigations have yielded no indication that the exposed credentials were ever accessed or utilized by malicious actors. The fact that the data sat in the open for six months without being weaponized is a stroke of immense luck, but the successful intervention by white-hat researchers validates the effectiveness of collaborative security ecosystems. The incident was caught in time, preventing what could have been one of the most damaging government data leaks in recent history.[4][5][6]

There is an undeniable irony in the fact that CISA—the very agency tasked with advising American businesses and critical infrastructure on how to secure their systems—suffered a fundamental credential exposure. However, cybersecurity leaders are using this irony constructively. By transparently acknowledging the lapse, CISA is demonstrating that human error can compromise even the most security-conscious organizations. This transparency reinforces the agency's long-standing guidance that organizations must assume breaches will happen and build resilient architectures that limit the blast radius of any single failure.[1][2][3]

The incident is already catalyzing systemic reforms in how federal agencies manage vendor risk. Historically, vendor risk management has focused heavily on the initial provisioning of access and annual compliance checklists. This exposure proves that governance must extend to continuous, real-time monitoring of contractor behavior. Future federal contracts are expected to include explicit prohibitions against circumventing security detection mechanisms, coupled with automated alerts that notify agency administrators the moment a contractor attempts to disable a security tool.[4][5][6]

Furthermore, the event is accelerating the adoption of strict Zero Trust architectures across government supply chains. In a true Zero Trust environment, the possession of a valid credential is no longer sufficient to grant access; systems must also verify the user's context, such as their device health, location, and behavioral patterns. Had strict conditional access policies been fully enforced on the exposed AWS GovCloud accounts, the leaked keys would have been useless to an attacker attempting to log in from an unauthorized, external IP address.[1][2]

Ultimately, the exposure of the "Private-CISA" repository serves as a highly effective, albeit unintentional, fire drill. It has exposed critical blind spots in contractor oversight, credential hygiene, and automated revocation processes without incurring the devastating costs of an actual cyberattack. As federal agencies and their private-sector partners digest the lessons learned from this near miss, the resulting improvements in supply chain visibility and access governance will leave the nation's digital infrastructure significantly more secure than it was before the leak occurred.[3][4]