Eddington.Tech
IAM · 2026-05-19 · 4 min read

CISA Contractor Leaked AWS GovCloud Keys on GitHub for Weeks

A CISA contractor kept a public GitHub repository running for weeks, named it "Private-CISA," and filled it with AWS GovCloud admin credentials, plaintext passwords, and internal build system details. They also disabled GitHub's secret detection feature so the platform wouldn't flag the commits.

GitGuardian's Guillaume Valadon found it this weekend while scanning public repos. He tried contacting the owner. Nobody responded. The credentials stayed public until KrebsOnSecurity broke the story yesterday.

Here's what was in there:

  • A file called "importantAWStokens" with admin credentials to three AWS GovCloud servers
  • "AWS-Workspace-Firefox-Passwords.csv" with plaintext logins for dozens of internal CISA systems
  • Commit logs showing the owner explicitly disabled GitHub's default secret blocking
  • Files documenting how CISA builds, tests, and deploys software internally
  • Access to the Landing Zone DevSecOps environment - the agency's secure development pipeline

Philippe Caturegli from Seralys tested the AWS keys. They worked. The GovCloud accounts were still active.

The repository wasn't accidental or abandoned. Commit history shows ongoing maintenance. The owner knew enough about GitHub to disable secret detection deliberately. They were using the repo as a synchronization mechanism between systems, treating it like a personal cloud storage account that happened to be public and searchable.

Valadon called it "the worst leak I've witnessed in my career." He's seen a lot of credential exposures.

For IAM teams, this is a case study in what happens when institutional controls fail:

  • Individual GitHub accounts holding production credentials instead of centralized secrets management
  • No pre-commit hooks or automated scanning before code hits public repos
  • GovCloud access keys stored in plaintext CSV files
  • Passwords for production systems living in a browser's saved password export

CISA's job is telling organizations how to secure their infrastructure. The repository exposes how their own contractor was handling secrets while working on CISA systems.

The AWS accounts have been locked down now. The repository is gone. But those credentials were public for an unknown period - weeks at minimum. Anyone scanning GitHub for patterns matching GovCloud credential formats had access.

If you're running AWS GovCloud environments: rotate long-lived credentials. Check your CloudTrail logs for access from unfamiliar IPs. And if your developers are exporting browser passwords to CSV files, find out why and stop it.
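One way to run the CloudTrail check above, as an added example that is not part of the original post: a small Python script that parses CloudTrail records (a constructed sample is embedded) and flags any use of a long-term access key (AKIA prefix) from an IP outside an assumed allowlist of known egress ranges. Key IDs, IPs and the CIDR ranges are assumptions for illustration.

```python
import ipaddress
import json

# Constructed sample: four CloudTrail records in the standard event format.
# Key IDs, IPs and regions below are made up for illustration.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2026-05-18T02:14:09Z", "eventName": "ListBuckets",
     "awsRegion": "us-gov-west-1", "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2026-05-18T09:30:00Z", "eventName": "DescribeInstances",
     "awsRegion": "us-gov-west-1", "sourceIPAddress": "10.20.0.15",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2026-05-18T11:05:22Z", "eventName": "AssumeRole",
     "awsRegion": "us-gov-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000002"}},
    {"eventTime": "2026-05-18T11:06:00Z", "eventName": "GetCallerIdentity",
     "awsRegion": "us-gov-west-1", "sourceIPAddress": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "AWSService", "invokedBy": "cloudtrail.amazonaws.com"}},
]})

# Assumed known-good egress ranges (the org's VPN and office NAT blocks).
KNOWN_CIDRS = [ipaddress.ip_network("10.20.0.0/16"),
               ipaddress.ip_network("198.51.100.0/24")]


def is_known_ip(addr: str) -> bool:
    """True if addr falls inside a known range. AWS service principals show up
    as hostnames (e.g. 'cloudtrail.amazonaws.com'); treat those as known."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return addr.endswith(".amazonaws.com")
    return any(ip in net for net in KNOWN_CIDRS)


def flag_unfamiliar_key_use(cloudtrail_json: str) -> list[dict]:
    """One finding per event where a long-term key (AKIA prefix, as opposed to
    ASIA temporary credentials) was used from an IP outside the known ranges."""
    findings = []
    for rec in json.loads(cloudtrail_json)["Records"]:
        key_id = rec.get("userIdentity", {}).get("accessKeyId", "")
        src = rec.get("sourceIPAddress", "")
        if key_id.startswith("AKIA") and not is_known_ip(src):
            findings.append({"time": rec["eventTime"], "key": key_id, "ip": src,
                             "event": rec["eventName"], "region": rec["awsRegion"]})
    return findings


if __name__ == "__main__":
    for f in flag_unfamiliar_key_use(SAMPLE_CLOUDTRAIL):
        print(f"ROTATE {f['key']}: {f['event']} from {f['ip']} at {f['time']}")
```

Any key that appears in the findings is a rotation candidate regardless of whether the call succeeded; failed calls from an unknown IP still mean the key has left your control.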

Written by Hunter Eddington
Source: Krebs on Security