
A contractor working for the Cybersecurity and Infrastructure Security Agency left highly privileged credentials to AWS GovCloud accounts sitting in plain sight on a public GitHub repository. The exposure went on for months. Security researchers who found it called the incident one of the worst government leaks they had seen.
The repository, named Private-CISA, contained far more than stray keys. It held plaintext passwords for dozens of internal CISA systems. Files detailed exactly how the agency builds, tests and deploys its software. Logs, tokens and other sensitive assets sat alongside them. And the administrative credentials to three AWS GovCloud servers? They stayed valid for two full days after researchers alerted authorities.
Guillaume Valadon, a researcher at GitGuardian, spotted the material on May 15. He reached out to the repository owner. No response came. So he contacted KrebsOnSecurity. The account and its contents vanished from public view soon after. KrebsOnSecurity reported the full details the following Monday.
The contractor worked for Nightwing, a government contractor based in Dulles, Virginia. He used an email address tied to CISA as well as a personal one. The GitHub account itself dated back to September 2018. The problematic repository launched on November 13, 2025. Commits arrived regularly from that point forward. This was no one-off upload. It served as a working scratchpad. A way to move files between a work laptop and a home computer.
That habit produced staggering oversights. The repository disabled GitHub’s built-in feature meant to block secrets from public repos. Passwords appeared in a CSV file with names as obvious as each platform followed by the current year. Backups lived directly in the Git history. Valadon could hardly believe what he saw. “Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature… I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I’ve witnessed in my career.”
Philippe Caturegli, founder of Seralys, examined the material at the request of KrebsOnSecurity. He confirmed the AWS keys worked. They granted administrative access to three separate GovCloud accounts. Those environments exist specifically to hold sensitive government data under strict controls. “That would be a prime place to move laterally,” Caturegli said. He pictured an attacker slipping a backdoor into software packages. Every new build would spread the compromise across CISA systems.
Caturegli also pieced together the contractor’s likely routine. Regular commits stretching back to late 2025 suggested routine synchronization between devices. “This would be an embarrassing leak for any company, but it’s even more so in this case because it’s CISA.”
The agency itself operates under strain. It has lost nearly a third of its workforce since the start of the second Trump administration. Early retirements, buyouts and resignations have left it running with reduced staff and budget. A CISA spokesperson acknowledged the exposure. “Currently, there is no indication that any sensitive data was compromised as a result of this incident,” the statement read. “While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences.” The agency directed further questions about the contractor to Nightwing. The company declined to comment and pointed back to CISA.
News of the breach spread quickly on X. Multiple accounts shared the KrebsOnSecurity story within hours of publication. Some posts highlighted the continued validity of the keys. Others noted the plaintext passwords and the Artifactory credentials that could have let an intruder poison CISA’s internal code repository.
This event arrives against a backdrop of repeated cloud credential exposures. Researchers have documented thousands of similar mistakes across private industry and government alike. Yet the CISA case stands out. The agency exists to guide others on proper security practices. Its own contractor handed adversaries a roadmap to sensitive federal systems.
The files went beyond credentials. They mapped internal processes in detail. An attacker could study the deployment pipelines, identify weak points in the build chain, and craft attacks that blend into normal CISA operations. Lateral movement becomes simpler when you understand the target’s own logic.
AWS GovCloud adds another dimension. The platform enforces stricter compliance than standard AWS regions. Federal customers rely on its isolation. Administrative keys there open doors that should stay bolted. The fact those keys survived 48 hours after notification raises fresh questions about detection and response speed.
GitGuardian’s discovery method relied on routine scanning of public repositories for secrets. Many organizations now run similar tools. The fact that a CISA-linked repo escaped notice for months shows that gaps remain. Contractors, personal devices and synchronization habits create persistent risks.
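The scanning the article describes (GitGuardian's public-repo monitoring, and GitHub's own push protection that the repository had switched off) can also run locally before anything is pushed. The script below is an added example written for this page, not code from GitGuardian, GitHub, CISA or Nightwing. It walks `git log -p --all` output and flags the kinds of material the article lists: AWS access key IDs and secret keys, a GitHub token, private-key blocks, and a CSV whose header names a password column. The sample patch is constructed; its key values are the placeholders from AWS's own documentation and a made-up token. Findings are redacted so the scanner's output does not re-leak what it finds.

```python
"""Scan a git patch stream (the output of `git log -p --all`) for the
kinds of secrets described in the article: AWS access keys, API tokens,
private keys and CSV files with a plaintext password column.
Added example; the sample patch below is constructed."""
import re
import sys
from dataclasses import dataclass

# Detectors. AWS access key IDs are 20 characters beginning with AKIA
# (long-term) or ASIA (temporary); the other patterns are intentionally
# narrow so the scanner stays low-noise when used as a pre-commit hook.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+]{40})"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


@dataclass(frozen=True)
class Finding:
    commit: str
    path: str
    kind: str
    excerpt: str  # redacted: only the first 4 characters of a secret survive


def redact(token: str) -> str:
    """Keep a short prefix so a finding is recognisable without re-leaking it."""
    return token[:4] + "*" * (len(token) - 4)


def scan_line(commit: str, path: str, content: str) -> list:
    """Apply every detector to one added line; returns zero or more findings."""
    hits = []
    for kind, pattern in PATTERNS.items():
        m = pattern.search(content)
        if m:
            token = m.group(1) if m.groups() else m.group(0)
            hits.append(Finding(commit, path, kind, redact(token)))
    # A CSV whose header names a password column is plaintext credential
    # storage regardless of what the values look like.
    if path.lower().endswith(".csv"):
        columns = [c.strip().lower() for c in content.split(",")]
        if "password" in columns:
            hits.append(Finding(commit, path, "plaintext_password_csv", content))
    return hits


def scan_patch(patch_text: str) -> list:
    """Walk `git log -p` output, tracking the current commit and file, and
    scan only added (+) lines so each secret is reported where it entered."""
    findings, commit, path = [], "?", "?"
    for line in patch_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1][:12]
        elif line.startswith("+++ b/"):
            path = line[len("+++ b/"):]
        elif line.startswith("+") and not line.startswith("+++"):
            findings.extend(scan_line(commit, path, line[1:]))
    return findings


# Constructed sample patch. The AWS values are the documentation
# placeholders AWS publishes; the GitHub token is made up.
SAMPLE_PATCH = """\
commit 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b
Author: example <example@example.invalid>

diff --git a/sync/aws_creds.txt b/sync/aws_creds.txt
--- /dev/null
+++ b/sync/aws_creds.txt
+[govcloud-admin]
+aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
diff --git a/sync/passwords_2025.csv b/sync/passwords_2025.csv
--- /dev/null
+++ b/sync/passwords_2025.csv
+platform,username,password
+artifactory-2025,svc_build,not-a-real-password
commit 9f8e7d6c5b4a39281706f5e4d3c2b1a0f9e8d7c6
Author: example <example@example.invalid>

diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
 Setup notes (context line, not scanned):
+export GH_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
"""


if __name__ == "__main__":
    # Pipe real history in with: git log -p --all | python3 scan_history.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PATCH
    results = scan_patch(text)
    for f in results:
        print(f"{f.commit} {f.path}: {f.kind} -> {f.excerpt}")
    sys.exit(1 if results else 0)
```

Run against the sample it reports four findings across two commits and exits non-zero, which is the behaviour a pre-commit hook or CI job wants. Scanning only added lines means a secret is attributed to the commit that introduced it; because git history keeps every earlier version, deleting the file in a later commit does not remove the exposure, which is why a leaked key must be rotated rather than just removed from the tree.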
Security teams have long warned about these patterns. Plaintext storage. Disabled guardrails. Reuse of repositories for convenience. Each element appears in countless breach reports. Their convergence inside a federal cybersecurity agency carries extra sting.
CISA says it is adding safeguards. The exposed credentials have been rotated. Investigations continue. Yet the episode underscores a truth many inside government already know. Human error still defeats the most sophisticated technical controls. Especially when budgets shrink and experienced staff depart.
Industry observers will watch closely for follow-up disclosures. Any evidence of actual exploitation could shift this story from embarrassing lapse to active compromise. For now, the public record stops at the exposed repository and the swift takedown once outsiders rang the alarm.
Even without a confirmed breach of sensitive information, the damage sits in lost trust. Federal partners and private sector organizations look to CISA for leadership. A contractor’s personal GitHub habits just delivered a visible reminder that vigilance must extend to every endpoint. Every sync. Every commit.
from WebProNews https://ift.tt/k0aGXiN