
The Watchdog Left the Keys Out: CISA Contractor Exposes GovCloud Credentials on GitHub

ducky
2026-05-22


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) spends its days telling everyone else how to lock down their systems. In May 2026, it became a case study in the exact mistake it warns against: a contractor left a trove of highly privileged government credentials sitting in a public GitHub repository — for months.

Security researchers called it one of the most serious government data exposures in recent memory. One described it bluntly as the worst leak he had seen in his career.

What Was Exposed

The repository, ironically named "Private-CISA," was tied to an employee of Nightwing, a Virginia-based government contractor (formerly the cybersecurity arm of Raytheon/RTX) with a long-running, privileged role in CISA's cyber operations. The repo was created in late 2025 and remained publicly accessible until it was pulled in mid-May 2026.

Inside, according to researchers and KrebsOnSecurity, were:

  • AWS GovCloud administrative credentials for at least three accounts — GovCloud being the dedicated AWS environment for sensitive U.S. government workloads.
  • A file literally named importantAWStokens granting high-level cloud access.
  • AWS-Workspace-Firefox-Passwords.csv — plaintext usernames and passwords for dozens of internal CISA systems.
  • SSH keys, API tokens, deployment logs, Git backups, and documentation of how CISA builds, tests, and ships software internally.

It was discovered by Guillaume Valadon of GitGuardian, whose firm continuously scans public repos for leaked secrets. He said he initially assumed the data was fake because it was so sensitive — and that he only escalated to CISA directly after the repository owner ignored his alerts. A second researcher independently confirmed several credentials were valid.

Why It's So Bad

A few details turn an embarrassing slip into a serious failure:

  • The secrets were live. Researchers reported that the exposed AWS keys were valid when checked, and that some remained active for nearly 48 hours after the repository was taken down. Anyone who cloned the repo during the months it was public already had a copy; removing it closed the source, not the exposure.
  • Detection was reportedly switched off. Reporting indicates the account had disabled GitHub's built-in secret scanning and push protection, the feature that rejects a push containing a recognized credential. If accurate, this wasn't a tool failing; it was a guardrail removed by hand. On a personal account push protection is a user-controlled setting that can also be bypassed per push, which is why organizations enforce it centrally rather than trusting individual accounts to keep it on.
  • Plaintext, in version control. Passwords in a CSV and credentials committed to Git are textbook bad practice, and once something is in Git history, deleting the file doesn't delete the secret. Neither does rewriting history and force-pushing: clones, forks and caches keep the old commits. Rotation is the only remedy.
  • The blast radius is enormous. Cloud admin keys can unlock infrastructure, data, logs, and permissions all at once, and an attacker holding them can tamper with the logging that would record the intrusion. Files describing CISA's CI/CD pipeline hand an attacker a map of the agency's software supply chain: where code is built, signed and deployed, and therefore where to tamper with it.

CISA has acknowledged the incident and says it is investigating, with no current evidence of active exploitation and additional safeguards being put in place. Nightwing declined to comment.

The Lessons (For Everyone, Not Just CISA)

This exposure didn't require a sophisticated adversary to find: a search of public code was enough. That's what makes it instructive:

  • Never commit secrets to source control. Keep them in a secrets manager or vault and inject them at runtime, or better, use an IAM role or workload identity instead of long-lived keys where the platform supports it. If a secret ever touches a repo, even briefly, treat it as compromised: rotate it first, then clean the history.
  • Leave detection guardrails on. Push protection and secret scanning exist precisely because humans make this mistake. On a personal account they are settings the user can turn off or bypass per push, so enforce them at the organization level and add a local pre-commit scanner as a second layer.
  • Rotate fast, assume copied. Pulling a public repo doesn't undo exposure; whoever cloned it still has the file. Revoke the moment a leak is confirmed, not 48 hours later, and review CloudTrail (or the equivalent audit log) for what the keys were used for in the meantime.
  • Your contractors are your attack surface. A third party with privileged access can leak your secrets as easily as an employee. Extend monitoring, least privilege, and audits to vendors, and scope their credentials so that a single leaked key is not an admin key to several accounts.
  • Run the scanners on yourself. GitGuardian's ggshield, gitleaks and trufflehog are free and scan both working trees and full Git history. Attackers are already scanning public GitHub; defenders should be scanning first, including forks and the personal accounts of people who hold privileged access.
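What a scanner of that kind actually does, and why the "deleting the file doesn't delete the secret" point above matters, is easiest to see in code. The following is an added example, not code from the article, from GitGuardian or from CISA: a minimal pattern-based secret scanner run over a constructed commit history in which a token file is committed and later deleted. The file names, commit ids and contents are made up for the example; the AWS values are the placeholder keys from AWS documentation, not real credentials, and the detection rules are a small illustrative set, not a production ruleset.

```python
"""Added example (not from the article, GitGuardian, or CISA): a minimal
secret scanner of the kind the lessons above describe, run over a constructed
commit history to show that a credential deleted in a later commit is still
recoverable from an earlier one.

Every file path, commit id and credential below is made up. The AWS values are
the placeholder examples from AWS documentation, not real keys.
"""
import re
from dataclasses import dataclass

# Detection rules are an assumption of this example: a handful of well-known
# formats, not a complete ruleset like a production scanner ships.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    # a 40-char base64-ish value on the same line, shortly after 'aws'/'secret'
    "aws_secret_access_key": re.compile(
        r"(?i)(?:aws|secret)[^\n]{0,30}?['\"=: \t]([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
    ),
    "ssh_private_key": re.compile(
        r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----"
    ),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    line: int
    redacted: str  # never log the full value: a scanner report must not re-leak it


def redact(value):
    """Keep just enough of the value to locate it, never enough to use it."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "..."


def scan_text(text):
    """Return a Finding for every pattern hit in text, with its 1-based line."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            line = text.count("\n", 0, m.start()) + 1
            findings.append(Finding(kind, line, redact(value)))
    return sorted(findings, key=lambda f: (f.line, f.kind))


def scan_history(commits):
    """commits: list of (commit_id, {path: content}) snapshots, oldest first,
    standing in for `git log -p`. A file removed in a later snapshot still
    appears in the earlier ones, which is why 'delete the file' is not a fix."""
    hits = []
    for commit_id, tree in commits:
        for path, content in tree.items():
            for f in scan_text(content):
                hits.append((commit_id, path, f.kind, f.redacted))
    return hits


def pre_push_check(tree):
    """Guardrail in the spirit of push protection: refuse a push whose
    working tree contains any secret. Returns (allowed, findings)."""
    findings = [(p, f) for p, c in tree.items() for f in scan_text(c)]
    return (len(findings) == 0, findings)


# Constructed sample data: a repo that commits a token file, then deletes it.
TOKENS_FILE = (
    "# constructed sample, AWS documentation placeholder values\n"
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
    "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
)
SSH_FILE = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "b3BlbnNzaC1rZXktdjEAAAAA\n"
    "-----END OPENSSH PRIVATE KEY-----\n"
)
README = "internal tooling\n"
HISTORY = [
    ("c1", {"importantAWStokens": TOKENS_FILE, "README.md": README}),
    ("c2", {"importantAWStokens": TOKENS_FILE, "deploy_key": SSH_FILE, "README.md": README}),
    ("c3", {"README.md": README}),  # 'cleanup' commit: secret files deleted
]

if __name__ == "__main__":
    allowed, _ = pre_push_check(HISTORY[-1][1])
    print("HEAD looks clean:", allowed)       # the current tree has no secrets
    for hit in scan_history(HISTORY):         # but every earlier commit still does
        print("history:", hit)
```

Run stand-alone, the script reports the current tree as clean and then lists the access key, secret key and SSH private key found in commits c1 and c2. That is the whole point: a scan of the working tree, or a glance at the repo after a "cleanup" commit, says nothing about what a clone taken earlier contains, so the response to a leak is rotation, and the prevention is the pre-push check refusing the first commit in the first place.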

The Takeaway

The most damaging breaches are often the most boring ones — not zero-days, but a forgotten repo with the keys inside. That it happened to the nation's lead cyber-defense agency is a pointed reminder: good security hygiene isn't about expertise, it's about discipline. Anyone can leave the keys out.


Sources

  • KrebsOnSecurity — "CISA Admin Leaked AWS GovCloud Keys on GitHub"
  • eSecurity Planet — "CISA GitHub Leak Exposes AWS GovCloud Secrets"
  • TechRepublic — "CISA Contractor Exposed Sensitive Credentials in Public GitHub Repository"
  • TechRadar Pro — "CISA contractor apparently leaked 'highly sensitive' government AWS keys on GitHub"
  • Biometric Update — "GitHub leak exposed CISA, DHS GovCloud keys, internal credentials"

Factual summary compiled from public reporting as of 22 May 2026. The investigation is ongoing and details may change.

Tags

CISA GitHub leak, AWS GovCloud credentials, secrets management, hardcoded credentials, GitGuardian, Nightwing contractor, plaintext passwords, supply chain security, credential exposure