CISA Contractor Exposed AWS GovCloud Keys and Internal Credentials on Public GitHub

Original source: CISA Admin Leaked AWS GovCloud Keys on GitHub (via Hacker News)

A Nightwing contractor working for CISA maintained a public GitHub repository called ‘Private-CISA’ that exposed administrative credentials to three AWS GovCloud accounts, along with plaintext passwords, tokens, logs, and build-and-deploy documentation for the agency’s internal systems. Researchers at GitGuardian flagged the repo on May 15 after the owner failed to respond to automated alerts, and Seralys founder Philippe Caturegli confirmed the leaked keys still authenticated at high privilege levels — including access to CISA’s internal artifactory, a code package repository that would be an ideal staging point for a supply-chain backdoor. The contractor had explicitly disabled GitHub’s default secret-detection guardrails and appears to have used the repo as a scratchpad to sync files between work and personal machines since November 2025.

Credential hygiene was abysmal even apart from the act of publishing: passwords stored in CSV files, backups committed to git, and predictable passwords built from a platform name plus the current year. Even after CISA was notified and the GitHub account was taken down, the exposed AWS GovCloud keys remained valid for another 48 hours. CISA says it has no indication of compromise and is investigating; Nightwing declined to comment.

The incident lands at a vulnerable moment for the agency, which has shed roughly a third of its workforce under the current administration. Researchers called it one of the worst government leaks they’ve encountered, and the artifactory exposure in particular raises the prospect that an attacker who acted during the exposure window could have poisoned build artifacts that CISA itself relies on.

This is an AI-generated summary. Read the original for the full story.