Report Says CISA Contractor Exposed GovCloud Credentials in Public GitHub Repository

A public GitHub repository maintained by a contractor working for the Cybersecurity and Infrastructure Security Agency (CISA) allegedly exposed credentials for several AWS GovCloud accounts and other...

A public GitHub repository maintained by a contractor working for the Cybersecurity and Infrastructure Security Agency (CISA) allegedly exposed credentials for several AWS GovCloud accounts and other internal agency systems, according to security researchers who reviewed the files.

Researchers from GitGuardian and Seralys said the repository contained cloud keys, tokens, plaintext passwords, logs, and documentation tied to CISA and Department of Homeland Security systems. The material reportedly included files describing internal software development and deployment processes, along with credentials for infrastructure used by the agency.

One file was said to contain administrative access keys for three AWS GovCloud servers. Another listed usernames and passwords for dozens of internal systems, including what appears to be CISA’s secure software development environment. According to the researchers, some of the exposed credentials were valid and could be used to access highly privileged resources.

GitGuardian researcher Guillaume Valadon said his team alerted the owner of the repository after automated scanning identified the exposed secrets, but that he did not receive a response. Philippe Caturegli of Seralys said he checked the credentials to determine whether they were still active and what they could access. He described the repository as resembling a working scratchpad rather than a polished project repository.

CISA said it is aware of the report and is investigating. In a statement, the agency said it had seen no indication that sensitive data was compromised as a result of the incident and said it is reviewing safeguards to help prevent similar situations in the future.

What researchers said was exposed

  • A public GitHub repository linked to a CISA contractor
  • AWS GovCloud administrative credentials
  • Plaintext passwords for internal CISA systems
  • Logs, tokens, and other operational files
  • References to internal development and deployment tooling

Nightwing, the contractor identified in the reporting, declined to comment and referred questions to CISA. The repository has since been taken offline, though the researchers said the AWS credentials remained usable for a period after discovery.

The incident highlights the ongoing risk of secret leakage in source-code repositories, particularly when credentials are stored in plain text or copied between work and personal environments.