CISA contractor posted admin keys to public GitHub


A contractor at the Cybersecurity and Infrastructure Security Agency (CISA), the federal agency whose entire job is protecting U.S. critical infrastructure from cyberattacks, kept admin credentials for three AWS GovCloud accounts in a public GitHub repository for six months. GovCloud is Amazon's set of isolated cloud regions for U.S. government workloads. The same repository contained a CSV file of plaintext passwords to internal CISA systems, credentials to the agency's internal code repository, and other files that GitGuardian's Guillaume Valadon called "the worst leak that I've witnessed in my career." The repo was, aptly, named "Private-CISA."

KrebsOnSecurity broke the story Monday after researchers at GitGuardian and Seralys, two security firms that scan public code repositories for exposed credentials, flagged the repo. The contractor's GitHub account had been committing to it regularly since November 13, 2025. Even after CISA was notified and the account was taken offline, the exposed AWS admin keys stayed valid for another two days. Taking a repository down does not revoke anything that was already copied out of it; only rotating the keys does that.

How it was found

GitGuardian runs automated tools that constantly crawl public GitHub repositories looking for things that should not be there: passwords, API tokens, private keys and certificates, that kind of thing. GitHub itself has a feature called secret scanning that flags the same content automatically, and it is turned on by default for new accounts. The contractor had manually turned it off.

Valadon at GitGuardian was the researcher who first flagged the repo. He reached out to Krebs after the repo's owner did not respond to GitGuardian's automated alerts. Philippe Caturegli, founder of the security firm Seralys, then tested the credentials independently and confirmed they authenticated to three AWS GovCloud accounts at high privilege levels.

What was found

The file names tell most of the story. One file was called "importantAWStokens". Another was a CSV titled "AWS-Workspace-Firefox-Passwords" with plaintext logins for dozens of internal CISA systems. The archive also included Kubernetes configurations, internal logs, and credentials to the agency's Artifactory instance, the internal repository where CISA stores the software packages it uses to build other software. An attacker with that access could inject a backdoor into a package and watch it get deployed throughout the agency's systems on the next software release. The Kubernetes configurations are not harmless either: a kubeconfig normally embeds the cluster endpoint together with a client credential, so it is a key, not just a description of a cluster.

The passwords themselves followed a pattern. Many were simply the name of the platform followed by the current year.

GitGuardian flagged the repo via automated scanning and Seralys independently confirmed the credentials worked. The repo creation date and commit history are verifiable from Git metadata. CISA confirmed the incident to Krebs and said it is investigating. CISA noted that "there is no indication that any sensitive data was compromised." They did not add "so far." That statement is also only as strong as the logging behind it: whether anyone else used those keys during the six months is a question for the accounts' CloudTrail history, not for the repo.

Caturegli's read on motive is ordinary human behavior, not espionage. The contractor appears to have been using GitHub as a sync mechanism between a work laptop and a home computer. Six months of weekly commits looks like convenience, not data theft. The contractor works for Nightwing, a government services firm in Dulles, Virginia, which declined to comment.

Lessons learned

The contractor made a mistake. But it is one most of us have probably made at some point out of convenience. How many times have you created a temporary password, promising to change it later? Later never happens.

Using cloud storage (or a code repository, or email-to-self) as a sync mechanism between work and home machines is one of the most common security gaps there is. Plaintext passwords in spreadsheets, often in a file literally named passwords.xlsx, are probably the second most common. Disabling security warnings because they get in the way is a close third. Predictable passwords (pet names, kid names, "Password123" with rotating numbers, platform name plus current year) are the fourth.

The federal cyber agency is supposed to be the highest-rigor environment in the country for this stuff. The contractor was operating inside it and still managed to leak the keys to three GovCloud accounts. Whatever you tell yourself about your company being too small to be a target, or your team being good about this, the failure point is convenience.

What to do

Replace cross-device sync with a password manager. If anyone on your team moves credentials between work and home machines, route them through 1Password, Bitwarden, or another password manager. Password managers are built to sync across devices, and the vault is encrypted before it leaves the machine, which is exactly what a Git repo or a shared drive does not give you. Pick one and have everyone on the team use it.

Hunt down your plaintext password files. Search OneDrive, Dropbox, Google Drive, and shared network drives for files named "passwords," "logins," "credentials," or spreadsheets with "password" in a column header. Move the contents to a password manager and delete the originals. Then empty the recycle bin, and remember that synced drives keep version history and trash copies around, so check those too.
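The hunt above, and the automated scanning described under "How it was found", are the same idea pointed at different targets: look for files whose names give them away, for content that has the fixed shape of a real token, and for spreadsheets with a password column. The script below is an added example written for this post, not GitGuardian's or GitHub's code. It walks a directory tree and reports all three, and additionally flags values in a password column that fit the "platform name plus year" pattern noted above. The sample files it creates in a temp directory are constructed for the example, modelled on the leaked file names but with made-up contents; AKIAIOSFODNN7EXAMPLE is the placeholder key ID from AWS's own documentation, not a live key. The token patterns are a small illustrative set; the real scanners carry hundreds.

```python
"""Credential hunt over a directory tree: flag files by name, by content
pattern (the fixed-shape token formats that public-repo scanners key on),
by a 'password' column in CSV headers, and flag predictable values in
that column. Findings never echo the password itself, only its row."""
import csv
import io
import re
import tempfile
from pathlib import Path

# File names worth a look regardless of content.
NAME_HINTS = re.compile(r"passw(or)?d|login|credential|secret|token", re.I)

# Content patterns with a fixed, recognisable shape. A bare 40-character AWS
# secret key is too generic to match on its own, so scanners key on the ID.
CONTENT_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
}

# "Platform name plus a year", with at most one trailing symbol.
PREDICTABLE = re.compile(r"^[A-Za-z]{3,}(?:19|20)\d{2}[!@#$%*]?$")

# Extensionless files ("") are included: "importantAWStokens" had no suffix.
TEXT_SUFFIXES = {"", ".csv", ".txt", ".md", ".json", ".yaml", ".yml", ".cfg", ".ini"}


def scan_content(text):
    """Return (pattern_name, detail) for every content pattern that matches."""
    return [(name, f"{len(pat.findall(text))} match(es)")
            for name, pat in CONTENT_PATTERNS.items() if pat.search(text)]


def scan_csv(text):
    """Flag a CSV with a 'password' column and any predictable values in it."""
    findings = []
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if header is None:
        return findings
    pw_cols = [i for i, h in enumerate(header) if "password" in h.strip().lower()]
    if not pw_cols:
        return findings
    findings.append(("password_column", ",".join(header[i] for i in pw_cols)))
    for row_no, row in enumerate(reader, start=2):  # header is row 1
        for i in pw_cols:
            if i < len(row) and PREDICTABLE.match(row[i].strip()):
                findings.append(("predictable_password", f"row {row_no}"))
    return findings


def hunt(root):
    """Walk root; return {relative_path: [(kind, detail), ...]} for flagged files only."""
    root = Path(root)
    results = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        findings = []
        if NAME_HINTS.search(path.name):
            findings.append(("suspicious_name", path.name))
        if path.suffix.lower() in TEXT_SUFFIXES:
            try:
                text = path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                text = ""
            findings.extend(scan_content(text))
            if path.suffix.lower() == ".csv":
                findings.extend(scan_csv(text))
        if findings:
            results[str(path.relative_to(root))] = findings
    return results


def build_sample_tree():
    """Constructed sample files (not the leaked ones) in a temp dir; returns its path."""
    root = Path(tempfile.mkdtemp(prefix="credhunt-"))
    (root / "AWS-Workspace-Firefox-Passwords.csv").write_text(
        "url,username,password\n"
        "https://vpn.example.gov,jdoe,Workspace2025\n"
        "https://jira.example.gov,jdoe,x7K!q2Lm#8vRz\n"
        "https://wiki.example.gov,jdoe,Confluence2026!\n"
    )
    # AKIAIOSFODNN7EXAMPLE is the placeholder key ID from AWS's own documentation.
    (root / "importantAWStokens").write_text("aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n")
    (root / "notes.md").write_text("Sprint notes, nothing sensitive here.\n")
    return root


if __name__ == "__main__":
    for rel, findings in hunt(build_sample_tree()).items():
        print(rel)
        for kind, detail in findings:
            print(f"  {kind}: {detail}")
```

Point `hunt()` at an export of a shared drive or at a working copy before it is pushed, and treat every finding as "move it to the password manager, then delete the file". The same `scan_content()` check, run from a Git pre-commit hook, is the do-it-yourself version of GitHub's push protection: it stops the token before it ever reaches a public repo, which is the only point at which stopping it is cheap.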

Turn the guardrails back on. If you have disabled email security warnings, MFA prompts, or browser warnings because they were annoying, turn them back on and follow the prompts. Setting up these guardrails can seem overwhelming, but once they are in place you barely notice them.

Audit who has admin access. Microsoft 365, Google Workspace, your cloud accounts, your bank, your payroll system. If you cannot answer in under a minute who holds admin in each, that is the audit you need. Related: the same access-control gap showed up in the IT twins case two weeks ago, where contractors kept admin credentials after their contract ended.

If you use GitHub for non-developer work, do not turn off secret scanning. It is on by default. Leave it on, and treat any alert it raises as a rotate-the-credential event, not a dismiss-the-warning event: once a secret has been pushed to a public repository it has to be assumed copied, and deleting the file or rewriting the commit afterwards does not undo that.

What the story doesn't claim

Nothing in this story implies AWS, GitHub, or the cloud are inherently insecure. One person made the same set of mistakes that people make every day. The consequences scaled with how sensitive the leaked material was, because it was federal credentials instead of a small-shop spreadsheet. The mistakes themselves are the same.

The chain of a real breach usually starts with whatever was easiest to compromise. Often that is a phishing email someone clicked. Sometimes it is a credential left somewhere convenient. The most exploited attack vector is still people.

Joel

If you've spotted your own version of this at work (a passwords spreadsheet, a sync habit, a guardrail nobody turned back on), I'd love to hear about it. You can reach me at joel@freshfromcache.com.

Source: KrebsOnSecurity: CISA Admin Leaked AWS GovCloud Keys on Github (May 18, 2026)
