GitHub leak exposed CISA, DHS GovCloud keys, internal credentials

A public GitHub repository tied to a contractor for the Cybersecurity and Infrastructure Security Agency (CISA) exposed credentials for highly privileged AWS GovCloud accounts and a wide range of internal CISA and Department of Homeland Security systems, according to security researchers and KrebsOnSecurity.
The exposure, if confirmed, represents a major operational security failure at the federal agency responsible for helping defend U.S. critical infrastructure from cyber threats.
The repository was reportedly connected to an employee of Nightwing, a Dulles, Virginia contractor with a long-running, privileged role in CISA cyber operations, software support, incident response, and federal network defense infrastructure.
Nightwing declined to comment and referred questions to CISA.
Nightwing used to be the cybersecurity division of Raytheon/RTX. A year ago, Nightwing, Raytheon, and RTX agreed to pay $8.4 million to resolve allegations by the Department of Justice that Raytheon violated the False Claims Act by failing to comply with cybersecurity requirements in contracts or subcontracts involving the Department of Defense.
The settlement is relevant because it involved the same business lineage and alleged failures to implement required cybersecurity controls on an internal development system used for federal work.
For CISA, the optics of the GitHub leak are especially damaging. The agency’s public role is to push federal agencies, state and local governments, election officials, private companies, and critical infrastructure operators toward stronger cyber hygiene.
A leak involving an agency contractor creates a credibility problem even if CISA ultimately determines that no sensitive data was accessed or exfiltrated.
In response to the disclosure, Sen. Maggie Hassan, a New Hampshire Democrat and senior member of the Senate Committee on Homeland Security & Governmental Affairs, on Tuesday requested an urgent classified briefing from acting CISA Director Nick Andersen.
Meanwhile, senior Democrats on the House Committee on Homeland Security separately demanded a briefing from Andersen.
“This reported incident raises serious questions about how such a security lapse could occur at the very agency charged with helping to prevent cyber breaches,” Hassan wrote.
Continuing, Hassan said “reporting raises serious concerns regarding CISA’s internal policies and procedures at a time of significant cybersecurity threats against U.S. critical infrastructure … The alleged data leak has also occurred against the backdrop of major disruptions internally at CISA.”
The incident raises broader questions about contractor oversight, secret management, cloud access controls, and the security of government software development pipelines at a time when CISA itself is operating under intensified political scrutiny and internal disruption.
CISA has experienced a significant reduction in its workforce during President Donald Trump’s second administration. Approximately one-third of CISA’s staff, around 1,000 employees including most of the agency’s top officials, have departed, bringing its headcount down to about 2,200.
The GitHub repository, reportedly named “Private-CISA,” was public until this past weekend, according to KrebsOnSecurity.
The repository reportedly belonged to a Nightwing employee working with CISA, and it contained cloud keys, authentication tokens, plaintext passwords, internal documentation, deployment logs, and files describing how the agency builds, tests, and deploys software.
Security experts who reviewed the material told journalist Brian Krebs that the archive included credentials for several highly privileged AWS GovCloud accounts and numerous internal CISA systems.
CISA has acknowledged that it is investigating the reported exposure but has not publicly confirmed all the technical details described by researchers.
A CISA spokesperson said the agency is aware of the matter and that “currently, there is no indication that any sensitive data was compromised as a result of this incident.” The agency also said it is working to implement additional safeguards to prevent similar occurrences.
The incident was first identified by Guillaume Valadon, a researcher at GitGuardian, a company that monitors public code repositories for exposed secrets.
Valadon said the repository was so sensitive that he initially wondered whether it was fake. He later told KrebsOnSecurity that it was “the worst leak” he had witnessed in his career.
According to reporting, the repository owner did not respond to automated warnings or outreach, prompting Valadon to seek help escalating the issue.
The material reportedly included a file named “importantAWStokens,” which contained administrative credentials for three AWS GovCloud accounts.
AWS GovCloud is a specialized cloud environment used by government agencies and contractors for sensitive workloads that must meet U.S. government compliance requirements.
While the mere exposure of keys does not prove that an attacker used them, researchers said the keys appeared valid when checked. (A key can be confirmed live without touching any data by making a read-only identity call such as AWS STS GetCallerIdentity, which returns the account and principal the key belongs to.) That distinction is important because valid cloud credentials provide immediate access to infrastructure, data, logs, configurations, and service permissions, limited only by how broadly the key is scoped.
Another file reportedly named “AWS-Workspace-Firefox-Passwords.csv” listed plaintext usernames and passwords for dozens of internal CISA systems. That kind of exposure compounds the risk because an attacker does not need to exploit a software vulnerability when valid credentials are available in a public repository.
Passwords and tokens can also be copied, reused, or tested across connected systems before defenders even know they have been exposed.
If the repository was public for months, as is believed, investigators will need to determine not only when the material became accessible, but whether it was cloned, indexed, downloaded, or accessed by unauthorized users.
Public GitHub repositories can be scraped quickly by automated systems, including benign scanners, criminal actors, and foreign intelligence services. Even if the repository was later removed, the data may have persisted elsewhere.
The reported contents also raise concerns beyond simple account access. Security experts said the repository included information about CISA’s internal software development and deployment processes.
One researcher, Philippe Caturegli of Seralys, said the exposed material included plaintext credentials for CISA’s internal artifactory, an artifact repository used to store software packages and build artifacts.
If an artifact repository is compromised, it creates a software supply chain risk: an attacker with write access can tamper with trusted packages, insert malicious code, or poison later builds that pull from it, and every downstream deployment inherits the tampered artifact.
The episode highlights the danger of storing secrets in code repositories, especially public ones. GitHub and similar platforms are essential to modern software development, but they are also a common source of credential exposure when developers accidentally commit passwords, tokens, SSH keys, API keys, configuration files, or environment variables.
Once a secret is committed, deleting the visible file is not enough: the secret remains in the commit history, and in any clone or fork made while the repository was public, until the history is rewritten. Because rewriting history does nothing about copies already taken, the only reliable remedy is to revoke and rotate the credential.
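The point above, that a secret deleted at the current checkout still sits in earlier commits, is easy to see by scanning every commit rather than only the working tree. The following is an added example written for this article, not code from CISA, Nightwing, GitGuardian or any other party it describes. The repository history is constructed in memory so it runs offline (a real scan would walk `git rev-list --all` and read each commit's tree the same way), and the key values are the placeholder credentials used in AWS documentation, not live keys. The file names and the detector regexes are this example's own assumptions.

```python
"""Scan a repository history for leaked credentials, commit by commit.

Added example: not code from the article or from any organisation it names.
The history below is constructed inline; the AWS key values are the
documentation placeholders AKIAIOSFODNN7EXAMPLE / wJalr...EXAMPLEKEY.
"""
import re
from dataclasses import dataclass

# Detectors (assumed for this example): AWS access key IDs (long-term keys
# start with AKIA, temporary ones with ASIA), a 40-character value assigned
# to an aws_secret_access_key variable, and any plaintext password
# assignment. Where a pattern has a group, group 1 is the secret value.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    "plaintext_password": re.compile(r"(?i)password\s*[=:]\s*(\S+)"),
}


@dataclass(frozen=True)
class Finding:
    commit_index: int   # position in history, 0 = oldest
    path: str
    line: int           # 1-based line number inside the file
    kind: str
    secret: str


def scan_tree(tree: dict, commit_index: int = -1) -> list:
    """Scan one commit's tree ({path: file content}) and return every hit."""
    findings = []
    for path, content in sorted(tree.items()):
        for lineno, text in enumerate(content.splitlines(), start=1):
            for kind, pattern in PATTERNS.items():
                for m in pattern.finditer(text):
                    findings.append(Finding(commit_index, path, lineno, kind,
                                            m.group(m.lastindex or 0)))
    return findings


def scan_head(history: list) -> list:
    """What a file-level check of the current checkout sees: only HEAD."""
    return scan_tree(history[-1]["tree"], len(history) - 1)


def scan_history(history: list) -> list:
    """What anyone who cloned the repository sees: every commit's tree."""
    findings = []
    for i, commit in enumerate(history):
        findings.extend(scan_tree(commit["tree"], i))
    return findings


def leaked_secrets(history: list) -> set:
    """Distinct secret values present anywhere in history. Each must be
    revoked and rotated whether or not HEAD still contains it."""
    return {f.secret for f in scan_history(history)}


# Constructed sample history (hypothetical): commit 1 adds a tokens file and
# a deploy script with an embedded password; commit 2 deletes the tokens
# file but forgets the script. The tokens file is gone from HEAD, yet its
# contents are still reachable through commit 1.
README = "# deploy\nRun ./deploy.sh\n"
DEPLOY_SH = "#!/bin/sh\nDB_PASSWORD=Sup3rS3cret!\n./migrate --db prod\n"
TOKENS = ("AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
          "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n")
SAMPLE_HISTORY = [
    {"message": "initial import",
     "tree": {"README.md": README}},
    {"message": "add deploy script and aws tokens",
     "tree": {"README.md": README, "deploy.sh": DEPLOY_SH,
              "importantAWStokens": TOKENS}},
    {"message": "remove tokens file",
     "tree": {"README.md": README, "deploy.sh": DEPLOY_SH}},
]


if __name__ == "__main__":
    print("HEAD only:")
    for f in scan_head(SAMPLE_HISTORY):
        print(f"  {f.path}:{f.line} {f.kind} {f.secret}")
    print("Full history:")
    for f in scan_history(SAMPLE_HISTORY):
        print(f"  commit {f.commit_index} {f.path}:{f.line} {f.kind} {f.secret}")
    print("Credentials to revoke:", sorted(leaked_secrets(SAMPLE_HISTORY)))
```

Run against the sample, the HEAD-only scan reports just the password in `deploy.sh`, while the history scan also surfaces both AWS values from the deleted `importantAWStokens` at commit 1. The set returned by `leaked_secrets` is the rotation list: revoking those keys is the step that actually closes the exposure, and a history rewrite (for example with `git filter-repo`) only limits what future cloners see.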
The most immediate unanswered question is whether anyone used the exposed credentials maliciously. CISA’s statement that it has no current indication sensitive data was compromised is important, but it is not the same as saying the exposure created no risk.
The agency’s final assessment will depend on whether it can reconstruct access activity across GitHub, AWS GovCloud, internal systems, and software development environments.