Sensitive access credentials for internal systems and cloud environments belonging to the U.S. cybersecurity watchdog Cybersecurity and Infrastructure Security Agency (CISA) have been publicly exposed on GitHub.
This was reported by Brian Krebs on his site KrebsOnSecurity. According to security researchers, the data included AWS GovCloud keys, plaintext passwords, and internal DevSecOps files.
The data was stored in a public GitHub repository named Private-CISA, which, according to KrebsOnSecurity, was managed by a CISA contractor. Researchers from security firms GitGuardian and Seralys discovered that the repository provided access to various internal environments and software repositories of the U.S. government.
GovCloud accounts accessible
According to researchers, the leaked files contained administrative keys for multiple AWS GovCloud accounts. AWS GovCloud is a secure cloud environment from Amazon Web Services specifically designed for sensitive U.S. government data.
Researchers from security firm Seralys also say they confirmed that multiple leaked AWS GovCloud accounts were in fact accessible, and with high privileges. The repository is also said to have contained CSV files with plaintext usernames and passwords for internal CISA systems.
Furthermore, credentials for internal software repositories and build environments were reportedly leaked. Philippe Caturegli of Seralys warns that access to such repositories is attractive to attackers seeking to embed malware or backdoors into software builds. As a result, compromises could spread further within government environments.
GitHub security disabled
According to GitGuardian, the repository administrator had also disabled GitHub's secret scanning push protection, the feature that normally blocks a push containing recognizable secrets such as cloud access keys or passwords before it reaches a public repository. Ars Technica reports that the repository was likely publicly accessible as early as November 2025.
Researchers also found passwords that were relatively easy to guess, such as combinations of platform names with the current year. KrebsOnSecurity reports that the repository was likely used as a synchronization point between the contractor’s various devices.
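The two failures described above, credentials and plaintext password files committed to a repository with push protection turned off and passwords built from a platform name plus the year, are both things a local pre-commit scan can catch. The following is an added example, not code from the original report or from GitGuardian, Seralys, or CISA: a small scanner that flags AWS access key IDs, AWS secret keys, password columns in CSV files, and "name + year" passwords. The sample files are constructed, the AWS values are the example key pair from AWS's own documentation, and the regular expressions and weak-password heuristic are assumptions, not any vendor's detection rules.

```python
"""Scan repository files for leaked AWS keys and plaintext credential files.

Added example for this article. Not code from CISA, GitGuardian, Seralys,
or KrebsOnSecurity; the patterns and sample inputs below are assumptions.
"""
import csv
import io
import re
from collections import Counter
from dataclasses import dataclass

# AWS access key IDs are 20 characters: AKIA for long-term IAM keys,
# ASIA for temporary STS keys, followed by 16 uppercase alphanumerics.
AWS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# A 40-character secret following an aws_secret_access_key assignment
# (credentials files, .env files, shell exports).
AWS_SECRET_RE = re.compile(
    r"aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])",
    re.IGNORECASE,
)

# Heuristic for the "platform name + year" passwords the article describes:
# a word, an optional separator, a four-digit year, optional trailing symbols.
YEAR_PASSWORD_RE = re.compile(r"^[A-Za-z]{3,}[^A-Za-z0-9]?(?:19|20)\d{2}[^A-Za-z0-9]{0,2}$")

# CSV column names that usually hold secrets.
PASSWORD_COLUMN_RE = re.compile(r"pass(word)?|pwd|secret", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    detail: str


def scan_csv(path, text):
    """Flag every non-empty value in a password-like column; also flag weak ones."""
    findings = []
    reader = csv.DictReader(io.StringIO(text))
    pw_cols = [c for c in (reader.fieldnames or []) if PASSWORD_COLUMN_RE.search(c)]
    if not pw_cols:
        return findings
    for rownum, row in enumerate(reader, 2):  # row 1 is the header line
        for col in pw_cols:
            value = (row.get(col) or "").strip()
            if not value:
                continue
            # Report the column, not the value, so the scanner output is not a second leak.
            findings.append(Finding(path, rownum, "plaintext_password", f"column {col!r}"))
            if YEAR_PASSWORD_RE.match(value):
                findings.append(Finding(path, rownum, "weak_year_password", value))
    return findings


def scan_text(path, text):
    """Line-by-line scan for AWS key material, plus CSV handling for .csv files."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in AWS_KEY_ID_RE.finditer(line):
            findings.append(Finding(path, lineno, "aws_access_key_id", m.group(0)))
        for m in AWS_SECRET_RE.finditer(line):
            findings.append(Finding(path, lineno, "aws_secret_access_key", m.group(1)[:4] + "..."))
    if path.lower().endswith(".csv"):
        findings.extend(scan_csv(path, text))
    return findings


def scan_files(files):
    """files: mapping of path -> file contents (a git index or working tree in practice)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def summarize(findings):
    """Count findings by kind; a non-empty result is what a pre-commit hook would fail on."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample repository. The AWS key pair is the documented AWS
# example pair and is not valid anywhere; hostnames and passwords are made up.
SAMPLE_FILES = {
    "README.md": "Sync repo for my laptops. Never commit AKIA keys here.\n",
    ".aws/credentials": (
        "[govcloud-admin]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "region = us-gov-west-1\n"
    ),
    "inventory/accounts.csv": (
        "hostname,username,password\n"
        "jenkins.internal.example,svc_build,Jenkins2025!\n"
        "vault.internal.example,admin,xK9#pL2v!qR7mN\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind} ({f.detail})")
    print(summarize(scan_files(SAMPLE_FILES)))
```

Wired into a pre-commit hook, a non-empty `summarize()` result would block the commit locally, which is the same check push protection performs server-side. Note that the scanner deliberately reports only the column name for plaintext passwords rather than the value, so its own output does not become another place the credentials are written down.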
CISA confirmed to KrebsOnSecurity that the incident is under investigation. According to the agency, there are currently no indications that sensitive data was actually misused. However, the agency says it is taking additional measures to prevent a recurrence.
Notably, according to researchers, some of the leaked AWS keys remained valid for approximately 48 hours after CISA was notified of the breach and the GitHub repository was taken offline. Taking a public repository down does not revoke anything: the keys stay valid until they are rotated in AWS, and anyone who cloned or mirrored the repository while it was public still holds a copy.
The repository is said to have been managed by an employee of Nightwing, an American contractor that works for government agencies. Nightwing referred KrebsOnSecurity’s questions to CISA.