CISA Contractor Exposed AWS GovCloud Credentials and Plaintext Passwords on GitHub for Months


A federal contractor employed by Nightwing maintained a public GitHub repository titled “Private-CISA” starting on November 13, 2025. The repository contained administrative credentials for three Amazon AWS GovCloud accounts and dozens of internal passwords stored in plaintext. The leak was discovered by Guillaume Valadon, an analyst at GitGuardian, and reported to KrebsOnSecurity on May 15, 2026, after the repository owner systematically ignored automated alerts and intentionally disabled GitHub's native secret detection features.

This incident was not the result of an external intrusion or a sophisticated cyberattack, but rather a persistent misconfiguration compounded by the intentional bypass of standard security protocols. For months, sensitive data belonging to the agency responsible for protecting U.S. critical infrastructure remained accessible to anyone. The severity of the case lies in the combination of human error and a failure in subcontractor auditing processes, revealing a structural vulnerability in identity and access management (IAM) within highly secure government cloud environments.

Key Takeaways
  • Prolonged Exposure: A public repository hosted CISA secrets from November 13, 2025, until mid-May 2026.
  • Security Bypass: The contractor manually disabled GitHub security features to upload credentials and plaintext passwords.
  • Revocation Latency: Administrative AWS keys remained valid for approximately 48 hours after the repository was taken offline.
  • Supply Chain Risk: The exposure included access to an internal artifactory, potentially allowing for malicious code injection into build processes.

FACTS: Key Elements of the Exposure
  • Repository: “Private-CISA,” public from November 13, 2025, until the weekend before May 18, 2026.
  • Critical Contents: File 'importantAWStokens' (AWS GovCloud access keys) and 'AWS-Workspace-Firefox-Passwords.csv' (plaintext passwords).
  • Impacted Systems: Three AWS GovCloud accounts and the internal LZ-DSO environment.
  • Technical Bypass: Manual deactivation of GitHub's secret detection features by the contractor.
  • Risk Window: AWS credentials remained active for approximately 48 hours after the repository was taken down.

The "Private-CISA" Repository: Timeline and Exposed Data

The “Private-CISA” repository was created on November 13, 2025, and remained publicly accessible until the weekend before May 18, 2026. While the exact removal date has not been officially confirmed, the exposure lasted roughly six months. During that period anyone could have cloned the repository, and a clone leaves no trace on the victim's side: the repository owner would see nothing, and the Cybersecurity and Infrastructure Security Agency (CISA) had no alarm to trigger.

Within the repository, a file named 'importantAWStokens' contained administrative credentials for three AWS GovCloud accounts. AWS GovCloud (US) is an isolated partition designed to host government workloads that must meet requirements such as FedRAMP and ITAR. Exposing high-privilege keys for such an environment is a tier-one risk: an AWS access key pair is a bearer credential, so whoever holds it can read sensitive data or change infrastructure configuration with no further authentication step.

A second critical file, 'AWS-Workspace-Firefox-Passwords.csv,' listed usernames and passwords for dozens of internal CISA systems in plain text, including the 'LZ-DSO' operating environment. Keeping plaintext passwords in a spreadsheet and syncing it through Git to a public repository points to a manual workflow with no centralized identity management and no encrypted vault in the loop.

Beyond these files, the repository contained credentials for the agency’s internal artifactory, the system that stores software artifacts and distributes packages used in internal development. Exposing those credentials could let an attacker inject malicious code directly into build processes. Despite the gravity of the leak, a CISA spokesperson stated there is currently no evidence of actual data compromise or unauthorized access by hostile actors.

Active Validation and the 48-Hour Revocation Gap

Guillaume Valadon’s initial discovery triggered an independent verification by Philippe Caturegli, a researcher at the cybersecurity firm Seralys. Caturegli tested the AWS keys found in the 'importantAWStokens' file. The tests confirmed that the credentials were not remnants of old configurations but live, operational keys that authenticated immediately to three AWS GovCloud accounts with elevated administrative privileges. Because AWS API credentials authenticate directly to the service endpoints, there was no network perimeter to cross.

The most critical aspect revealed by the validation was the persistence of the keys after the leak was discovered. According to the analysis, the AWS credentials remained active and fully functional for approximately 48 hours after the repository was removed from public view. This delay in revocation and rotation suggests a lack of synchronization between incident response teams and cloud infrastructure administrators, leaving a window of opportunity for post-discovery intrusions during remediation efforts.

The timeline for the complete rotation of all other passwords exposed in the CSV file has not been officially detailed, nor is it known if CISA initiated a global reset of all involved identities. This two-day interval raises questions about the agency's rapid response capabilities when facing incidents involving its own cloud infrastructure. In a national security context, key management should involve instantaneous invalidation upon the detection of public exposure.

EDITORIAL ANALYSIS: Shadow IT and Contractor Governance

The analysis indicates that the contractor had deliberately disabled GitHub's native secret detection, the secret scanning and push protection features that are designed to intercept tokens and passwords before or as they are pushed. Turning them off intentionally indicates a willingness to circumvent security controls to make a personal workflow more convenient, and it removed the one control that would have stopped the first push of an AWS key. The automated alerts that did reach the repository owner went unanswered.

The contractor's behavior does not appear to reflect malicious intent, but rather a classic case of "Shadow IT": using GitHub as a "scratchpad" to sync data between home and work devices. This effectively turns a collaborator's personal computer into an unprotected extension of the federal network. The risk extends to the supply chain: with artifactory credentials exposed, an attacker could move laterally and compromise software packages before distribution.
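To show what the disabled detector would have matched in the two files named above, here is an added example written for this article; it is not GitHub's or GitGuardian's engine. It scans a set of files for AWS access key IDs, reports a secret access key only when one sits within three lines of a key ID, recognizes the column layout of a Firefox saved-logins export, and, for each key ID, recovers the AWS account ID that the key ID encodes (a publicly documented property of the key ID format) so a responder can say which account a key opens without ever presenting it to AWS. All inputs are constructed: the key ID is synthetic, the secret is the placeholder from AWS's own documentation, and the hostnames are invented.

```python
"""Secret scanner for the two file types in the Private-CISA leak.

Added example for this article; not GitHub's or GitGuardian's detector.
All inputs below are constructed: the key ID is synthetic and the secret is
the placeholder value from AWS's documentation.
"""
import base64
import csv
import io
import re

# Access key IDs: 4-letter prefix (AKIA = long-term IAM user key,
# ASIA = temporary STS key) followed by 16 base32 characters (A-Z, 2-7).
AWS_KEY_ID = re.compile(r"\b((?:AKIA|ASIA)[A-Z2-7]{16})\b")
# Secret access keys are 40 characters from the base64 alphabet. On its own
# that pattern is noisy, so a candidate is only reported near a key ID.
AWS_SECRET = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")
# Columns Firefox writes when exporting saved logins to CSV (assumed stable).
FIREFOX_EXPORT_COLUMNS = {"url", "username", "password", "formactionorigin"}


def account_id_from_key_id(key_id: str) -> str:
    """Recover the 12-digit account ID encoded in an access key ID.

    Encoding documented publicly in 2024: base32-decode the 16 characters
    after the prefix, read the first 6 bytes big-endian, mask with
    0x7fffffffff80 and shift right by 7.
    """
    raw = base64.b32decode(key_id[4:])
    value = int.from_bytes(raw[:6], "big")
    return f"{(value & 0x7FFFFFFFFF80) >> 7:012d}"


def synthetic_key_id(account_id: int, prefix: str = "AKIA") -> str:
    """Inverse of account_id_from_key_id, used only to build sample input.
    The low 7 bits and trailing 4 bytes carry no account data and are zero
    here; the result is not a valid credential."""
    six = (account_id << 7).to_bytes(6, "big")
    return prefix + base64.b32encode(six + b"\x00" * 4).decode()


def is_firefox_login_export(text: str) -> bool:
    """True if the first CSV row carries the Firefox login-export columns."""
    try:
        header = next(csv.reader(io.StringIO(text)))
    except StopIteration:
        return False
    return FIREFOX_EXPORT_COLUMNS <= {c.strip().lower() for c in header}


def scan_file(name: str, text: str) -> list:
    """Return findings for one file. Secret values are redacted so the
    scanner's own report does not become a second leak."""
    findings, key_lines = [], []
    lines = text.splitlines()
    for n, line in enumerate(lines, 1):
        for m in AWS_KEY_ID.finditer(line):
            key_id = m.group(1)
            key_lines.append(n)
            findings.append({"file": name, "line": n, "type": "aws_access_key_id",
                             "value": key_id,
                             "long_term": key_id.startswith("AKIA"),
                             "account_id": account_id_from_key_id(key_id)})
    for n, line in enumerate(lines, 1):
        if not any(0 <= n - k <= 3 for k in key_lines):
            continue
        for m in AWS_SECRET.finditer(line):
            secret = m.group(1)
            findings.append({"file": name, "line": n, "type": "aws_secret_access_key",
                             "value": secret[:4] + "..." + secret[-4:]})
    if is_firefox_login_export(text):
        rows = list(csv.DictReader(io.StringIO(text)))
        findings.append({"file": name, "line": 1, "type": "firefox_login_export",
                         "value": f"{len(rows)} saved logins in plaintext"})
    return findings


def scan_repo(files: dict) -> list:
    """Scan a {path: contents} mapping, e.g. every blob of a cloned repo."""
    return [f for name, text in files.items() for f in scan_file(name, text)]


# Constructed stand-in for the leaked repository (not its real contents).
SAMPLE_FILES = {
    "importantAWStokens": (
        "# govcloud admin\n"
        f"aws_access_key_id = {synthetic_key_id(123456789012)}\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "AWS-Workspace-Firefox-Passwords.csv": (
        '"url","username","password","httpRealm","formActionOrigin","guid",'
        '"timeCreated","timeLastUsed","timePasswordChanged"\n'
        '"https://intranet.example","svc_admin","Winter2025!","",'
        '"https://intranet.example","{00000000-0000-0000-0000-000000000000}","0","0","0"\n'
    ),
}

if __name__ == "__main__":
    for finding in scan_repo(SAMPLE_FILES):
        print(finding)
```

Run against a clone, the scanner should be pointed at every revision (for example the output of `git rev-list --all` fed to `git show`), not only the working tree, because a secret removed in a later commit is still in the history. The account ID is derived offline; nothing in the example touches AWS.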

Internal Artifactory Access and Supply Chain Risks

The presence of credentials for CISA’s internal artifactory within the leak adds a software supply chain dimension to the risk. The artifactory is the hub where packages and libraries used to assemble government software are stored. Write access to it would let an attacker replace legitimate artifacts with trojaned versions carrying backdoors or silent malware, which every subsequent build would then pull in and ship.

"That would be a prime place to move laterally. Backdoor in some software packages, and every time they build something new they deploy your backdoor left and right." — Philippe Caturegli, Seralys

While there is currently no evidence of malicious access to the artifactory, the mere technical possibility that an attacker could have acted undisturbed for months is a source of extreme concern. The coexistence of cloud tokens, plaintext system passwords, and development keys in the same public repository suggests a total lack of privilege segmentation. While the contractor's identity has not been released, the firm Nightwing is now under scrutiny regarding its internal security policies.

Mitigation and Governance Best Practices

For CISOs, federal contractors, and security auditors, the CISA incident necessitates an immediate review of secret management procedures. The following operational checklist should be considered:

  • Continuous Repository Auditing: Implement systematic scans of GitHub, GitLab, and Bitbucket, covering not only corporate repositories but also known public profiles of contractors and consultants with access to critical infrastructure.
  • Centralized IAM Policy: Eliminate the use of long-term AWS keys in favor of IAM roles and temporary tokens. Technically prevent authentication via static credentials wherever possible.
  • Immediate Revocation Protocols: Define "kill switch" protocols to ensure compromised credentials are revoked within minutes of a leak being detected.
  • Prohibition of Personal Synchronization: Contractually enforce a ban on using public cloud synchronization tools for data or configurations related to government projects.
  • Build Integrity Verification: Compare the checksums of every artifact in internal artifactories against known-good values (upstream publisher hashes, signatures, or build provenance records) to rule out manipulation during the six-month exposure window.
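The first two checklist items, finding every static key so it can be retired and revoking fast once a leak is known, both start from the same inventory. The following is an added example written for this article, not CISA's or AWS's tooling: it reads a credential report in the column layout that `aws iam get-credential-report` returns and flags every active long-term key, marks keys past a rotation limit, records whether a key was used while the repository was public, and flags console users without MFA. The report text is a constructed sample; every user name, ARN and timestamp in it is invented, and the exposure window is the one the article gives.

```python
"""Audit an IAM credential report for the credential classes this leak exposed.

Added example for this article, not CISA's or AWS's tooling. The report below
is a constructed sample in the column layout of `aws iam get-credential-report`;
every user, ARN and timestamp is invented.
"""
import csv
import io
from datetime import datetime, timezone

CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws-us-gov:iam::123456789012:root,2024-01-10T09:00:00+00:00,not_supported,2026-05-01T10:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
govcloud-admin,arn:aws-us-gov:iam::123456789012:user/govcloud-admin,2025-09-02T14:10:00+00:00,true,2026-05-12T08:30:00+00:00,2025-09-02T14:10:00+00:00,N/A,false,true,2025-09-02T14:11:00+00:00,2026-05-17T03:45:00+00:00,us-gov-west-1,iam,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws-us-gov:iam::123456789012:user/ci-deploy,2025-11-20T11:00:00+00:00,false,no_information,N/A,N/A,false,true,2026-04-01T11:00:00+00:00,2026-05-18T01:00:00+00:00,us-gov-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

EXPOSURE_START = datetime(2025, 11, 13, tzinfo=timezone.utc)   # repo went public
REPORT_TIME = datetime(2026, 5, 18, 12, 0, tzinfo=timezone.utc)  # when the audit runs


def _ts(value: str):
    """Report timestamps are ISO 8601; the N/A-style markers become None."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def parse_report(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def audit(rows: list, now: datetime, exposure_start: datetime = EXPOSURE_START,
          max_key_age_days: int = 90) -> list:
    """One finding per active long-term key (there should be none once humans
    and workloads use role-based temporary credentials) plus one per console
    user without MFA."""
    findings = []
    for row in rows:
        user = row["user"]
        for slot in (1, 2):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _ts(row[f"access_key_{slot}_last_rotated"])
            last_used = _ts(row[f"access_key_{slot}_last_used_date"])
            age_days = (now - rotated).days if rotated else None
            findings.append({
                "user": user, "finding": "long_term_key", "key_slot": slot,
                "age_days": age_days,
                "stale": age_days is not None and age_days > max_key_age_days,
                "used_during_exposure": last_used is not None
                                        and exposure_start <= last_used <= now,
                "last_used_service": row[f"access_key_{slot}_last_used_service"],
            })
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append({"user": user, "finding": "console_without_mfa"})
    return findings


def summarize(findings: list) -> dict:
    """Counts a responder can put in the first status update."""
    return {
        "long_term_keys": sum(f["finding"] == "long_term_key" for f in findings),
        "stale_keys": sum(f.get("stale", False) for f in findings),
        "keys_used_during_exposure": sum(f.get("used_during_exposure", False) for f in findings),
        "console_without_mfa": sum(f["finding"] == "console_without_mfa" for f in findings),
    }


if __name__ == "__main__":
    results = audit(parse_report(CREDENTIAL_REPORT), REPORT_TIME)
    for finding in results:
        print(finding)
    print(summarize(results))
```

The report does not carry access key IDs, so the revocation step for a flagged user is `aws iam list-access-keys --user-name <user>` followed by `aws iam update-access-key --user-name <user> --access-key-id <id> --status Inactive` (and `delete-access-key` once rotation is confirmed); in GovCloud the CLI profile must point at the `us-gov-west-1` or `us-gov-east-1` region. Temporary credentials issued through roles never appear in this report, which is the point of moving to them.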

The incident affecting CISA is not a technological defeat caused by a zero-day vulnerability, but the result of identity governance failing in the face of individual habits. The maturity of an organization is measured not only by the quality of its firewalls but by its ability to prevent the intentional bypass of a single native control from jeopardizing an entire government cloud infrastructure and public trust.

Q&A

Why did the AWS keys remain valid for 48 hours after the repository was removed?

No official reason has been provided. The delay suggests a latency in internal incident response processes or a failure in timely communication between external researchers and CISA’s AWS GovCloud administrators during the critical revocation phase.

What is the specific risk of the artifactory exposure?

The exposure of artifactory credentials potentially allows for the injection of malicious code into software builds. This could transform a simple credential leak into a large-scale supply chain attack, where malware is distributed as a legitimate update.
