CISA Faces Congressional Scrutiny After Months-Long AWS GovCloud Credential Leak on GitHub

Senator Maggie Hassan has demanded a classified briefing from CISA following the discovery of a public GitHub repository that exposed high-privilege AWS keys,…

Senator Maggie Hassan has issued a formal letter to CISA’s Acting Director, Nick Andersen, demanding a classified briefing and written responses by June 5. This marks the most significant congressional escalation since the May 14 discovery of a public GitHub repository titled "Private-CISA." For nearly six months, the repository exposed AWS GovCloud credentials, plaintext passwords, and internal secrets, turning a major technical failure into a high-stakes test of political accountability for the nation’s lead cybersecurity agency.

Key Takeaways
  • A public repository managed by a Nightwing contractor exposed approximately 844MB of sensitive data starting November 13, 2025, including high-privilege AWS GovCloud keys.
  • GitGuardian researcher Guillaume Valadon discovered explicit commands within the repository used to disable GitHub’s native secret-blocking and detection features.
  • According to tests by independent researcher Philippe Caturegli of Seralys, the exposed AWS keys remained valid for approximately 48 hours after the repository was taken offline.
  • While CISA maintains there is no evidence of data compromise, members of Congress including Hassan, Thompson, and Ramirez are demanding detailed forensic answers.

Inside the 'Private-CISA' Repository

According to GitHub metadata, the repository was created on November 13, 2025, and presented an exceptionally broad attack surface. Beyond the 844MB of total data, it contained a file named 'AWS-Workspace-Firefox-Passwords.csv' housing internal plaintext credentials, an 'importantAWStokens' file with admin credentials, and a directory titled 'ENTRA ID - SAML Certificates/' containing certificates for federated authentication.

Guillaume Valadon, the GitGuardian researcher who first identified the repository, characterized the exposure as the "worst leak" of his career. In a technical analysis, he noted that the material provided "a detailed view into the agency's cloud infrastructure, deployment flows, software supply-chain tools, and internal operational practices."

The nature of the data—which included not just isolated credentials but blueprints of the entire operational stack—makes this incident qualitatively different from a standard API key exposure. The leaked CI/CD logs and Kubernetes manifests could have allowed a threat actor to map CISA’s system architecture and identify entry points for lateral movement.

Active Keys and Bypassed Security Controls

The risk was not limited to historical exposure. Philippe Caturegli, an independent researcher at Seralys, technically validated the exposed AWS keys and confirmed they could authenticate to three high-privilege AWS GovCloud accounts. Most alarming was the response timeline: the keys remained valid for roughly 48 hours after CISA removed the repository, leaving a window of vulnerability despite the agency’s intervention.

Further complicating the matter, commit logs revealed explicit commands to bypass GitHub’s default blocking of SSH keys and secrets. This indicates that whoever managed the repository was aware of existing security controls and made an active decision to circumvent them. Furthermore, passwords followed predictable patterns—such as the platform name followed by the current year—rendering them trivial to brute-force.

"Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature [...] This is indeed the worst leak that I've witnessed in my career." — Guillaume Valadon, GitGuardian

Caturegli highlighted the potential supply chain consequences: "It would be an ideal place to move laterally [...] Backdoor some software packages, and every time they build something new, they distribute your backdoor left and right." While not describing a confirmed attack, this illustrates the threat model enabled by the nature of the exposed data.

Congressional Escalation: Hassan’s 12 Questions

Senator Hassan’s letter, dated May 19, represents the political escalation of the incident. The New Hampshire Democrat is requesting a classified briefing and 12 specific written answers, setting a June 5 deadline. Her tone was pointed: "These reports raise serious concerns regarding CISA’s internal policies and procedures at a time of significant cybersecurity threats to United States critical infrastructure."

Hassan is not alone in her concern. Bennie Thompson, Ranking Member of the Homeland Security Committee, and Delia Ramirez, Ranking Member of the Cybersecurity Subcommittee, had previously requested a briefing on how the lapse occurred and what corrective actions are being taken. This bipartisan pressure suggests the incident may serve as legislative leverage, particularly as CISA navigates 2026 personnel and budget cuts.

CISA’s official position remains that no actual compromise has been detected. An agency spokesperson stated: "At this time, there are no indications that sensitive data has been compromised as a result of this incident." The agency added that it is implementing "additional safeguards," though it did not specify their nature.

Operational Recommendations and Best Practices

For organizations managing critical infrastructure or partnering with government contractors, the incident provides an immediate framework for risk mitigation:

  • Enforce GitHub Secrets Protection: Ensure that public and private repositories do not have local overrides for detection controls. Secret blocking should be enforced at the organizational level with no exceptions for individual users.
  • Audit Cloud Credentials and Force Rotation: Exposed keys must be revoked immediately. Organizations must also perform active verification of invalidation across cloud services, as propagation can sometimes take hours or days.
  • Inspect Personal Sync Repositories: Audit whether employees or contractors are using GitHub as a "scratchpad" for backups or operational file syncing—a practice not confirmed as authorized by either CISA or Nightwing.
  • Validate Enterprise Password Schemas: Eliminate predictable patterns (e.g., ServiceName+Year) and implement random generation via enterprise credential managers for all cloud and administrative access.
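As an added illustration of the last two recommendations (example code written for this page, not code from the article or from any party it names), the following Python audit flags the two failure modes described above in a constructed password CSV: passwords that are just a service name plus a year, and AWS access key IDs kept in a spreadsheet. The CSV rows, service names and secrets are constructed for the example.

```python
import csv
import io
import re

# Constructed sample in the spirit of the plaintext password CSV the article
# describes. Every service name, user and secret below is made up.
SAMPLE_CSV = """service,username,password
workspace-portal,admin,Workspace2025
vault,ops,Vault2026!
jenkins,svc-build,x7Q!m2#pL9vR@tz4
aws-govcloud,deploy,AKIAEXAMPLE0000000AB
"""

# Long-term AWS access key IDs start with AKIA (ASIA for temporary ones).
AWS_ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
YEARS = range(2000, 2031)  # fixed range keeps the check deterministic


def _alnum(s: str) -> str:
    """Lower-case and drop punctuation so 'Vault2026!' compares as 'vault2026'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def is_predictable(service: str, password: str) -> bool:
    """True when the password is (part of) the service name plus a year,
    ignoring case and punctuation, e.g. 'Vault2026!' for service 'vault'."""
    pw = _alnum(password)
    tokens = set(re.split(r"[^a-z0-9]+", service.lower())) | {_alnum(service)}
    tokens.discard("")
    return any(pw == f"{tok}{year}" for tok in tokens for year in YEARS)


def audit_password_csv(text: str) -> list:
    """Return (service, finding) pairs for rows that violate the
    'no predictable schema, no cloud keys in spreadsheets' rule."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        service, secret = row["service"], row["password"]
        if AWS_ACCESS_KEY_RE.search(secret):
            findings.append((service, "aws-access-key-id-in-csv"))
        elif is_predictable(service, secret):
            findings.append((service, "predictable-service-plus-year"))
    return findings


if __name__ == "__main__":
    for service, finding in audit_password_csv(SAMPLE_CSV):
        print(f"{service}: {finding}")
```

A key ID flagged this way should be treated as exposed and rotated, then re-tested against the cloud provider until the old key is refused, since the article notes revocation can lag removal of the file.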

The Accountability Test: CISA’s Governance Gap

This incident highlights a structural contradiction: CISA is the agency tasked with prescribing cybersecurity standards for the rest of the nation, yet this leak occurred within its own supply chain. The repository managed by a Nightwing contractor—whose exact role within CISA has not been made public—operated for months using practices that violate fundamental secret management principles.

The nearly six-month duration of the exposure raises questions about the third-party oversight CISA applies to its vendors. It remains unknown if the practice of syncing data to GitHub was authorized or even known by the contractor’s supervisors. This governance "gray zone" is likely at the heart of Hassan’s 12 questions.

Internal U.S. politics adds another layer of pressure. While some members of Congress have pointed to CISA’s 2026 budget and personnel cuts as a potential contributing factor, there is currently no evidence linking those cuts directly to the repository’s management. However, the timing makes it inevitable that the leak will be used as a talking point in debates over agency funding.

Finally, there remains a lack of visibility into whether any unauthorized actors accessed the data during the exposure window. Without conclusive logs of downloads or exploitation, CISA can maintain its stance of "no indication of compromise"—but in the realm of cyber intelligence, the absence of evidence is not necessarily evidence of absence.

Frequently Asked Questions

Why did the AWS keys remain valid after the repository was deleted?

Deleting a GitHub repository does not automatically revoke the credentials contained within it. Key rotation requires a separate administrative action within the cloud provider's console. In this case, that action was not performed immediately, leaving a 48-hour window of risk.

Who is Nightwing and what was their role?

Nightwing is a contractor providing services to CISA. The 'Private-CISA' repository was managed by a Nightwing contractor, but the specific role of that individual and any resulting disciplinary actions have not been disclosed by available sources.

Is this leak linked to CISA’s budget cuts?

While some lawmakers have raised this possibility, there is currently no evidence directly linking budget constraints to the specific failure of secret detection or repository management. It remains a subject of political debate rather than a verified fact.
