CISA Contractor GitHub Repository Exposed AWS GovCloud Keys and Internal Credentials
A public GitHub repository tied to a contractor supporting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) exposed plaintext passwords, access tokens, cloud keys, logs, spreadsheets, and deployment files that could provide access to CISA and Department of Homeland Security internal and cloud systems. Researchers from GitGuardian and Seralys reported that the repository, named "Private-CISA", contained administrative credentials for three AWS GovCloud accounts as well as numerous credentials for internal CISA systems; some of the exposed secrets were verified as valid.
The repository was reportedly linked to a Nightwing employee and appears to have been used as an informal working scratchpad rather than a controlled code repository, with commit history indicating GitHub secret-scanning protections had been disabled. After alerts to the contractor reportedly went unanswered, the issue was escalated and the GitHub account was taken offline, but exposed AWS keys were said to remain valid for roughly 48 hours after disclosure. CISA said it is investigating and that it had no indication the credentials were abused, though the incident represents a significant security lapse at the federal agency responsible for civilian cybersecurity.

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
CISA still rotating exposed credentials more than a week after notification
Researchers said that more than a week after GitGuardian notified CISA of the exposed repository, the agency was still revoking and rotating leaked credentials. The remaining remediation reportedly included an RSA private key that could have enabled broad access to CISA's GitHub environment and CI/CD infrastructure.
Congressional Democrats demand briefings from CISA over credential leak
Lawmakers including Rep. Bennie Thompson, Rep. Delia Ramirez, and Sen. Maggie Hassan requested briefings from acting CISA Director Nick Andersen on the cause, impact, remediation, and oversight failures tied to the exposed GitHub repository. The request marked a congressional oversight response to the incident.
CISA says it is investigating and sees no evidence of compromise
CISA acknowledged the exposure and said it was investigating the incident. The agency stated there was no indication that sensitive data had been compromised as a result of the leak.
Contractor GitHub account is taken offline after notification
Following notification about the exposed repository, the contractor's GitHub account was removed from public access. Despite that action, reports said some exposed AWS GovCloud credentials remained valid for about 48 hours afterward.
Researchers escalate after contractor fails to respond to alerts
After attempts to notify the contractor about the exposed secrets did not receive a response, the researchers escalated the issue to prompt remediation. The exposure was characterized by one researcher as among the worst credential leaks he had seen.
Researchers discover exposed CISA and DHS credentials in GitHub repo
Security researchers from GitGuardian and Seralys found a public repository containing plaintext passwords, access tokens, AWS GovCloud keys, logs, spreadsheets, and deployment information tied to CISA and Department of Homeland Security systems. Some of the exposed credentials were verified as valid, indicating potential access to internal and cloud environments.
GitGuardian researcher discovers exposed 'Private-CISA' repo
GitGuardian researcher Guillaume Valadon found a publicly accessible GitHub repository named 'Private-CISA' containing extensive CISA-related secrets and infrastructure material. He reported the exposure to CISA on May 14 after determining the repository had been publicly accessible for roughly six months.
Contractor creates public GitHub repository tied to CISA work
A GitHub repository later identified as exposing sensitive CISA-related data was reportedly created by a contractor employee and linked to work supporting CISA. The repository was created publicly and became the location where credentials and operational files accumulated.


