A major security lapse has exposed highly sensitive U.S. government cloud credentials <\/a>after a contractor working with the Cybersecurity and Infrastructure Security Agency (CISA) accidentally published them in a public GitHub repository.<\/p>\n The repository, named \u201cPrivate-CISA,\u201d remained publicly accessible until mid-May 2026 and contained a wide range of sensitive data, including AWS GovCloud credentials, plaintext passwords, API tokens<\/a>, and internal system details.<\/p>\n Security researchers warn that this incident could rank among the most serious government-related data exposures in recent years.<\/p>\n Guillaume Valadon, a researcher at GitGuardian, first identified the issue. This firm continuously scans public repositories for exposed secrets.<\/p>\n According to Valadon, the repository contained \u201cextremely sensitive\u201d information, and attempts to alert the owner went unanswered at first.<\/p>\n The findings were later shared with KrebsOnSecurity, prompting further investigation.<\/p>\n Analysis revealed that the repository included administrative credentials for at least three AWS GovCloud environments, specifically designed to handle sensitive U.S. government workloads.<\/p>\n In addition, a file named \u201cAWS-Workspace-Firefox-Passwords.csv\u201d exposed dozens of plaintext usernames and passwords<\/a> tied to internal CISA systems, including a DevSecOps environment referred to as \u201cLZ-DSO.\u201d<\/p>\n Philippe Caturegli, founder of security consultancy Seralys, confirmed that some of the exposed AWS credentials<\/a> were still valid at the time of discovery and provided high-level access.<\/p>\n He noted that the repository also contained credentials for CISA\u2019s internal \u201cartifactory,\u201d a centralized system for storing and distributing software components.<\/p>\n This type of access could allow attackers to insert malicious code into software pipelines.<\/p>\n For example, if a threat actor compromised the artifactory, they could embed backdoors into legitimate software updates, potentially affecting multiple systems during deployment.<\/p>\n Researchers also highlighted poor security practices within the repository. Sensitive data was stored in plain text, and GitHub\u2019s<\/a> built-in secret scanning protections had been deliberately turned off.<\/p>\n Commit logs suggest the repository may have been used as a personal workspace or a file synchronization tool rather than as a secure development project.<\/p>\n \u201cThe patterns indicate this was likely used to sync files between different machines, possibly a work and home environment,\u201d Caturegli explained. \u201cBut that doesn\u2019t reduce the severity it actually makes it worse.\u201d<\/p>\n KrebsOnSecurity reported that<\/a> the exposed repository was linked to a contractor from Nightwing, a U.S.-based government services firm.<\/p>\n The account had been active since 2018, while the \u201cPrivate-CISA\u201d repository was created in November 2025.<\/p>\n Despite the repository being taken offline shortly after disclosure, the exposed AWS credentials reportedly remained valid for nearly 48 hours afterward, increasing the potential risk window.<\/p>\n CISA acknowledged the incident and stated that it is actively investigating. The agency noted there is currently no evidence of active exploitation but emphasized that additional safeguards are being implemented.<\/p>\n The exposure comes at a challenging time for CISA, which has reportedly lost a significant portion of its workforce due to budget cuts and restructuring.<\/p>\n Security experts warn that such operational pressures can increase the likelihood of misconfigurations and human error.<\/p>\n Overall, the incident underscores a critical lesson in cybersecurity: even highly sensitive environments can be compromised by basic mistakes such as poor credential management and unsafe development practices.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates.<\/strong><\/p>\n The post CISA Admin Exposes AWS GovCloud Credentials on Public GitHub Repository<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nGovCloud Credentials Exposed<\/strong><\/h2>\n
![\"screenshot](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEheCESxr3O4t6dk0Jom1HRY8Wv6vP1HuRBEVrZrEDsmHfJ1P6SpzCTt1QZyUf2_Zp7nLgCovBlhnhFChxaSMshjB3OMgYoihDbyhhykfem5tMW9pPdbMf1vG8OPwel9FghvCDCEfKKmAAPgCcaGJ1hYJ5WBQN2lJmz9p3alEiNuHJByvO5aG6KddYg4gtg\/s1600\/Screenshot%25202026-05-19%2520105718%2520%25281%2529.webp?ssl=1\")
![\"Private](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi-GKvdlLtBiBWFEiukC5CTfGRmVsb_bbzMmNAsP391I1SBepOje44uHbkYYtOqjekuhFTLnWbG_DL67TpjqEVXgSPaOxU3lnB6y6Fi6CTVX2w-3qsOMTkb7nrT0x6cxRdTo8ch4YSZjdvKYsL9zhNssRuQMfcj_BdvImj2MtplJhmVxObiIxEFmzpiKRM\/s1600\/Screenshot%25202026-05-19%2520105729%2520%25281%2529.webp?ssl=1\")