CISA Contractor Exposes AWS GovCloud Keys in Public GitHub Repo for Months
WASHINGTON — A contractor working for the Cybersecurity and Infrastructure Security Agency inadvertently exposed highly sensitive administrative credentials for multiple AWS GovCloud accounts and dozens of internal CISA systems on a public GitHub repository for at least six months, security researchers said Monday.
The breach, described by experts as one of the most serious government data leaks in recent years, involved plaintext passwords, cloud access tokens and detailed files showing how CISA builds, tests and deploys internal software. The repository remained publicly accessible until it was taken offline over the weekend after researchers notified the agency.
Guillaume Valadon, a researcher with GitGuardian, first flagged the exposure. His firm continuously scans public code repositories for leaked secrets. Valadon said he first attempted to contact the repository owner and, after receiving no response, reached out to CISA. A second researcher, Philippe Caturegli of Seralys, independently validated several of the exposed credentials.
The now-deleted repository, named "Private-CISA," was maintained by an employee of Nightwing, a government contractor based in Dulles, Virginia. It contained files such as "importantAWStokens" that granted high-level administrative access to at least three AWS GovCloud environments used by CISA. Another file, "AWS-Workspace-Firefox-Passwords.csv," listed plaintext usernames and passwords for numerous internal agency systems, including what appeared to be a secure development environment called "LZ-DSO."
Security experts who reviewed the exposed material expressed alarm at the scale and carelessness of the leak. Caturegli noted that the repository owner had deliberately disabled GitHub's built-in secret scanning feature, stored passwords in........