Full Report
Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how CISA builds, tests and deploys software internally, and that it represents one of the…
Analysis Summary
# Incident Report: CISA Contractor Credential Leak via Public GitHub
## Executive Summary
A CISA contractor inadvertently exposed highly privileged credentials and internal documentation by maintaining a public GitHub repository titled “Private-CISA.” The leak included AWS GovCloud keys, plaintext passwords, and software deployment secrets, potentially granting unauthorized access to critical government cloud infrastructure. The exposure was identified by security researchers, though the contractor initially failed to respond to automated and manual alerts.
## Incident Details
- **Discovery Date:** May 15, 2026
- **Incident Date:** Ongoing until late May 2026
- **Affected Organization:** Cybersecurity & Infrastructure Security Agency (CISA)
- **Sector:** Government / Critical Infrastructure
- **Geography:** United States
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-May 15, 2026
- **Vector:** Improper tool usage (internal files intentionally placed in a public repository)
- **Details:** A contractor created or moved internal CISA files to a public-facing GitHub repository named "Private-CISA," making sensitive secrets accessible to anyone on the internet.
### Lateral Movement
- **Details:** While no specific malicious lateral movement was reported in the article, the leaked credentials (AWS GovCloud keys) provided the direct means for an attacker to move from the public internet into CISA’s secure cloud environments.
### Data Exfiltration/Impact
- **Details:** Exposure of AWS GovCloud keys, cloud tokens, plaintext passwords, internal logs, and documentation detailing how CISA builds, tests, and deploys software.
### Detection & Response
- **Discovery:** Detected by GitGuardian researcher Guillaume Valadon through automated scanning of public repositories.
- **Response Actions:** The researcher attempted to contact the repository owner; after receiving no response, the incident was escalated to KrebsOnSecurity and, presumably, to CISA for remediation and repository takedown.
## Attack Methodology
- **Initial Access:** Publicly accessible Git repository (Leaked Secrets).
- **Persistence:** Not applicable (Incident was a data leak, though credentials could provide long-term access).
- **Privilege Escalation:** Exposed "highly privileged" AWS GovCloud keys.
- **Defense Evasion:** Use of a personal/contractor GitHub account bypassed internal enterprise security controls.
- **Credential Access:** Cloud keys, tokens, and plaintext passwords stored in code and logs.
- **Discovery:** Information regarding internal network architecture and deployment pipelines was included in the leak.
- **Lateral Movement:** Not observed, but enabled via exposed cloud credentials.
- **Collection:** Automated scanning by third-party security researchers/potential threat actors.
- **Exfiltration:** Public availability of data (Self-exfiltration by contractor).
- **Impact:** Compromise of CISA’s build/test/deploy integrity and cloud environment security.
## Impact Assessment
- **Financial:** Unknown; potential costs associated with credential rotation, forensic auditing, and contractor oversight.
- **Data Breach:** Exposure of highly sensitive administrative credentials and internal system architecture.
- **Operational:** Potential disruption required to rotate all affected keys and rebuild trust in deployment pipelines.
- **Reputational:** High; significant embarrassment for the agency responsible for the nation's cybersecurity.
## Indicators of Compromise
- **Network indicators:** hxxps[://]github[.]com/Private-CISA (Defanged)
- **File indicators:** Exposed .env files, cloud configuration scripts, and plaintext log files.
- **Behavioral indicators:** Contractor accounts committing internal secrets to non-enterprise-controlled public repositories.
## Response Actions
- **Containment:** Removal of the "Private-CISA" GitHub repository from public view.
- **Eradication:** Invalidation and rotation of all exposed AWS GovCloud keys, tokens, and passwords.
- **Recovery:** Audit of AWS logs to ensure no unauthorized access occurred during the exposure window.
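The recovery step above, auditing AWS logs for use of the exposed keys, as an added example that is not part of this report or of CISA's tooling. It reads constructed CloudTrail-style records (not real CISA data); the exposed key IDs, the exposure window, the trusted network range and the record fields are all assumptions. Each call made with an exposed key is classified by whether it fell inside the window, came from an untrusted address, or was a failed attempt after rotation:

```python
"""Audit CloudTrail-style records for activity by access keys known to have
been exposed. Added example with constructed data; not CISA's logs or tooling."""
import ipaddress
from datetime import datetime, timezone

# Hypothetical exposed key IDs (constructed; real IDs are 20 characters
# beginning with "AKIA").
EXPOSED_KEYS = {"AKIAEXAMPLELEAKED001", "AKIAEXAMPLELEAKED002"}

# Assumed exposure window. The report gives the discovery date (May 15, 2026)
# but not when the repository first went public, so in a real audit the start
# would be moved back to the earliest commit containing a secret.
WINDOW_START = datetime(2026, 5, 15, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 25, tzinfo=timezone.utc)

# Networks from which the organisation's own pipelines normally call AWS (assumed).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed CloudTrail-like records, trimmed to the fields the audit reads.
SAMPLE_RECORDS = [
    {"eventTime": "2026-05-10T09:12:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEEP00001"}},
    {"eventTime": "2026-05-16T03:41:10Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED001"}},
    {"eventTime": "2026-05-17T11:05:33Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.4.20",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED001"}},
    {"eventTime": "2026-05-26T22:10:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.9",
     "errorCode": "InvalidClientTokenId",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED001"}},
    {"eventTime": "2026-05-01T08:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED002"}},
]

# Lower number = more urgent.
SEVERITY = {
    "exposed_key_used_from_untrusted_ip": 0,
    "exposed_key_used_from_trusted_network": 1,
    "revoked_key_still_attempted": 2,
    "exposed_key_used_outside_window": 3,
}


def parse_event_time(value):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_trusted(ip_text):
    """True when the caller IP sits inside one of the assumed trusted networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # e.g. "AWS Internal" or a service principal: treat as untrusted
    return any(ip in net for net in TRUSTED_NETWORKS)


def classify(record):
    """Return a finding category for a record, or None if its key was not exposed."""
    key = record.get("userIdentity", {}).get("accessKeyId")
    if key not in EXPOSED_KEYS:
        return None
    when = parse_event_time(record["eventTime"])
    if when > WINDOW_END and "errorCode" in record:
        # A failed call after rotation shows someone still holds the old key.
        return "revoked_key_still_attempted"
    if when < WINDOW_START or when > WINDOW_END:
        return "exposed_key_used_outside_window"
    if is_trusted(record.get("sourceIPAddress", "")):
        return "exposed_key_used_from_trusted_network"
    return "exposed_key_used_from_untrusted_ip"


def audit(records):
    """Collect findings for exposed keys, most urgent first."""
    findings = []
    for record in records:
        category = classify(record)
        if category is None:
            continue
        findings.append({
            "category": category,
            "accessKeyId": record["userIdentity"]["accessKeyId"],
            "eventTime": record["eventTime"],
            "eventName": record["eventName"],
            "sourceIPAddress": record.get("sourceIPAddress", ""),
        })
    findings.sort(key=lambda f: (SEVERITY[f["category"]], f["eventTime"]))
    return findings


def summarize(findings):
    """Count findings per category, for the incident record."""
    counts = {}
    for f in findings:
        counts[f["category"]] = counts.get(f["category"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit(SAMPLE_RECORDS):
        print(f"{f['category']:<40} {f['eventTime']} {f['accessKeyId']} "
              f"{f['eventName']} from {f['sourceIPAddress']}")
```

The post-rotation category matters as much as the in-window one: a failed call with a revoked key is evidence that the key was harvested and is still in someone's hands, which justifies reviewing everything that key touched. Because the report only gives the discovery date, a real audit would push the window start back to the earliest commit that contained a secret rather than assume exposure began on the day it was noticed.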
## Lessons Learned
- **Key Takeaways:** Public repositories remain a primary source of high-impact credential leaks, even for sophisticated agencies.
- **Shortcomings:** The contractor failed to respond to automated security alerts, indicating a lack of monitoring or a failure in the incident response chain of command.
## Recommendations
- **Secrets Management:** Implement automated secrets detection (e.g., pre-commit hooks) on all developer workstations to prevent credentials from being committed to any repository.
- **Policy Enforcement:** Strictly prohibit the use of personal GitHub accounts for government-related code development.
- **Cloud Security:** Move toward short-lived, identity-based credentials (like AWS IAM Roles for tasks) rather than long-lived static access keys.
- **Contractor Oversight:** Mandate security training and continuous monitoring for third-party contractors handling sensitive infrastructure data.
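A minimal version of the Secrets Management recommendation, a pre-commit secrets check, as an added example (not the page's, CISA's, or any vendor's code). The detection rules, the placeholder filter and the sample .env content are constructed for illustration; the AWS values in the sample are the documentation placeholders AWS publishes, not live credentials:

```python
"""Pre-commit secrets check: refuse a commit whose staged files contain
credential-looking strings. Added example; not CISA's or any vendor's tooling."""
import re
import subprocess
import sys

# Detection rules: (name, compiled pattern). Group 1, when present, is the value.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("aws-secret-access-key", re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    ("password-assignment", re.compile(
        r"(?i)(?:password|passwd|pwd|secret|token)\s*[=:]\s*['\"]?([^'\"\s]{8,})")),
]

# Values that are references or dummies rather than secrets: ${VAR}, <fill me in>,
# {{ templated }}, or the usual placeholder words.
PLACEHOLDER = re.compile(
    r"^(?:\$\{?[A-Za-z_][A-Za-z0-9_]*\}?|<[^>]*>|\{\{.*\}\}|changeme|example|x{3,}|\*{3,})$",
    re.I)


def redact(value):
    """Show enough to locate the secret without echoing it into hook output."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(text, path="<stdin>"):
    """Return a list of findings for one file's content."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            for match in pattern.finditer(line):
                value = match.group(1) if match.groups() else match.group(0)
                if PLACEHOLDER.match(value):
                    continue
                findings.append({"path": path, "line": lineno, "rule": rule,
                                 "preview": redact(value)})
    return findings


def staged_files():
    """Paths added/copied/modified in the index (what the commit would contain)."""
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                         check=True, capture_output=True, text=True).stdout
    return [p for p in out.splitlines() if p]


def staged_content(path):
    """Read the staged blob, not the working tree, so unstaged edits cannot mask a secret."""
    return subprocess.run(["git", "show", f":{path}"], check=True,
                          capture_output=True, text=True, errors="replace").stdout


def main():
    """Hook entry point: non-zero exit blocks the commit."""
    findings = []
    for path in staged_files():
        findings.extend(scan_text(staged_content(path), path))
    for f in findings:
        print(f"{f['path']}:{f['line']}: {f['rule']} {f['preview']}", file=sys.stderr)
    if findings:
        print("commit blocked: remove the secret, then rotate it; it may already be in history",
              file=sys.stderr)
    return 1 if findings else 0


# Constructed sample of a leaked-looking .env file. The AWS values are the
# documentation placeholders AWS publishes, not live credentials.
SAMPLE_ENV = """# constructed sample
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DB_PASSWORD=${DB_PASSWORD}
ADMIN_PASSWORD=Sup3rSecretPassw0rd!
DEPLOY_TOKEN=<set in CI>
"""

# Constructed clean file: references and harmless settings only.
CLEAN_ENV = """AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
LOG_LEVEL=debug
"""

if __name__ == "__main__":
    sys.exit(main())
```

Copy it to `.git/hooks/pre-commit` (marked executable) or wire it in through a hook framework; it reads the staged blob with `git show :path` rather than the working tree, so an unstaged edit cannot hide what is actually being committed. Pattern matching like this catches the obvious cases (key IDs, secret keys, private key headers, password assignments) but does not replace scanning the repository history and the server side: a secret that reaches a public remote even briefly has to be treated as compromised and rotated, which is the situation the report describes.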