Full Report
Congress wants answers from the Cybersecurity and Infrastructure Security Agency about the reported public exposure of sensitive agency credential data on GitHub in an incident that the security researcher who discovered it called one of the worst leaks he’s ever seen. Other security professionals also voiced concern Tuesday about the leak and the potential for…
Analysis Summary
# Incident Report: Exposure of CISA AWS GovCloud and Internal System Credentials
## Executive Summary
A contractor working for the Cybersecurity and Infrastructure Security Agency (CISA) exposed highly sensitive credentials through a GitHub repository that was set to public. The leaked material reportedly included privileged access keys for AWS GovCloud accounts and credentials for internal CISA systems, and may have been exposed since November 2025. The researcher who found the repository described it as one of the worst leaks he had seen, and Congress has asked CISA for answers. Static keys that sit in a public repository for months must be treated as compromised whether or not misuse has been confirmed.
## Incident Details
- **Discovery Date:** Week of May 11, 2026
- **Incident Date:** Exposure began approximately November 2025
- **Affected Organization:** Cybersecurity and Infrastructure Security Agency (CISA)
- **Sector:** Government / Public Sector
- **Geography:** United States
## Timeline of Events
### Initial Access
- **Date/Time:** November 2025 (Estimated initiation of exposure)
- **Vector:** Repository visibility misconfiguration (a repository set to public on GitHub)
- **Details:** A repository titled "Private-CISA," apparently maintained by a third-party contractor, was public on GitHub, so its contents were indexed, searchable and clonable by anyone, including the automated secret scanners that both researchers and attackers run against new public commits.
### Lateral Movement
- **Details:** No evidence of malicious lateral movement is given in the report. The exposed credentials nonetheless provided the capability to go directly from a public GitHub repository to privileged AWS GovCloud accounts and internal agency systems, with no exploit required.
### Data Exfiltration/Impact
- **Details:** The confirmed impact is the exposure of administrative secrets, including AWS GovCloud access keys and internal system credentials. Whether anyone other than the contractor used them is not established in the source; the accounts involved reportedly carry high-privilege access to mission-critical government infrastructure.
### Detection & Response
- **How it was discovered:** Security firm GitGuardian identified the credentials during routine automated scanning of public repositories.
- **Response actions taken:** Congress has demanded a briefing from CISA Acting Director Nick Andersen. Security researchers flagged the leak for remediation; the specific containment steps taken by CISA were not detailed in the source.
## Attack Methodology
- **Initial Access:** Misconfiguration/Human Error (Contractor pushed secrets to a public repository).
- **Persistence:** Not an attacker action here; the static, long-lived keys simply remained valid for the months they were public, and they stay valid until revoked.
- **Privilege Escalation:** None needed. The keys were already privileged, so anyone who copied them had high-level access immediately.
- **Defense Evasion:** Not applicable; the exposure was accidental. The "Private-CISA" name concealed nothing, since the repository was public and indexed, and if anything it made the data easier to find.
- **Credential Access:** Plaintext credentials and API keys stored in source code.
- **Discovery:** Automated secret scanning of public repositories, a technique used by researchers and attackers alike.
- **Lateral Movement:** Possible pivot from the cloud accounts into internal systems using the exposed keys and credentials (a capability, not confirmed activity).
- **Collection:** Cloning or downloading the public repository.
- **Exfiltration:** Public disclosure. Anyone who cloned the repository during the exposure window holds a copy, and forks and caches can persist after the original is taken down.
- **Impact:** Potential for full compromise of the affected GovCloud accounts and of any internal systems reachable with the leaked credentials.
## Impact Assessment
- **Financial:** Unknown; incident response, log auditing and credential rotation costs are expected, but the number of credentials involved is not stated in the source.
- **Data Breach:** Exposure of privileged administrative credentials (identity-based breach).
- **Operational:** High risk to the integrity of internal CISA infrastructure and GovCloud services used by other agencies.
- **Reputational:** Severe; as the federal lead for cybersecurity, CISA's failure to prevent a basic credential leak through a contractor undermines its credibility.
## Indicators of Compromise
- **Network indicators:** None published. The source gives no attacker IPs; the useful search is CloudTrail activity in the affected GovCloud accounts in which the leaked access key IDs were used from source addresses the contractor does not own.
- **File indicators:** Repository name `Private-CISA` on `github[.]com`, and any local clone or fork of it.
- **Behavioral indicators:** Use of the leaked keys outside the contractor's normal hours or regions; creation of new IAM users, access keys or roles; policy attachments; and changes to logging (for example StopLogging or DeleteTrail) in GovCloud.
## Response Actions
- **Containment measures:** Make the repository private or remove it and delete forks; removal stops new discovery but does not recall copies already made.
- **Eradication steps:** Disable, then delete and replace every exposed AWS GovCloud access key and internal system credential, treating all of them as compromised regardless of whether misuse is found.
- **Recovery actions:** Audit CloudTrail and internal authentication logs across the full exposure window to determine whether unauthorized parties used the keys, and remove any persistence (new users, keys, roles, policies) they created.
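As an added example that is not part of the original report and not CISA's or the contractor's tooling, the following Python script performs the log audit described above and checks for the behavioral indicators listed in the previous section: it reads CloudTrail records, keeps those that used one of the leaked access key IDs inside the exposure window, and grades each by whether the call came from a source range the contractor owns and whether it was an IAM or logging action. The leaked key IDs, the trusted network, and the log records are all constructed for the example; only the CloudTrail field names are real.

```python
"""Triage a CloudTrail export for use of leaked long-lived AWS access keys."""
import json
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed for this example: access key IDs assumed to have been in the public
# repository. They are not from the incident. Long-term key IDs are 20 characters
# starting with "AKIA".
LEAKED_KEY_IDS = {"AKIAEXAMPLE0000000A1", "AKIAEXAMPLE0000000B2"}

# Constructed: egress range the contractor's CI and offices legitimately use.
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]

# IAM and logging API calls that suggest an intruder entrenching or escalating.
SENSITIVE_EVENTS = {
    "CreateAccessKey", "CreateUser", "CreateRole", "CreateLoginProfile",
    "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy",
    "UpdateAssumeRolePolicy", "StopLogging", "DeleteTrail",
}

# Start of the exposure window reported for the incident (November 2025).
EXPOSURE_START = datetime(2025, 11, 1, tzinfo=timezone.utc)

# Constructed CloudTrail records as JSON Lines. Field names follow the real
# CloudTrail schema; every value is invented.
SAMPLE_LOG = """\
{"eventTime":"2026-01-15T09:12:00Z","eventName":"GetObject","eventSource":"s3.amazonaws.com","sourceIPAddress":"203.0.113.10","awsRegion":"us-gov-west-1","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLE0000000A1","userName":"ci-deploy"}}
{"eventTime":"2026-03-02T02:41:10Z","eventName":"ListBuckets","eventSource":"s3.amazonaws.com","sourceIPAddress":"198.51.100.77","awsRegion":"us-gov-west-1","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLE0000000A1","userName":"ci-deploy"}}
{"eventTime":"2026-03-02T02:43:55Z","eventName":"CreateAccessKey","eventSource":"iam.amazonaws.com","sourceIPAddress":"198.51.100.77","awsRegion":"us-gov-west-1","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLE0000000B2","userName":"admin-svc"}}
{"eventTime":"2026-03-02T02:50:01Z","eventName":"GetCallerIdentity","eventSource":"sts.amazonaws.com","sourceIPAddress":"AWS Internal","awsRegion":"us-gov-west-1","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLE0000000B2","userName":"admin-svc"}}
{"eventTime":"2026-03-03T11:00:00Z","eventName":"CreateRole","eventSource":"iam.amazonaws.com","sourceIPAddress":"198.51.100.5","awsRegion":"us-gov-west-1","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAUNRELATED00000C3","userName":"platform-admin"}}
{"eventTime":"2025-10-03T08:00:00Z","eventName":"ListBuckets","eventSource":"s3.amazonaws.com","sourceIPAddress":"203.0.113.10","awsRegion":"us-gov-west-1","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLE0000000A1","userName":"ci-deploy"}}
"""


def parse_records(text):
    """Parse JSON Lines into a list of CloudTrail record dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_trusted_source(source, trusted=TRUSTED_NETWORKS):
    """True only for a literal IP inside a trusted range.

    CloudTrail also records non-IP values such as "AWS Internal" or a service
    hostname; those cannot be matched to a network, so they are treated as
    untrusted and surface for manual review instead of being silently passed.
    """
    try:
        addr = ip_address(source)
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def triage(records, leaked=LEAKED_KEY_IDS, trusted=TRUSTED_NETWORKS, start=EXPOSURE_START):
    """Return one finding per record that used a leaked key inside the window.

    Severity: "high" for a sensitive IAM/logging call, "medium" for any call
    from an untrusted or unknown source, "low" for a call from a trusted range
    (still listed, because the contractor cannot prove who held the key).
    """
    findings = []
    for rec in records:
        key_id = rec.get("userIdentity", {}).get("accessKeyId")
        if key_id not in leaked:
            continue
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if when < start:
            continue  # before the repository was public; outside the window
        if rec["eventName"] in SENSITIVE_EVENTS:
            severity = "high"
        elif not is_trusted_source(rec.get("sourceIPAddress", ""), trusted):
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "time": when.isoformat(),
            "access_key_id": key_id,
            "event": rec["eventName"],
            "source": rec.get("sourceIPAddress", ""),
            "region": rec.get("awsRegion", ""),
            "severity": severity,
        })
    return findings


def summarize(findings):
    """Count findings per severity, always returning all three keys."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


if __name__ == "__main__":
    results = triage(parse_records(SAMPLE_LOG))
    for f in sorted(results, key=lambda f: f["time"]):
        print(f"{f['severity']:6} {f['time']} {f['access_key_id']} {f['event']:18} from {f['source']}")
    print(summarize(results))
```

Real CloudTrail files delivered to S3 wrap their records in a `Records` array inside gzipped JSON rather than JSON Lines, so `parse_records` is the one function to adapt. Disable the leaked keys before running the audit, not after: the audit tells you what happened, not whether it has stopped.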
## Lessons Learned
- **Key takeaways:** Secret management is only as strong as the weakest link in the vendor/contractor chain, and a static key is only as safe as every place it has ever been copied.
- **What could have been done better:** Automated secret scanning as a pre-commit hook and in CI on the contractor side, push protection on the GitHub organization, and an organizational policy that prohibits agency secrets in source control and the use of personal GitHub accounts for agency work.
## Recommendations
- **Zero Trust Architecture:** Replace long-lived static access keys with IAM roles and short-lived STS credentials (federated through OIDC for CI pipelines), so that a leaked secret expires on its own instead of waiting for someone to notice it.
- **Contractor Oversight:** Enforce contractual requirements for secret management and periodic security audits of contractor-maintained codebases, including the repositories' visibility settings.
- **Automated Detection:** Deploy secret scanning (GitGuardian, GitHub secret scanning with push protection, or equivalent) across all agency-related repositories to detect leaks in near real time, and pair it with a rotation procedure so a detection turns into a revoked key within hours.
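As an added example that is not the contractor's, CISA's or GitHub's code, the following Python script is a pre-commit style scanner for the two AWS credential formats most likely to land in source. It serves both the contractor-side hook suggested under Lessons Learned and, run in CI, a lightweight stand-in for the automated detection recommended above. The patterns follow AWS's documented key formats (a 20-character access key ID beginning `AKIA` or `ASIA`; a 40-character secret access key); the entropy threshold, the file names and their contents are assumptions made for the example, and the sample key values are AWS's own documentation placeholders rather than working secrets.

```python
"""Pre-commit scanner for AWS credentials in files staged for commit."""
import math
import re
import subprocess
import sys
from collections import Counter

# AWS access key IDs: 20 characters, "AKIA" (long-term) or "ASIA" (temporary)
# followed by 16 uppercase letters or digits. Lookarounds stop partial matches
# inside longer identifiers.
ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# Secret access keys are 40 characters of [A-Za-z0-9/+]. That alone matches a
# lot of benign base64, so a secret-looking variable name must precede it and
# the candidate must also pass the entropy check below.
SECRET_KEY = re.compile(
    r"(?i)(?:aws_?secret_?access_?key|secret_?key|aws_secret)\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)
MIN_SECRET_ENTROPY = 3.5  # bits/char (assumed); real keys score ~4.5-5, placeholders near 0

# Constructed sample files; the key values are AWS's documented example
# credentials, not working secrets.
SAMPLE_FILES = {
    "deploy/config.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "docs/README.md": 'Set AWS_SECRET_ACCESS_KEY = "' + "A" * 40 + '" (placeholder)\n',
    "src/app.py": 'KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]\n',
}


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for a repeated single character)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(path, text):
    """Return findings for one file: dicts with path, line, kind and a redacted hint."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append({"path": path, "line": line_no, "kind": "aws_access_key_id",
                             "hint": m.group(0)[:8] + "..."})
        for m in SECRET_KEY.finditer(line):
            candidate = m.group(1)
            # Low entropy means a placeholder such as "AAAA..." rather than a real key.
            if shannon_entropy(candidate) >= MIN_SECRET_ENTROPY:
                findings.append({"path": path, "line": line_no, "kind": "aws_secret_access_key",
                                 "hint": candidate[:4] + "..."})
    return findings


def scan_files(files):
    """Scan a mapping of path -> contents and return all findings in file order."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def staged_files():
    """Read the files staged in the git index (the pre-commit use case)."""
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                         capture_output=True, text=True, check=True).stdout
    files = {}
    for path in out.splitlines():
        try:
            with open(path, encoding="utf-8", errors="ignore") as fh:
                files[path] = fh.read()
        except OSError:
            pass  # deleted or unreadable paths carry no staged content
    return files


if __name__ == "__main__":
    # With no arguments, scan the git index; with "--demo", scan the sample files.
    files = SAMPLE_FILES if "--demo" in sys.argv else staged_files()
    hits = scan_files(files)
    for h in hits:
        print(f"{h['path']}:{h['line']}: {h['kind']} ({h['hint']})")
    sys.exit(1 if hits else 0)  # non-zero exit aborts the commit
```

Installed as `.git/hooks/pre-commit`, a non-zero exit blocks the commit; the same script runs unchanged in CI against a checkout. A hook only prevents new commits. It cannot undo a secret that was already pushed, and once a key has been public it must be rotated, because deleting or rewriting history leaves forks, caches and any clone made during the exposure window untouched.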