Particle.news

CISA Contractor Left AWS GovCloud Keys and Internal Passwords in Public GitHub Repo

The leak triggered an agency investigation and congressional briefing requests as officials verify credential rotation and possible system access.

Overview

  • A public GitHub repository called “Private-CISA,” maintained by a contractor, was discovered by GitGuardian on May 14 and taken offline roughly 26 hours later on May 15 after reporters and CISA were notified.
  • Researchers found the repo held about 844 MB of data including plaintext passwords, administrative credentials for three AWS GovCloud accounts, CI/CD build logs, Kubernetes manifests, Terraform code, and other deployment artifacts.
  • Independent testing by security consultants showed some exposed AWS keys could authenticate at high privilege and remained valid for about 48 hours after the repository was deactivated.
  • Nightwing, the contractor identified in reporting, deferred to CISA as the agency investigates which credentials were revoked or rotated and said there is currently no indication that data were compromised.
  • Top Democrats on the House Homeland Security Committee and a U.S. senator have demanded briefings, and experts warn the leak highlights gaps in contractor oversight, secret-scanning controls, and risks to the software supply chain.
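The secret-scanning gap named in the last point is the kind of control that would have flagged this repository before it went public. The script below is an added example, not code from the original report, from GitGuardian or from any party named above: a minimal pre-publish scanner that walks a set of files and reports AWS access key IDs (the documented `AKIA`/`ASIA` prefix format), hard-coded secret assignments and private-key blocks, while ignoring references such as Terraform `var.` lookups. The sample files are constructed to resemble the artifact types listed in the overview (Terraform, a CI/CD build log, a Kubernetes manifest); the AWS pair is Amazon's own documented example key, and every other value is a placeholder.

```python
import re
from typing import Dict, List

# Constructed sample content standing in for the artifact types the report lists.
# All values are placeholders; the AWS pair is Amazon's published example key.
SAMPLE_FILES: Dict[str, str] = {
    "infra/main.tf": (
        'provider "aws" {\n'
        '  region     = "us-gov-west-1"\n'
        '  access_key = "AKIAIOSFODNN7EXAMPLE"\n'
        '  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        '}\n'
        'variable "db_password" {}\n'
        'resource "aws_db_instance" "db" {\n'
        '  password = var.db_password\n'   # a reference, not a literal: must not alert
        '}\n'
    ),
    "ci/build.log": (
        "[INFO] logging in to registry\n"
        "[INFO] registry_password=Sup3rS3cret!2024\n"
        "[INFO] build finished\n"
    ),
    "k8s/secret.yaml": (
        "apiVersion: v1\n"
        "kind: Secret\n"
        "data:\n"
        "  password: cGxhaW50ZXh0LXBhc3N3b3Jk\n"
    ),
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA...\n",
}

# Detection patterns. The AWS key-ID format (AKIA/ASIA + 16 uppercase alphanumerics)
# is public documentation; the assignment pattern is a deliberately broad heuristic.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_secret": re.compile(
        r"(?i)(?:secret_?access_?key|secret_?key|password|passwd|token)\s*[:=]\s*[\"']?([^\s\"']+)"
    ),
}

# Values that are lookups rather than literals (Terraform vars, shell/templating
# expansions, placeholders) are not secrets and are skipped to keep noise down.
REFERENCE_PREFIXES = ("var.", "${", "$(", "<")


def redact(value: str) -> str:
    """Keep only a short prefix so a report never re-leaks what it found."""
    return value[:4] + "..." if len(value) > 4 else "****"


def scan_text(path: str, text: str) -> List[Dict[str, object]]:
    """Scan one file's contents and return one finding per matched secret."""
    findings: List[Dict[str, object]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1) if match.groups() else match.group(0)
                if kind == "hardcoded_secret" and value.startswith(REFERENCE_PREFIXES):
                    continue
                findings.append(
                    {"path": path, "line": line_no, "kind": kind, "redacted": redact(value)}
                )
    return findings


def scan_repo(files: Dict[str, str]) -> List[Dict[str, object]]:
    """Scan every file in a path->contents mapping (e.g. a repo snapshot)."""
    findings: List[Dict[str, object]] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def summarize(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count findings per category, which is what a CI gate usually keys on."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[str(finding["kind"])] = counts.get(str(finding["kind"]), 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_repo(SAMPLE_FILES)
    for finding in results:
        print(f"{finding['path']}:{finding['line']}  {finding['kind']}  {finding['redacted']}")
    print("summary:", summarize(results))
    # A CI job would fail the build here if any finding is present.
    raise SystemExit(1 if results else 0)
```

Run as a pre-commit hook or CI step, a non-zero exit blocks the push. Scanning only finds the problem; as the overview notes, keys stayed valid for about two days after the repository came down, so any hit must be followed by revoking and rotating the credential at the provider, not just deleting the file from history.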