LIVE NEWSROOM · May 24, 2026

CISA Contractor Leaked AWS GovCloud Keys on GitHub for Six Months


A contractor working for the U.S. Cybersecurity & Infrastructure Security Agency maintained a public GitHub repository that exposed administrative credentials for multiple AWS GovCloud environments and a large number of internal CISA systems for approximately six months — from November 13, 2025 until May 18, 2026. The repository, named "Private-CISA," was maintained by an employee of Nightwing, a government contractor headquartered in Dulles, Virginia, and contained plaintext passwords, API tokens, and operational infrastructure details that security experts have described as representing one of the most egregious government data leaks in recent history. Congress is now demanding answers.

// 01 What Was Exposed

The public GitHub repository maintained by the Nightwing contractor contained:

  • Administrative credentials for three AWS GovCloud environments — AWS GovCloud is Amazon's dedicated cloud infrastructure for U.S. government workloads that require compliance with FedRAMP (Federal Risk and Authorization Management Program — the U.S. government's cloud security standards framework), ITAR (International Traffic in Arms Regulations), and other federal data handling requirements. Administrative credentials to GovCloud environments provide broad access to stored data, compute infrastructure, and networking configurations.
  • Plaintext passwords for internal CISA systems — multiple systems beyond the AWS environments, suggesting the repository served as an informal credential store or deployment documentation resource.
  • API tokens and logs — authentication tokens that provide programmatic access to systems, and operational logs that reveal internal system architecture.
  • Infrastructure blueprints — files detailing how CISA builds, tests, and deploys software internally, providing an attacker with a detailed map of CISA's development and operations infrastructure.

Security experts contacted by KrebsOnSecurity assessed the exposure as exceptionally severe: the combination of cloud credentials, plaintext passwords, and architectural documentation provides an attacker with both the keys and the map to CISA's internal systems — the agency responsible for defending U.S. critical infrastructure from exactly this type of attack.

The repository was discovered by GitGuardian (a secrets detection company that continuously monitors public repositories for accidental credential exposure). GitGuardian's scanning infrastructure flagged the "Private-CISA" repository and notified appropriate parties, triggering the containment response.

// 02 Timeline and Scope

| Date | Event |
|---|---|
| November 13, 2025 | Repository "Private-CISA" created on GitHub by Nightwing contractor |
| November 2025 – May 2026 | Credentials remain publicly accessible on GitHub |
| May 18, 2026 | Repository identified; containment begins |
| May 19, 2026 | Sen. Maggie Hassan requests urgent classified briefing from acting CISA Director |
| May 20–21, 2026 | KrebsOnSecurity and Schneier on Security publish reports |
| May 22, 2026 | House Committee on Homeland Security senior Democrats demand briefing; CISA still working to invalidate leaked credentials |

The six-month exposure window is significant. During this period, any actor who discovered the repository — whether through automated scanning tools like truffleHog (an open-source tool that searches Git history for secrets) or GitGuardian, or through manual discovery — would have had persistent access to the exposed systems.

// 03 Congressional Inquiry

The political response has been swift. Senator Maggie Hassan (D-NH) sent a formal request to acting CISA Director Nick Andersen demanding an urgent classified briefing on the incident. Senior Democrats on the House Committee on Homeland Security separately demanded a briefing from Andersen.

CyberScoop reports that the congressional inquiries are focused on three areas: how the exposure occurred and was not detected internally, what data or systems may have been accessed during the six-month window, and what systemic changes CISA is implementing to prevent recurrence.

The incident is particularly politically sensitive given CISA's mandate: the agency is responsible for securing the federal civilian enterprise and advising both government and private-sector organisations on security best practices. A sustained credential exposure of this nature within CISA's own contractor ecosystem undermines the agency's credibility and raises questions about the security of contractor oversight programmes.

// 04 CISA's Response

As of May 22, 2026, CISA is still working to contain the breach and invalidate all leaked credentials, per reporting from Krebs on Security. The agency has not yet confirmed whether the exposed credentials were accessed by unauthorised parties during the six-month exposure window. A full forensic investigation — necessary to determine whether any CISA systems were accessed, exfiltrated, or modified — is expected to take weeks.

CISA declined to provide detailed comment to media outlets beyond confirming awareness of the incident and the ongoing remediation effort.

// 05 What You Should Do Right Now

This incident directly affects CISA and its contractor ecosystem, but it has broader implications for organisations that rely on CISA advisories, threat intelligence, and tools:

  • CISA partner organisations should verify out-of-band — if your organisation integrates with CISA systems via API tokens or shared credentials, verify the integrity of those integrations and rotate any credentials that originate from CISA-provided infrastructure.
  • Use this incident as an internal audit trigger — review your own organisation's GitHub repositories (public and private) for accidentally committed credentials. Tools like truffleHog (trufflehog git <repo_url> with the current Go-based v3 release; the older Python v2 package installed by pip install trufflehog is invoked as trufflehog <repo_url>), Gitleaks, or Semgrep can scan repository history for secrets.
  • Implement secrets scanning in CI/CD pipelines — every commit should be scanned for secrets before being pushed to any repository, public or private. GitHub's own secret scanning feature can be enabled for free on public repositories; enterprise equivalents include GitGuardian and Spectral.
  • Never use plaintext credentials in repository files — use secrets management systems (AWS Secrets Manager, HashiCorp Vault, Azure Key Vault) and inject credentials at runtime via environment variables, not hardcoded files.
  • Contractor security requirements need teeth — if your organisation uses contractors who access sensitive systems, include explicit secrets management and code review requirements in contracts, and audit compliance regularly.
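One way to implement the pre-commit scanning recommended above, as an added example that is not Ciphers Security's, CISA's or any of the named tools' code: a small Python scanner over git diff --cached output that flags AWS access key IDs and high-entropy credential assignments while skipping environment-variable references. The scanner's name (scan_secrets.py) and the sample diff are constructed; the AWS values in it are the placeholder keys from AWS's own documentation.

```python
"""Minimal pre-commit secrets scanner: an added example, not code from Ciphers Security, CISA or Nightwing.
It flags what the article says leaked (AWS access key IDs, plaintext password/token assignments) in
`git diff --cached` output, so a commit is blocked before it reaches any remote, public or private."""
import math
import re
import sys

# Long-term (AKIA) and temporary (ASIA) AWS access key IDs: 20 upper-case alphanumerics.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# `name = value` / `name: "value"` where the name contains a credential keyword; value is group 2.
ASSIGNMENT = re.compile(r"(?i)([A-Za-z_]*(?:password|passwd|secret|token|api[_-]?key)[A-Za-z_]*)\s*[:=]\s*['\"]?([^\s'\"]{8,})")
# References rather than secrets: ${VAR}, $VAR, <placeholder>, os.environ[...]
PLACEHOLDER = re.compile(r"^(?:\$\{?[A-Za-z_]+\}?|<[^>]*>|os\.environ.*)$")

def shannon_entropy(value: str) -> float:
    """Bits per character; random secrets score well above words like 'changeme'."""
    n = len(value)
    return -sum(value.count(c) / n * math.log2(value.count(c) / n) for c in set(value))

def scan_text(text: str, min_entropy: float = 3.5) -> list[tuple[int, str, str]]:
    """Return (line_number, finding_type, value) for each suspected secret in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in AWS_KEY_ID.finditer(line):
            findings.append((lineno, "aws_access_key_id", m.group(0)))
        for m in ASSIGNMENT.finditer(line):
            value = m.group(2)
            if PLACEHOLDER.match(value) or shannon_entropy(value) < min_entropy:
                continue  # env-var reference or dictionary-like word: leave it alone
            kind = "aws_secret_access_key" if re.fullmatch(r"[A-Za-z0-9/+]{40}", value) else "hardcoded_credential"
            findings.append((lineno, kind, value))
    return findings

def scan_diff(diff: str) -> list[tuple[int, str, str]]:
    """Scan only lines a commit adds ('+' lines minus the '+++' header); numbers count added lines."""
    added = [l[1:] for l in diff.splitlines() if l.startswith("+") and not l.startswith("+++")]
    return scan_text("\n".join(added))

# Constructed sample staged diff; the AWS values are the placeholder keys from AWS's own documentation.
SAMPLE_DIFF = """\
+++ b/deploy/config.ini
+aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+db_password = ${DB_PASSWORD}
+api_token = "ghp_x9Q2kL7mR4tB8wZ1nV6cP3hJ5dF0sA2gY"
"""
if __name__ == "__main__":  # usage: git diff --cached | python scan_secrets.py -
    hits = scan_diff(sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_DIFF)
    for lineno, kind, value in hits:
        print(f"added line {lineno}: {kind} ({value[:4]}...)")  # never echo the full secret
    sys.exit(1 if hits else 0)
```

Wired into a pre-commit hook, a non-zero exit blocks the commit; the entropy threshold trades false positives on words against missing short or dictionary-like passwords, so pair it with the dedicated tools named above rather than replacing them.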

// 06 Background: Understanding the Risk

The "Private-CISA" exposure illustrates a risk that affects virtually every organisation that uses version control: developers and system administrators routinely commit credentials alongside configuration files, treating repository access controls as a sufficient security boundary. In CISA's case, the repository was public — the most severe possible exposure — but even private repositories pose substantial risk if credentials rotate slowly, if the repository is ever inadvertently made public, or if a repository collaborator's account is compromised.

AWS GovCloud credentials are not ordinary cloud credentials. GovCloud environments host data with national security implications, and administrative access to GovCloud infrastructure can provide access to workloads that would otherwise require significant clearance and vetting to reach through physical or network controls. The exposure of GovCloud administrative keys is equivalent, in some architectures, to giving an attacker direct access to the government's most sensitive cloud-hosted data and applications.

Bruce Schneier's commentary frames the incident as a systemic failure: "Security experts said the public archive included files detailing how CISA builds, tests and deploys software internally, and that it represents one of the most egregious government data leaks in recent history." The architectural details in the repository are arguably as damaging as the credentials themselves — they allow an attacker who has separately obtained credentials to operate within CISA's infrastructure with far greater effectiveness than credentials alone would provide.

The Nightwing contractor model is common across the federal government: contractors often build and maintain internal systems with significant autonomy, and their personal development practices — including how they handle secrets — may not be subject to the same rigorous oversight as full-time agency employees. This incident is likely to accelerate conversations about mandatory secrets scanning and code review standards for all contractors with access to government cloud environments.

// 07 Conclusion

A six-month public exposure of CISA's AWS GovCloud credentials, plaintext system passwords, and internal infrastructure details by a Nightwing contractor represents one of the most significant government security incidents of 2026. CISA is still working to contain the breach while facing congressional scrutiny. For every organisation that handles sensitive credentials: audit your repositories for committed secrets today, implement pre-commit secrets scanning, and treat your version control system as part of your attack surface.

Team Ciphers Security

The Ciphers Security editorial team — practitioners covering daily threat intel, CVE deep-dives, and hands-on cybersecurity research.