Bottom line: A CISA contractor stored administrative AWS GovCloud credentials, plaintext passwords, and access tokens in a public GitHub repository after intentionally disabling GitHub’s native secrets detection.
A contractor for the US Cybersecurity & Infrastructure Security Agency (CISA) kept a public GitHub repository online through May 2026 that contained administrative AWS access credentials and access data for internal CISA systems. A security officer at the US agency intentionally halved the security of one of the federal government’s most critical systems.
The publicly accessible repository “Private-CISA” contained a wealth of sensitive materials: AWS keys with administrative rights for three GovCloud accounts, plaintext passwords in CSV files, authentication tokens, logs, and access data for internal CISA systems. A file named “AWS-Workspace-Firefox-Passwords.csv” listed usernames and passwords for dozens of CISA-internal systems, including the “LZ-DSO” system (Landing Zone DevSecOps), CISA’s environment for secure code development.
Security researcher Guillaume Valadon from GitGuardian discovered the repo in mid-May and contacted CISA after the account was shut down. Valadon documented that the CISA administrator had explicitly disabled GitHub’s standard security settings, which automatically block the publication of SSH keys and secrets in public repositories. Passwords were stored unencrypted, and backups were directly accessible in Git history.
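An added example, not taken from the original report or from GitHub's or GitGuardian's tooling: a minimal local check for the kinds of material described above (AWS access key IDs, secret keys, exported password CSVs), applied to every committed file version because deleting a file in a later commit leaves it in Git history. The function names, rule names and sample history are assumptions constructed for illustration; the key values are AWS's documented example credentials.

```python
import csv
import re

# AWS access key IDs are 20 characters: a 4-letter prefix (AKIA long-term,
# ASIA temporary) followed by 16 uppercase letters or digits.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Heuristic: a 40-character value assigned to a name containing "secret".
AWS_SECRET = re.compile(
    r"(?i)secret[A-Za-z_]*\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")
CREDENTIAL_COLUMNS = {"password", "passwd", "pwd"}


def scan_blob(path, text):
    """Return sorted (path, line_number, rule) findings for one file version."""
    findings = set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        if AWS_KEY_ID.search(line):
            findings.add((path, lineno, "aws-access-key-id"))
        if AWS_SECRET.search(line):
            findings.add((path, lineno, "aws-secret-access-key"))
    if path.lower().endswith(".csv"):
        # Browser password exports are CSVs whose header names a password column.
        header = next(csv.reader(text.splitlines()), [])
        if CREDENTIAL_COLUMNS & {col.strip().lower() for col in header}:
            findings.add((path, 1, "credential-csv"))
    return sorted(findings)


def scan_history(blobs):
    """Scan every (commit, path, text) version, including files deleted later."""
    report = {}
    for commit, path, text in blobs:
        hits = scan_blob(path, text)
        if hits:
            report.setdefault(commit, []).extend(hits)
    return report


# Constructed sample history: the key is "removed" in c2 but still sits in c1.
# Key values are AWS's documented example credentials, not real ones.
SAMPLE_HISTORY = [
    ("c1", "deploy.env", "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
     "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
    ("c1", "exported-logins.csv", '"url","username","password"\n'
     '"https://intranet.example","alice","not-a-real-password"\n'),
    ("c2", "deploy.env", "AWS_ACCESS_KEY_ID=${FROM_VAULT}\n"),
]

if __name__ == "__main__":
    print(scan_history(SAMPLE_HISTORY))
```

A finding in any historical commit means the credential has to be rotated; rewriting or deleting the file in a later commit does not withdraw what was already published.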
Philippe Caturegli, founder of security consulting firm Seralys, validated the functionality of the exposed credentials. The AWS keys successfully authenticated with high privileges against the GovCloud accounts. Furthermore, the repository disclosed plaintext login credentials for CISA’s “Artifactory” — a central repository of all software packages used for software development. Caturegli characterized this as a critical lateral movement vector: manipulation of individual software packages could compromise a base permission system across all downstream CISA systems.
The Git metadata suggests that the CISA employee used the repository as a private work and synchronization tool across different environments, rather than as a thoughtfully designed project repository. The simultaneous use of a CISA-associated email address and a private address points to poorly conceived configuration. Security experts assessed the incident as one of the most severe data breaches at the US federal government in recent years.
Source: krebsonsecurity.com · Published May 18, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.2.0.