GitGuardian researcher Guillaume Valadon has seen plenty of leaked credentials in his career scanning public repositories. But when he discovered a CISA contractor’s “Private-CISA” GitHub repo stuffed with government secrets, even he was shocked. “This is the worst leak that I’ve witnessed in my career,” he told KrebsOnSecurity. The irony cuts deep: America’s cybersecurity watchdog left its own digital keys sitting in public view.
The exposed treasure trove included:
- AWS GovCloud administrative credentials
- Plaintext passwords to internal CISA systems
- Access tokens to the agency’s secure development environment
For six months, anyone with basic GitHub search skills could have accessed a file literally named “importantAWStokens” containing keys to three government cloud servers.
When the Cyber Cops Need Better Locks
The contractor’s personal file-syncing method created a massive security vulnerability.
The contractor used the public repository as a personal file sync between work and home computers—essentially treating GitHub like a more dangerous version of emailing yourself work files. The exposed data included passwords stored in CSV files for “dozens of internal CISA systems,” including LZ-DSO, CISA’s secure DevSecOps environment where the agency builds tools to protect everyone else.
Marco Caturegli, CEO of security firm Seralys, validated that the credentials actually worked, granting high-privilege access to government cloud infrastructure. Even after GitHub removed the repository, those AWS keys remained valid for another 48 hours, a window in which any attacker who had already copied them could have caused serious damage. Taking a repository down revokes nothing: a leaked key stays live until it is deactivated or rotated in IAM, and by the time a takedown lands the repository's history may already sit in clones, forks and the caches of the scanners that crawl public GitHub.
The Bigger Security Picture
This incident exposes the same vulnerabilities CISA recently warned other agencies about.
This leak stings particularly because CISA recently warned agencies about GitHub supply-chain attacks that exposed thousands of secrets through compromised CI/CD workflows. The agency added CVE-2025-30066, the compromise of the widely used tj-actions/changed-files GitHub Action, to its Known Exploited Vulnerabilities catalog after the tampered Action dumped CI secrets such as AWS keys and tokens into workflow logs, which are publicly readable for public repositories. Yet here is CISA's own contractor committing the same fundamental mistake: putting secrets where they don't belong.
The timing couldn’t be worse for an agency already facing leadership turbulence and budget pressures under Trump’s second term. While CISA sends thousands of ransomware warnings to protect critical infrastructure, its contractor ecosystem apparently operates with the same risky habits plaguing the rest of the developer world.
CISA claims there’s “no indication that any sensitive data was compromised,” but security experts remain skeptical. When your nation’s cyber defense headquarters treats GitHub like a personal cloud drive, the problem runs deeper than one contractor’s bad judgment. This leak reveals systemic gaps in secrets management that automated scanning and stronger policies could have prevented.
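The automated scanning mentioned above is a small amount of code to put in front of every commit. The script below is an added example, not code from GitGuardian, KrebsOnSecurity, CISA or the contractor. It scans a constructed in-memory "repository" that mirrors the three credential classes in this story (a file named for its AWS tokens, a CSV of plaintext passwords, and a CI token in an env file) using public signatures for AWS and GitHub credentials, a CSV password-column heuristic, and a Shannon-entropy fallback for secrets no signature knows. The file names and contents are made up for illustration; the AWS values are Amazon's published documentation example keys, and the GitHub token is fabricated to fit the public format.

```python
"""Pre-commit style secret scan of the kind that would have caught this leak.

Added example, not code from GitGuardian, KrebsOnSecurity, CISA or the
contractor.  SAMPLE_REPO is constructed for illustration: the AWS values are
Amazon's documentation example keys, the GitHub token is made up to fit the
public token format, and the hostnames and passwords are invented.
"""
import math
import re

# Signatures for the credential classes the article describes.  The AWS and
# GitHub formats are public; the CSV rule is a heuristic for "passwords in a
# spreadsheet" dumps and the entropy rule catches unlabelled random strings.
AWS_ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
AWS_SECRET_KEY = re.compile(
    r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})")
GITHUB_TOKEN = re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b")
PASSWORD_COLUMN = re.compile(r"(?i)^(password|passwd|pwd)$")
SUSPICIOUS_NAME = re.compile(r"(?i)token|secret|credential|passw")
LONG_TOKEN = re.compile(r"[A-Za-z0-9/+_=\-]{32,}")
ENTROPY_THRESHOLD = 4.5  # bits/char; prose is ~4, random base64 is ~5.5+

NAMED_PATTERNS = (
    ("aws-access-key-id", AWS_ACCESS_KEY_ID),
    ("aws-secret-access-key", AWS_SECRET_KEY),
    ("github-token", GITHUB_TOKEN),
)


def shannon_entropy(s):
    """Shannon entropy of s in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path, text):
    """Return (line_no, kind, value) findings for one file; line 0 is the name."""
    findings = []
    if SUSPICIOUS_NAME.search(path):
        findings.append((0, "suspicious-filename", path))
    password_col = None  # index of a CSV "password" column once a header is seen
    for lineno, line in enumerate(text.splitlines(), start=1):
        cells = [c.strip() for c in line.split(",")]
        if password_col is None and len(cells) > 1:
            for i, cell in enumerate(cells):
                if PASSWORD_COLUMN.match(cell):
                    password_col = i
                    break
            if password_col is not None:
                continue  # the header row itself carries no secret
        matched = False
        if password_col is not None and len(cells) > password_col and cells[password_col]:
            findings.append((lineno, "plaintext-password", cells[password_col]))
            matched = True
        for kind, pattern in NAMED_PATTERNS:
            for m in pattern.finditer(line):
                findings.append((lineno, kind, m.group(m.lastindex or 0)))
                matched = True
        if matched:
            continue
        # Fallback for secrets no signature knows: long, high-entropy tokens.
        for tok in LONG_TOKEN.findall(line):
            if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high-entropy-string", tok))
    return findings


def scan_repo(files):
    """Scan a {path: content} mapping and return only the files with findings."""
    report = {}
    for path, text in files.items():
        found = scan_text(path, text)
        if found:
            report[path] = found
    return report


def should_block_commit(report):
    """A pre-commit hook exits non-zero on any finding, however mundane."""
    return bool(report)


# Constructed sample repository (see module docstring); not real data.
SAMPLE_REPO = {
    "importantAWStokens": (
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "systems.csv": (
        "hostname,username,password\n"
        "build01.example.internal,svc_build,Sup3rS3cret!\n"
        "vault02.example.internal,admin,Winter2025\n"
    ),
    "deploy.env": "GITHUB_TOKEN=ghp_0123456789abcdef0123456789abcdef0123\n",
    "config.toml": 'signing_key = "0123456789abcdefghijklmnopqrstuv"\n',
    "notes.md": "Sync work notes between office and home laptop.\n",
}

if __name__ == "__main__":
    for path, found in scan_repo(SAMPLE_REPO).items():
        for lineno, kind, value in found:
            print(f"{path}:{lineno}: {kind}: {value}")
    raise SystemExit(1 if should_block_commit(scan_repo(SAMPLE_REPO)) else 0)
```

To wire this into a real hook, replace SAMPLE_REPO with the staged files (the paths from `git diff --cached --name-only` and their contents from `git show :<path>`) and install the script as `.git/hooks/pre-commit`; the exit status is what stops the commit. The entropy rule is deliberately last and only runs on lines no signature matched, because it is the noisiest check: it flags things like hashes and base64 blobs, which is the trade-off you accept to catch a credential format you have never seen before. A hook is also the cheap part; what turns a 48-hour exposure into a non-event is pairing it with key rotation the moment a finding is confirmed.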