A major security incident involving the US Cybersecurity and Infrastructure Security Agency has sparked concern across the cybersecurity industry. Researchers discovered a public GitHub repository containing plaintext passwords, AWS GovCloud tokens, internal deployment files, and authentication credentials tied to CISA infrastructure.
The exposed repository reportedly stayed public for months before researchers pushed for its removal. Security experts described the incident as a serious operational security failure involving one of the United States’ leading cybersecurity agencies.
Public GitHub Repository Contained Sensitive Credentials
Researchers at GitGuardian discovered a public GitHub repository named “Private-CISA” that reportedly exposed around 844 MB of sensitive internal data. The repository allegedly contained plaintext passwords, AWS GovCloud credentials, authentication tokens, Entra ID SAML certificates, and internal operational files connected to CISA systems.
Investigators also found Kubernetes manifests, Terraform configurations, CI/CD logs, GitHub Actions workflows, infrastructure scripts, and backup documentation. According to researchers, the files provided unusually detailed visibility into cloud infrastructure and deployment processes tied to government systems.
GitGuardian researcher Guillaume Valadon initially suspected the repository might be fake because of how openly the credentials appeared online. However, further investigation reportedly confirmed the material was authentic.
Reports indicate the repository had been publicly accessible since November 2025 before it was finally removed in May 2026.
Weak Credential Practices Increased Security Risks
Researchers said the exposed repository revealed multiple examples of poor credential management practices. Some passwords reportedly followed predictable naming structures based on platform names and calendar years.
The leak also allegedly included spreadsheets containing plaintext usernames and passwords for internal systems. Researchers further claimed that GitHub’s secret-scanning protections had been disabled for the repository, preventing automated warnings about exposed credentials.
Security experts warned that attackers could have accessed cloud infrastructure, internal repositories, CI/CD systems, and deployment environments during the exposure period. Some credentials reportedly remained active even after the repository was removed.
The incident attracted widespread criticism because CISA serves as the primary US federal agency responsible for cybersecurity guidance and infrastructure protection.
Contractor Connection Raises More Questions
Reports linked the repository to a contractor connected to CISA operations. According to cybersecurity journalist Brian Krebs, the repository was allegedly maintained by an employee associated with Virginia-based government contractor Nightwing.
Researchers reportedly attempted to contact the repository owner several times before escalating the matter through CERT/CC and government communication channels. GitGuardian stated that the repository was finally removed roughly 26 hours after direct communication reached CISA officials.
CISA later acknowledged awareness of the exposure and stated that investigators had not found evidence showing malicious exploitation tied to the leaked files. The agency also said it planned to implement additional safeguards to prevent similar incidents in the future.
Leak Highlights Ongoing Cloud Security Problems
The CISA GitHub leak highlights broader security problems affecting cloud infrastructure, software supply chains, and automated deployment systems. Public repositories continue to expose secrets, API keys, authentication tokens, and sensitive configuration files across both government and private sectors.
Researchers warned that leaked infrastructure files can still provide valuable intelligence even if credentials later become invalid. Internal workflows, deployment structures, and configuration details may help attackers map environments and identify future attack paths.
The incident also demonstrates how human error and weak operational security practices continue to create major cybersecurity risks despite advanced defensive technologies.
Conclusion
The CISA GitHub leak exposed plaintext passwords, AWS tokens, and sensitive infrastructure files through a public repository that reportedly remained online for months. Researchers described the exposure as a major operational security failure involving critical government systems.
The incident also reinforces growing concerns around credential management, contractor oversight, and cloud security practices. As organizations rely more heavily on automated infrastructure and cloud services, exposed repositories continue to create serious risks across the cybersecurity landscape.

