Massive Cisa data leak exposes internal systems and AWS keys
The Cybersecurity and Infrastructure Security Agency (CISA) is facing one of the most embarrassing data security blunders in recent government history. A contractor for the federal cyber defense agency accidentally maintained a public GitHub repository that exposed highly privileged AWS GovCloud credentials and access tokens to numerous internal CISA systems.
Security experts discovered the public archive, appropriately titled “Private-CISA,” which contained a treasure trove of sensitive assets including plaintext passwords, cloud keys, logs, and internal blueprints detailing how the agency builds and deploys software. According to GitGuardian researcher Guillaume Valadon, who flagged the issue, the leak represents an egregious failure of basic security hygiene. The contractor’s commit logs even revealed they had explicitly disabled GitHub's default safety feature designed to block users from accidentally publishing secret cryptographic keys, News.Az reports, citing Krebson Security.
Among the exposed files was a document titled “importantAWStokens,” which granted administrative access to three Amazon AWS GovCloud servers, and a spreadsheet containing plaintext usernames and passwords for internal networks. This included credentials for "LZ-DSO," CISA's secure code development environment. Security analysts warned that the repository also exposed passwords to CISA’s internal software package manager, a prime target that hackers could exploit to inject backdoors into government software.
RECOMMENDED STORIES
The compromise appears to stem from a Nightwing contractor using the public GitHub repository as a personal scratchpad to sync files between a work laptop and a home computer since November 2025. Compounding the issue, the contractor relied on incredibly weak, easily guessed passwords for critical infrastructure, often using the platform's name followed by the current year.
While the GitHub account was quickly pulled offline after CISA was alerted, investigators noted that the exposed AWS keys shockingly remained active for another 48 hours. CISA, which has seen its workforce shrink by nearly a third following recent administrative budget cuts and forced retirements, stated that it is investigating the incident. The agency claims there is currently no indication that malicious actors compromised any sensitive data before the repository was secured.
By Aysel Mammadzada
Similar news
