A contractor employed by Nightwing, the Dulles-based government services firm spun out of Raytheon, maintained a public GitHub repository named “Private-CISA” that exposed admin credentials to three AWS GovCloud accounts, dozens of internal CISA system credentials in plaintext CSV form, and detailed documentation of CISA’s internal software development lifecycle including artifactory access. The repository was discovered May 15 by Guillaume Valadon, a researcher at GitGuardian.

The exposure has been described by several security researchers as among the most egregious government data leaks in recent years. The artifactory access in particular raised supply-chain concerns: with the credentials shown in the repository, an attacker would have had the ability to alter packages distributed within CISA’s internal build pipelines, a vector that would be difficult to detect from the consumer side and could persist across multiple deployments.

CISA, in a statement issued late Monday, said the agency had found no indication that sensitive data was actually compromised. The AWS keys involved, however, remained valid for approximately 48 hours after the GitHub account hosting the repository was taken offline — a window that, in the language of incident response, is long enough to matter. The agency has not detailed what compensating controls existed during that window or how the residual exposure was rotated and audited.

The political context is uncomfortable. CISA has lost roughly a third of its workforce since the start of 2025 through a combination of voluntary departures and reductions in force. The agency’s mandate has been reframed away from broad infrastructure-wide coordination and toward narrower election-security and federal-agency support roles. The contractor relationship that produced the leak is one of many that the reduced internal workforce has been leaning on more heavily.

For private-sector security leaders, the operational takeaway is direct. Third-party access to production credentials, even at organizations that should be among the best-prepared in the world, is leaking through personal-device and personal-account vectors at a rate that defies the assumption that paid managed-security services are sufficient compensating controls. The mature posture is to assume that any credential issued to a contractor will eventually appear in a public repository, and to architect detection, rotation, and blast-radius limitation around that assumption.
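As an added illustration of that posture (not code from the article, CISA, Nightwing or GitGuardian), the following Python scans text in the shape of the plaintext CSV the article describes for AWS access-key pairs and measures how long a known-exposed key stayed valid against a rotation policy; the CSV rows, timestamps and the one-hour policy are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the shape the article describes: a plaintext CSV of
# system credentials. Every value is fake; the key ID follows the AWS
# documentation placeholder format and resolves to no real account.
SAMPLE_CSV = """system,username,access_key_id,secret_access_key,region
artifactory,svc-build,AKIAEXAMPLE0000000AB,wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY,us-gov-west-1
wiki,svc-wiki,n/a,hunter2,us-east-1
"""

# Long-lived (AKIA) and temporary (ASIA) AWS access key IDs are 20 characters.
KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 characters from the base64 alphabet.
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")


def redact(key_id):
    """Keep only the last four characters so a finding is safe to log or ticket."""
    return "*" * (len(key_id) - 4) + key_id[-4:]


def scan_text(text):
    """Flag every line carrying an AWS access key ID, noting whether a secret
    sits on the same line (a usable pair) and whether a GovCloud region is named."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_ID_RE.finditer(line):
            findings.append({
                "line": lineno,
                "key_id": redact(match.group(0)),
                "secret_on_line": bool(SECRET_RE.search(line)),
                "govcloud": "us-gov-" in line,
            })
    return findings


def exposure_hours(discovered_iso, revoked_iso):
    """Hours a leaked key stayed valid after the exposure was known (ISO-8601 inputs)."""
    delta = datetime.fromisoformat(revoked_iso) - datetime.fromisoformat(discovered_iso)
    return delta.total_seconds() / 3600


def rotation_overdue(discovered_iso, revoked_iso, max_hours=1.0):
    """True when revocation took longer than the (assumed) one-hour policy allows."""
    return exposure_hours(discovered_iso, revoked_iso) > max_hours


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_CSV):
        print(finding)
    # Constructed timestamps mirroring the 48-hour window the article reports.
    print(rotation_overdue("2025-05-15T12:00:00+00:00", "2025-05-17T12:00:00+00:00"))
```

A real deployment would run `scan_text` as a pre-commit hook and over repository history, and feed `exposure_hours` from the secret scanner's alert time and the IAM key-deactivation event.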

Congressional reaction has been fast. Members of both parties on the House Homeland Security Committee have demanded a closed-door briefing on the incident within the week.