Full Report
Crazy story: Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how CISA builds, tests and deploys software internally, and that it represents one of the most egregious government data leaks in recent history. News article.
Analysis Summary
# Incident Report: Exposure of Highly Privileged CISA Credentials on GitHub
## Executive Summary
A technical contractor for the Cybersecurity & Infrastructure Security Agency (CISA) inadvertently exposed highly privileged credentials and internal architectural documents via a public GitHub repository. The leak included AWS GovCloud access keys and detailed internal software deployment workflows, creating a significant risk of state-level exploitation. The repository was secured in May 2026 after being identified as one of the most severe government data leaks in recent history.
## Incident Details
- **Discovery Date:** Approximately May 16-17, 2026 (Weekend prior to May 22)
- **Incident Date:** Ongoing until mid-May 2026
- **Affected Organization:** Cybersecurity & Infrastructure Security Agency (CISA)
- **Sector:** Government / Public Sector
- **Geography:** United States
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown (Duration of the repository's public status)
- **Vector:** Intentional but negligent publishing of a public GitHub repository.
- **Details:** A CISA contractor maintained an archive that was accessible to the general public rather than restricted to internal organizational use.
### Lateral Movement
- **Potential:** While the report focuses on the leak, the exposed AWS GovCloud keys would allow an adversary to move from the public internet directly into CISA’s cloud infrastructure and internal build environments.
### Data Exfiltration/Impact
- **Data Exposed:** Highly privileged AWS GovCloud credentials, credentials for internal CISA systems, and CI/CD (Continuous Integration/Continuous Deployment) pipeline documentation detailing how CISA builds and tests software.
### Detection & Response
- **How it was discovered:** Identified by security researchers/experts (including reports by Krebs on Security and Gizmodo).
- **Response actions taken:** The GitHub repository was taken down/made private over the weekend of May 16-17, 2026.
## Attack Methodology
- **Initial Access:** Publicly accessible GitHub repository containing sensitive secrets.
- **Persistence:** Not applicable (leak scenario), but exposed keys could allow long-term persistence in CISA cloud environments.
- **Privilege Escalation:** Exposed credentials provided "highly privileged" access by default.
- **Defense Evasion:** Bypassing perimeter security by using legitimate, stolen cloud credentials.
- **Credential Access:** Plaintext AWS GovCloud keys and internal system passwords stored in code/config files.
- **Discovery:** Publicly indexed GitHub search.
- **Lateral Movement:** Capabilities to move from software build environments to production systems.
- **Collection:** Access to internal software source code and deployment manifests.
- **Exfiltration:** Potential for attackers to clone repositories and internal data.
- **Impact:** High risk of supply chain compromise and unauthorized access to federal cloud resources.
## Impact Assessment
- **Financial:** Undisclosed; involves significant remediation and auditing costs.
- **Data Breach:** Exposure of "keys to the kingdom" for GovCloud instances and internal system configurations.
- **Operational:** Potential disruption of software deployment pipelines while keys are rotated and systems are audited.
- **Reputational:** Significant; described as an "egregious" leak for an agency tasked with the nation's cybersecurity.
## Indicators of Compromise
- **Network indicators:** hxxps[://]github[.]com/[contractor_account_details_redacted]
- **File indicators:** `.aws/credentials` files, `.env` files, and CI/CD configuration files (e.g., YAML) in public repos.
- **Behavioral indicators:** Access to AWS GovCloud from non-standard IP ranges or at unusual times using the compromised credentials.
## Response Actions
- **Containment:** Removal of the public GitHub repository.
- **Eradication:** Revocation and rotation of all exposed AWS GovCloud keys and internal system credentials.
- **Recovery:** Full audit of AWS logs to determine if unauthorized access occurred while keys were public.
## Lessons Learned
- **Contractor Oversight:** Lack of oversight regarding how contractors manage sensitive agency code and configurations on third-party platforms.
- **Secret Management:** Hardcoding or storing credentials in repositories (even intended for internal use) remains a critical failure point.
- **Monitoring:** Lack of automated scanning for government-related secrets on public code hosting sites.
## Recommendations
- **Automated Secret Scanning:** Implement tools (e.g., GitHub Advanced Security, TruffleHog) to prevent and detect secrets before they are pushed to any repository.
- **Mandatory Use of Secret Managers:** Require all contractors to use AWS Secrets Manager or HashiCorp Vault instead of configuration files.
- **Strict Repository Policies:** Enforce an "Internal-Only" policy for all contractor code and conduct regular audits of public profiles of agency personnel and contractors.
- **Principle of Least Privilege:** Ensure that even if keys are leaked, they do not possess "highly privileged" access across the entire GovCloud environment.
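As an added example (not code from the original report, CISA, or any vendor's product), a minimal pre-commit-style scanner that applies the file and pattern indicators above to a diff: it flags newly added `.env` / `.aws/credentials` files and added lines carrying the AWS access-key-ID or secret-key shapes. The diff, file names, and key values are constructed for the example.

```python
import re

# Hypothetical pre-commit check written for this example; not CISA's tooling
# and not a product's API. It inspects only the lines a commit would add.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")  # long-term / STS key ids
SECRET_KEY = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?[A-Za-z0-9/+=]{40}")
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def is_sensitive_path(path: str) -> bool:
    """Files that should never be committed at all, whatever they contain."""
    base = path.rsplit("/", 1)[-1]
    return path.endswith(".aws/credentials") or base == ".env" or base.startswith(".env.")

def scan_diff(diff: str) -> list[tuple[str, int, str]]:
    """Return (path, new-file line, kind) for added lines; line 0 marks a file-level hit."""
    findings, path, line_no = [], "", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):              # new-file header
            path = raw[4:].removeprefix("b/")
            if is_sensitive_path(path):
                findings.append((path, 0, "sensitive-file"))
            continue
        if (m := HUNK.match(raw)):              # hunk header carries the new-file start line
            line_no = int(m.group(1)) - 1
            continue
        if raw.startswith(("-", "\\")):         # removed lines, "\ No newline" markers
            continue
        line_no += 1                            # context and added lines advance the new file
        if not raw.startswith("+"):
            continue
        if ACCESS_KEY_ID.search(raw):
            findings.append((path, line_no, "aws-access-key-id"))
        if SECRET_KEY.search(raw):
            findings.append((path, line_no, "aws-secret-access-key"))
    return findings

# Constructed sample diff; the values follow the documented AWS placeholder formats, not real keys.
SAMPLE_DIFF = """\
diff --git a/deploy/.env b/deploy/.env
--- /dev/null
+++ b/deploy/.env
@@ -0,0 +1,3 @@
+# constructed sample, not a real credential
+AWS_ACCESS_KEY_ID=AKIAEXAMPLE0000000AB
+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

if __name__ == "__main__":
    print(*scan_diff(SAMPLE_DIFF), sep="\n")
```

In a real hook, feed it the output of `git diff --cached` and fail the commit when the list is non-empty; the line numbers refer to the file as it would exist after the commit.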