How to Stop Leaking AWS Keys to GitHub (And What to Do When You Already Did)

The 2 AM Phone Call Nobody Wants

Last year I got pulled into an incident at a previous gig. A junior engineer had pushed a .env file to a public repo. Within 11 minutes, automated scanners had grabbed the AWS access keys and started spinning up GPU instances for crypto mining. By the time we rotated credentials, the bill was already four figures.

This stuff happens constantly. The recent news cycle around government cloud keys ending up in public GitHub repos isn't unique — it's just the latest reminder that credential leaks remain one of the most boring, preventable, and absolutely catastrophic failures in our industry.

Let's talk about why this keeps happening, how to fix it when it does, and how to make it nearly impossible to happen on your team.

Why Smart People Leak Credentials

How to Stop Leaking AWS Keys to GitHub (And What to Do When You Already Did)

Other newsrooms on this story

Related reading

How We Got a CISA GitHub Leak Taken Down in Under a Day

America's top cyber-defense agency left a GitHub repo open with passwords,…

America's top cyber-defense agency left a GitHub repo open with with passwords,…

GitHub Breach via VSCode Extension, ZTE Router CVE-2026-34472, & Public Repo…

Grafana’s GitHub Token Incident: 5 Steps DevOps Teams Can Take to Recover Faster

Security researcher exploits GitHub gotcha, gets admin access to all Istio…