A public repo ironically named “Private-CISA” and maintained by a CISA contractor contained 844 MB of sensitive data, including administrative credentials for AWS GovCloud accounts, CI/CD logs, Kubernetes manifests, and internal documentation. The repository was created on November 13, 2025, and sat in the open for roughly six months before secrets-detection firm GitGuardian discovered it on May 14, 2026.

What was actually exposed

One file, helpfully named “importantAWStokens,” contained admin credentials for three AWS GovCloud accounts. Another file exposed plaintext credentials for internal systems.

Beyond the passwords, the repo included GitHub tokens, sensitive YAML configuration files, and references to CISA’s own software-building environment. That last detail is particularly concerning because it suggests the exposure touched the agency’s internal software supply chain.

After GitGuardian flagged the issue, the repository was taken down within approximately 26 hours, by May 15, 2026. Some of the exposed AWS keys remained valid for an additional 48 hours after the repo was deactivated.