defense · KrebsOnSecurity
A contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to multiple highly privileged AWS GovCloud accounts and internal CISA systems. The repository, named "Private-CISA," contained plaintext passwords in CSV files, AWS administrative tokens, SSH keys, and access credentials to CISA's code artifact repository. Security researchers discovered the exposure on May 15, 2026; the repository was created in November 2025. The commit logs show the administrator disabled GitHub's default secrets-detection setting. CISA stated it found no evidence of data compromise, though exposed AWS keys remained valid for at least 48 hours after notification.
This incident underscores critical risks for organizations handling sensitive government or regulated data. Defense contractors managing Controlled Unclassified Information (CUI) should immediately audit their development environments, source-control practices, and credential management to prevent similar exposures. SaaS teams and healthcare organizations subject to SOC2 and HIPAA audits respectively must enforce secrets-scanning tools, disable credential storage in code repositories, and implement privileged access management (PAM) controls. The exposure of infrastructure-as-code and artifact repositories represents a lateral-movement vector that threatens supply-chain integrity—a concern heightened for CMMC Level 3 and NIST 800-171 compliance. An Omniware engagement can scope your development pipeline, credential hygiene, and automated detection tooling in detail.
Source: KrebsOnSecurity - https://krebsonsecurity.com/2026/05/cisa-admin-leaked-aws-govcloud-keys-on-github/
Source: KrebsOnSecurity
All briefings