defense · KrebsOnSecurity
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a postmortem on a data leak in which a contractor exposed internal credentials—including AWS GovCloud administrative keys and plaintext passwords for dozens of internal systems—in a public GitHub repository called "Private CISA" containing 844 MB of sensitive data. The repository remained public for approximately six months before CISA was notified on May 15, 2026. CISA acknowledged the initial alert but took more than 48 hours to invalidate the exposed AWS keys and other secrets. The agency's postmortem noted that system complexity and federal-industry interconnections complicated key rotation timelines, and that incident response channels were not well-defined, causing external researchers to pursue multiple notification avenues before reaching the right team.
For Omniware's clients, this incident underscores critical gaps in secrets management and incident response workflows. Defense contractors handling CUI and SaaS teams in SOC 2 observation should implement continuous scanning of public repositories for exposed credentials rather than relying on periodic checks—plaintext password storage and unrotated keys represent fundamental control failures across CMMC, SOC 2, and NIST 800-171 frameworks. Organizations must also establish clear, accessible reporting channels specifically for infrastructure incidents (separate from product vulnerability reports) and ensure external researchers can alert your security team without friction. An Omniware engagement can scope your current secrets-detection capabilities, incident response playbooks, and researcher communication channels to identify similar blind spots.
Source: KrebsOnSecurity - https://krebsonsecurity.com/2026/07/lessons-learned-from-cisas-recent-github-leak/
Source: KrebsOnSecurity
All briefings