Why was the Private-CISA GitHub repository left public for six months?
Discover why the “Private-CISA” leak wasn’t just a mistake, but a “mixed-identity” workflow flaw that bypassed federal security and exposed 844 MB of data.
Key Takeaways
What: A CISA contractor leaked 844 MB of sensitive GovCloud credentials and internal passwords via a public GitHub repository.
Why: Personal “synchronization” workflows and intentionally disabled security scanning bypassed federal perimeters.
How: Remediation requires moving to short-lived identity-based access and enforcing strict identity boundaries for developers.
When researcher Guillaume Valadon first saw the GitHub repository named “Private-CISA,” he initially thought it was a hoax. The directory names were so explicit—“All Backups/,” “ENTRA ID – SAML Certificates/,” and “AWS-Workspace-Firefox-Passwords.csv”—that they seemed like a trap for researchers. Unfortunately, the 844 MB of data was real, belonging to the agency tasked with being America’s cyber-shield.
The “Mixed-Identity” Workflow: Bypassing Federal Perimeters
The most striking part of this breach was how the mistake was built into a daily routine. While most assume data leaks occur through complex malware, this was the result of a mundane synchronization loophole.
The repository was maintained by a contractor working for Nightwing who used a personal GitHub account as a “working scratchpad.” By mixing a CISA-issued contractor email with a personal Yahoo account in the same Git history, the developer created a bridge between a highly secured federal environment and an unmonitored personal cloud. This “mixed-identity pattern” pulls production secrets out of the enterprise perimeter and into a space where oversight is non-existent.
The Security Bypass Insight
Standard logic suggests automated tools like GitHub’s secret scanning are a “set it and forget it” safety net. In this case, the automated tools worked—they blocked the developer from pushing secrets. However, instead of removing the credentials, the developer viewed the tool as a hurdle. The repository contained explicit instructions on how to disable secret-scanning controls so the commits could go through. The very tool meant to protect CISA became the reason the developer documented a way to break security policy.
Technical Autopsy: 844 MB of Exposed Infrastructure
The leak provided a literal blueprint of CISA’s internal cloud. Among the files were administrative credentials for three AWS GovCloud environments and plaintext passwords for internal CISA systems.
The leak also exposed tokens for JFrog Artifactory, the internal repository where CISA stores its software builds. If a bad actor had found these first, they could have tampered with software CISA sends to other agencies, potentially poisoning the federal supply chain.
The 48-Hour Revocation Gap
There is a common assumption that once a repository is deleted, the danger ends. This incident proved otherwise. Although the repository was taken down within a day of the researchers’ alerts, some high-privilege AWS GovCloud keys remained active for another 48 hours. In a real attack, those extra two days allow intruders to create “backdoor” accounts that remain active long after the original keys are revoked.
Institutional Context: Budgetary and Leadership Voids
This leak occurred during a period of instability for CISA. The agency has been without a permanent director since early 2025 and has lost roughly a third of its workforce to resignations and budget cuts. Legislators, including Rep. Bennie Thompson and Sen. Maggie Hassan, have demanded briefings to understand if these cuts created the “perfect storm” of low morale and poor oversight that allowed a contractor to operate a public repository for six months unnoticed.
Remediation: Hardening Developer Environments
Fixing this requires a fundamental shift in identity management:
- Kill Static Credentials: Moving to short-lived, identity-based access would have made leaked AWS keys useless within minutes.
- Enforce Identity Boundaries: Organizations must prevent “mixed-identity” workflows by ensuring work-related code can only be pushed from managed devices.
- Monitor for Bypasses: Security teams need alerts whenever a developer intentionally disables a security control to bypass push protection.
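A defender-side check for the “mixed-identity pattern” described above and for the “Enforce Identity Boundaries” item: this is an added example, not code from the article, CISA or Nightwing. It scans `git log` output for commits whose author or committer e-mail falls outside an approved set of organisation domains and reports whether a repository’s history mixes approved and personal identities; the approved domains and the sample log lines are constructed placeholders.

```python
import subprocess

# Assumed organisation domains (placeholders, not from the incident).
APPROVED_DOMAINS = {"contractor.example.gov", "example.gov"}

# Constructed sample of `git log --format=%H%x09%ae%x09%ce` output:
# one commit per line, tab-separated: sha, author e-mail, committer e-mail.
SAMPLE_LOG = """\
a1b2c3\tdev@contractor.example.gov\tdev@contractor.example.gov
d4e5f6\tdev@contractor.example.gov\tsomeone@yahoo.com
0a1b2c\tsomeone@yahoo.com\tsomeone@yahoo.com
f9e8d7\t12345+someone@users.noreply.github.com\tnoreply@github.com
"""

def domain_of(email):
    """Lower-cased domain part; GitHub noreply addresses count as personal."""
    return email.rsplit("@", 1)[-1].lower()

def parse_log(text):
    """Turn the tab-separated log text into (sha, author, committer) tuples."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 3:
            raise ValueError(f"unexpected log line: {line!r}")
        commits.append(tuple(parts))
    return commits

def audit_identities(commits, approved=APPROVED_DOMAINS):
    """Return (flagged, mixed): flagged is a sorted list of (sha, email) pairs
    outside the approved domains; mixed is True when the same history carries
    both approved and unapproved identities, i.e. the bridge described above."""
    flagged = set()
    approved_seen = unapproved_seen = False
    for sha, author, committer in commits:
        for email in {author, committer}:
            if domain_of(email) in approved:
                approved_seen = True
            else:
                unapproved_seen = True
                flagged.add((sha, email))
    return sorted(flagged), approved_seen and unapproved_seen

def audit_repo(path, approved=APPROVED_DOMAINS):
    """Run the same check against a real checkout (all refs, not just HEAD)."""
    out = subprocess.run(["git", "-C", path, "log", "--all",
                          "--format=%H%x09%ae%x09%ce"],
                         capture_output=True, text=True, check=True).stdout
    return audit_identities(parse_log(out), approved)

if __name__ == "__main__":
    flagged, mixed = audit_identities(parse_log(SAMPLE_LOG))
    print("mixed-identity history:", mixed)
    for sha, email in flagged:
        print(f"  {sha}  {email}")
```

Running the check in a pre-receive hook or a scheduled job over every repository the organisation pushes to turns the pattern into an alert rather than something a researcher discovers six months later.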
While CISA states there is no evidence the data was misused, this serves as a reminder that security agencies are only as strong as their most rushed contractor.