GitHub · Kubernetes · Crypto Briefing
One file, helpfully named “importantAWStokens,” contained admin credentials for three AWS GovCloud accounts
Compiled by KHAO Editorial — aggregated from 1 source. See llms.txt for citation guidance.
◌ Single Source
Beyond the passwords, the repo included GitHub tokens, sensitive YAML configuration files, and references to CISA’s own software-building environment.
Key facts
- After GitGuardian flagged the issue, the repository was taken down within approximately 26 hours, by May 15, 2026
- A public repo maintained by a CISA contractor, ironically named “Private-CISA,” contained 844 MB of sensitive data including administrative credentials for AWS GovCloud accounts, CI/CD logs
- The fact that a contractor’s repo contained references to CISA’s own build environment echoes the kind of supply chain risk the agency has spent years telling others to mitigate, most notably
- The fact that CISA’s exposed keys remained valid for 48 hours post-takedown would have been more than enough time for an attacker to pivot through connected systems
Summary
The US federal cybersecurity agency, tasked with protecting critical infrastructure, left admin credentials and AWS GovCloud keys in a public repository that sat undetected for half a year. A public repo maintained by a CISA contractor, ironically named “Private-CISA,” contained 844 MB of sensitive data including administrative credentials for AWS GovCloud accounts, CI/CD logs, Kubernetes manifests, and internal documentation. One file, helpfully named “importantAWStokens,” contained admin credentials for three AWS GovCloud accounts. After GitGuardian flagged the issue, the repository was taken down within approximately 26 hours, by May 15, 2026.