Executive Summary
In May 2026, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) inadvertently exposed highly sensitive credentials by maintaining a public GitHub repository named "Private-CISA." This repository contained administrative credentials for three AWS GovCloud accounts, plaintext passwords for numerous internal CISA systems, and detailed internal documentation on software development processes. The exposure persisted for approximately six months before being discovered by a security researcher from GitGuardian, who alerted CISA. The repository was subsequently taken offline, and an investigation was initiated to assess potential impacts.
This incident underscores the critical importance of stringent security practices in managing sensitive information, especially within organizations tasked with national cybersecurity. It highlights the risks associated with improper handling of credentials and the necessity for robust oversight and compliance measures to prevent similar exposures in the future.
Why This Matters Now
The exposure of sensitive credentials by a national cybersecurity agency contractor highlights the urgent need for organizations to enforce strict security protocols and oversight, especially when handling critical infrastructure. This incident serves as a stark reminder of the potential risks and underscores the importance of continuous monitoring and compliance to safeguard against similar vulnerabilities.
Attack Path Analysis
An attacker discovered and exploited the publicly exposed AWS GovCloud credentials from the CISA contractor's GitHub repository to gain initial access. Using those credentials, the attacker escalated privileges to reach sensitive internal systems, then moved laterally within CISA's network to access further internal resources. Command and control channels were established to maintain persistent access, and sensitive data was exfiltrated from internal systems. The result was significant data exposure and potential compromise of critical infrastructure.
Kill Chain Progression
Initial Compromise
Description
An attacker discovered and exploited publicly exposed AWS GovCloud credentials from a CISA contractor's GitHub repository, gaining initial access.
MITRE ATT&CK® Techniques
Unsecured Credentials: Credentials In Files
Credentials from Password Stores: Cloud Secrets Management Stores
Search Open Websites/Domains: Code Repositories
Account Manipulation: Additional Cloud Credentials
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
- PCI DSS 4.0 – Limit access to system components and cardholder data to only those individuals whose job requires such access (Control ID: 7.1.1)
- NYDFS 23 NYCRR 500 – Cybersecurity Policy (Control ID: 500.03)
- DORA – ICT Risk Management Framework (Control ID: Article 5)
- CISA ZTMM 2.0 – Identity Management (Control ID: Identity Pillar)
- NIS2 Directive – Cybersecurity Risk Management Measures (Control ID: Article 21)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
CISA contractor's exposed AWS GovCloud credentials and internal system passwords create catastrophic risks for federal cybersecurity infrastructure and operations.
Computer/Network Security
Cloud misconfiguration exposing security agency credentials undermines industry credibility and demonstrates critical gaps in zero trust implementation practices.
Information Technology/IT
Exposed AWS tokens and plaintext passwords highlight severe cloud security hygiene failures requiring enhanced egress controls and anomaly detection.
Defense/Space
Government contractor security breach exposes defense-related systems to potential backdoor implantation and lateral movement through compromised software repositories.
Sources
- CISA Admin Leaked AWS GovCloud Keys on GitHub – https://krebsonsecurity.com/2026/05/cisa-admin-leaked-aws-govcloud-keys-on-github/
- US cyber agency CISA exposed reams of passwords and cloud keys to the open web – https://techcrunch.com/2026/05/19/us-cyber-agency-cisa-exposed-reams-of-passwords-and-cloud-keys-to-the-open-web/
- CISA exposed plaintext passwords and cloud keys on GitHub for six months – https://cryptobriefing.com/cisa-exposed-passwords-github/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident because it could have constrained the attacker's ability to escalate privileges, move laterally, and exfiltrate data by enforcing strict segmentation and access controls.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix CNSF would not prevent the initial credential exposure, it could limit the attacker's ability to use those credentials to reach sensitive internal systems.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could limit the attacker's ability to escalate privileges by enforcing strict access controls and segmentation policies.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security could constrain the attacker's lateral movement by enforcing strict segmentation and monitoring internal traffic.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could detect and limit unauthorized command and control channels through comprehensive monitoring and control of network traffic.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement could limit data exfiltration by enforcing strict egress policies and monitoring outbound traffic.
Overall, Aviatrix Zero Trust CNSF could reduce the impact of such an attack by limiting the attacker's ability to access and exfiltrate sensitive data.
Impact at a Glance
Affected Business Functions
- Internal Software Development
- Cloud Infrastructure Management
- Access Control Systems
Estimated downtime: N/A
Estimated loss: N/A
Data exposed: Administrative credentials for AWS GovCloud accounts and internal CISA systems, including plaintext passwords and cloud keys.
Recommended Actions
Key Takeaways & Next Steps
- Implement strict access controls and regularly audit repositories to prevent exposure of sensitive credentials.
- Enforce the use of dynamic, short-lived credentials and eliminate static secrets to reduce the risk of credential compromise.
- Deploy Zero Trust Segmentation to limit lateral movement within the network and enforce least privilege access.
- Utilize Multicloud Visibility & Control solutions to monitor and manage security policies across cloud environments.
- Establish comprehensive logging and monitoring to detect and respond to unauthorized access and data exfiltration attempts.
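As an added example (not part of the original incident summary or any Aviatrix tooling), a minimal repository-audit scanner in Python for the first takeaway: it flags AWS access key IDs, AWS secret access keys and password assignments in file contents, and masks each value in its report so the scan output does not itself re-expose the secret. The sample file contents are constructed; the AWS values are the placeholder examples from AWS documentation, not real credentials.

```python
import re
from typing import List, Tuple

# Constructed sample file contents, as a deploy config accidentally committed
# to a repository might look. The AWS values are the placeholder examples from
# AWS documentation, not real credentials; the password is made up.
SAMPLE_FILE = """\
# deploy settings
region = us-gov-west-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
db_password = "hunter2hunter2"
log_level = debug
"""

# Detection rules: (finding type, regex). Group 1 captures the secret value so
# the report can mask it.
RULES = [
    # Long-term (AKIA) and temporary (ASIA) access key IDs: 20 upper/digit chars.
    ("aws_access_key_id",
     re.compile(r"(?<![A-Z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])")),
    # Secret keys are 40 base64-like chars; require the key name to cut noise.
    ("aws_secret_access_key",
     re.compile(r"aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})", re.I)),
    # Any password/passwd/pwd assignment whose value is at least 8 chars.
    ("plaintext_password",
     re.compile(r"(?:password|passwd|pwd)\s*[=:]\s*[\"']?([^\s\"']{8,})", re.I)),
]

def mask(secret: str) -> str:
    """Keep only the first four characters so findings never re-expose a value."""
    return secret[:4] + "*" * (len(secret) - 4)

def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, finding type, masked value) for every rule hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in RULES:
            for m in pattern.finditer(line):
                findings.append((lineno, kind, mask(m.group(1))))
    return findings

if __name__ == "__main__":
    for lineno, kind, value in scan_text(SAMPLE_FILE):
        print(f"line {lineno}: {kind} -> {value}")
```

Run as a pre-commit hook or over a repository checkout, a non-empty result from scan_text should block the commit; a real deployment would add rules for the other credential types an organization uses.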