For roughly six months, a public GitHub repo named “Private-CISA” held live AWS GovCloud admin keys for three accounts, plaintext passwords, artifactory credentials, and access to the LZ-DSO DevSecOps environment. The repo’s maintainer, a Nightwing contractor, had deliberately disabled GitHub’s secret-scanning protection. The credentials were valid from November 13, 2025 until mid-May 2026, when a GitGuardian researcher flagged the repo after automated alerts went unanswered.
The password convention was [platform name][current year]. This is the credential hygiene of a personal sticky note, applied to infrastructure that handles classified-adjacent federal workloads.
How the disclosure unfolded
GitGuardian’s Guillaume Valadon identified the repo on May 15, 2026. CISA was notified. The repo went offline, but the exposed AWS GovCloud keys remained valid for another 48 hours. A week after initial notification, TruffleHog creator Dylan Ayrey found an RSA private key still active, granting full access to the CISA-IT GitHub organization: all repositories, CI/CD pipelines, and branch protection rules.
That is a supply-chain chokepoint sitting open for seven days after the agency knew it had a problem.
KrebsOnSecurity published its investigation on May 18. By May 19, both Sen. Maggie Hassan (D-NH) and Rep. Bennie Thompson (D-MS) had sent letters to CISA Acting Director Nick Andersen. Thompson’s letter warned the exposed files “provided the information, access, and roadmap” for adversaries like China, Russia, and Iran to gain persistence on federal networks.
CISA’s official response: “Currently, there is no indication that any sensitive data was compromised as a result of this incident.” The repo was public for approximately six months. “No indication” is doing a lot of work in that sentence.
What the credentials exposed
Philippe Caturegli of Seralys validated that the exposed credentials authenticated to three AWS GovCloud accounts at high privilege. The most dangerous vector he identified was the artifactory: a compromised package repository could inject backdoors into every new CISA software deployment. This is not a hypothetical. A poisoned internal package feed is the standard entry point for software supply-chain compromise, and the repo handed over the keys to that feed in plaintext.
The repo also contained a CSV of plaintext passwords and credentials for the LZ-DSO DevSecOps environment, the landing zone that governs how CISA’s cloud accounts are provisioned and secured.
The GovCloud assumption gap
AWS GovCloud is a partition physically and logically separated from commercial AWS, designed to handle sensitive U.S. government workloads subject to FedRAMP, ITAR, and other compliance regimes. That separation is real. It is also irrelevant when an administrator commits valid GovCloud credentials to a public repository on commercial GitHub.
The architectural boundary between GovCloud and commercial AWS prevents certain classes of cross-tenant access. It does not prevent a human with valid credentials from exfiltrating data through those credentials, regardless of where the credentials were leaked. GovCloud’s perimeter model assumes the credential holder is authorized. When the credential holder has published those credentials to the open internet, the perimeter is moot.
For agencies that treat GovCloud’s separation as a compensating control for credential hygiene, this incident is a concrete refutation. The credential management problem is identical to commercial AWS. The blast radius of exposed GovCloud keys is larger, because the data behind them carries higher classification weight.
Congressional pressure amid a staffing crisis
The Hassan and Thompson letters arrived as CISA is operating with roughly one-third fewer staff than it had in January 2025, dropping from approximately 3,400 to 2,400 personnel through forced retirements, buyouts, and resignations. Its operational budget faces a proposed reduction of over $420 million, with cuts targeting cybersecurity operations, training, and the National Risk Management Center.
An agency responsible for federal civilian cybersecurity is being asked to do more with less at the precise moment a contractor exposed its infrastructure credentials to the internet for half a year.
What FedRAMP boundary monitoring covers and where the gaps are
FedRAMP authorization requires cloud service providers to implement continuous monitoring, including log analysis, vulnerability scanning, and incident response. What it does not require, and what this incident reveals as a structural gap, is any mechanism to detect when credentials that authenticate to the boundary are exposed outside the boundary.
The detection chain that failed here had three links:
- GitHub secret scanning: Disabled by the contractor. Individual users can turn it off. There is no organization-level enforcement that prevents a contributor from disabling push protection on their own repository.
- AWS-side credential monitoring: GovCloud did not flag that valid, high-privilege access keys appeared in a public code repository. AWS offers managed rotation and detection through services like AWS Secrets Manager, but these are opt-in. The exposed keys were static, long-lived credentials with no rotation policy.
- CISA’s internal credential rotation: Keys remained valid for 48 hours after the repo was taken down. The RSA key was valid for at least a week. No automated rotation triggered on notification.
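The first link in that chain, secret scanning, is worth seeing in code, because it is the one link an organization can enforce on its own side regardless of what a contributor toggles on a personal repo. The script below is an added example, not code from the article, GitHub, GitGuardian or CISA: a minimal push-protection style gate that examines only the lines a push would add and blocks on AWS access key IDs, AWS secret keys, private-key blocks, and the "[platform name][current year]" password convention the article describes. The platform list in that last pattern, the sample diff, and the placeholder credentials (AWS's own published documentation examples, not live keys) are all constructed for this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Patterns for the secret types named in the article. Kept narrow so a
# pre-receive hook can block a push on a match without drowning in noise.
AWS_ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
AWS_SECRET_KEY = re.compile(
    r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
PRIVATE_KEY_BLOCK = re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----")
# The "[platform name][current year]" convention described above, e.g.
# Artifactory2026. The platform list is an assumption for this example.
PLATFORM_YEAR_PASSWORD = re.compile(
    r"(?i)(?:password|passwd|pwd)\s*[=:,]\s*['\"]?"
    r"((?:artifactory|github|aws|jenkins|gitlab)20[2-3][0-9])\b"
)


@dataclass
class Finding:
    kind: str
    line_no: int
    excerpt: str  # always redacted: a scanner must not re-leak what it found


def _redact(value: str) -> str:
    """Keep a recognisable prefix/suffix so an operator can match the finding."""
    return value[:4] + "*" * max(len(value) - 6, 0) + value[-2:]


def scan_text(text: str) -> list[Finding]:
    """Scan arbitrary text (a file, a diff hunk) line by line."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append(Finding("aws_access_key_id", line_no, _redact(m.group(0))))
        for m in AWS_SECRET_KEY.finditer(line):
            findings.append(Finding("aws_secret_access_key", line_no, _redact(m.group(1))))
        if PRIVATE_KEY_BLOCK.search(line):
            findings.append(Finding("private_key", line_no, "-----BEGIN ... PRIVATE KEY-----"))
        for m in PLATFORM_YEAR_PASSWORD.finditer(line):
            findings.append(Finding("platform_year_password", line_no, _redact(m.group(1))))
    return findings


def scan_added_lines(unified_diff: str) -> list[Finding]:
    """Push-protection view: only lines the push would add matter."""
    added = []
    for line in unified_diff.splitlines():
        if line.startswith("+") and not line.startswith("+++"):
            added.append(line[1:])
        else:
            added.append("")  # keep numbering aligned with the diff
    return scan_text("\n".join(added))


def should_block_push(unified_diff: str) -> bool:
    return bool(scan_added_lines(unified_diff))


# Constructed diff using the documentation placeholder credentials AWS
# publishes (AKIAIOSFODNN7EXAMPLE / wJalr...EXAMPLEKEY); nothing here is live.
SAMPLE_DIFF = """\
diff --git a/terraform/govcloud.tfvars b/terraform/govcloud.tfvars
--- a/terraform/govcloud.tfvars
+++ b/terraform/govcloud.tfvars
@@ -1,2 +1,5 @@
 region = "us-gov-west-1"
+aws_access_key_id     = "AKIAIOSFODNN7EXAMPLE"
+aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+artifactory_password  = "Artifactory2026"
-old_comment = "nothing to see"
"""

if __name__ == "__main__":
    for f in scan_added_lines(SAMPLE_DIFF):
        print(f"line {f.line_no}: {f.kind} ({f.excerpt})")
    print("block push:", should_block_push(SAMPLE_DIFF))
```

Run server-side as a pre-receive hook, a gate like this cannot be switched off by the committer, which is the property the contractor-disabled client-side scanning lacked. The findings carry only redacted excerpts so the alert pipeline does not become a second copy of the leak.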
Takeaways
For any agency or organization relying on GitHub secret scanning plus cloud-side detection as a two-layer net:
- Detection can be disabled by a single contributor. Organization-level policies that enforce push protection and secret scanning on all repositories, including contractor-maintained ones, are necessary. Opt-in is not a control.
- Static, long-lived credentials are a liability regardless of the cloud partition. GovCloud’s separation from commercial AWS does not mitigate credential exposure. Short-lived tokens with automated rotation, scoped to the minimum required permissions, reduce the window of exploitation from months to minutes.
- FedRAMP boundary monitoring is inbound-focused. It watches what enters the boundary. It does not watch for boundary credentials appearing outside it. Agencies that rely solely on FedRAMP compliance as evidence of credential security are missing an entire detection surface.
- Contractor access is perimeter access. A Nightwing contractor had admin-level GovCloud keys and the ability to disable security scanning on a repository containing those keys. The blast radius of that access was not contained by any organizational control between CISA and the contractor’s personal GitHub account.
The repo is down. The credentials, eventually, were rotated. The structural gap remains.
Frequently Asked Questions
What AWS-native controls could have limited the blast radius after the keys were exposed?
AWS Organizations Service Control Policies (SCPs) can restrict the actions any IAM principal can perform, even with admin-level keys. If CISA’s GovCloud accounts had scoped SCPs blocking cross-region data exfiltration or IAM user creation from unfamiliar regions, a compromised key’s utility would be narrower. AWS IAM Access Analyzer and GuardDuty can flag anomalous API patterns, but neither was apparently configured to alert on credential use from IPs outside CISA’s expected network ranges.
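To make the SCP point concrete, here is an added example (not CISA's policy and not code from the article) of the two guardrails just described: a GovCloud region fence using the real `aws:RequestedRegion` condition key with the NotAction exemption for global services that AWS's documented pattern uses, and a deny on minting new long-lived IAM credentials. Beneath it is a small evaluator that models the part of SCP evaluation that matters here: an explicit Deny wins over everything, and absent a matching Allow nothing is permitted. The evaluator supports only StringEquals/StringNotEquals and is an assumption-laden simplification of IAM's full logic, not AWS's engine.

```python
from __future__ import annotations

import fnmatch
import json

# Constructed SCP, not CISA's: a GovCloud region fence plus a ban on minting
# new long-lived IAM credentials. The condition key aws:RequestedRegion and
# the NotAction exemption for global services follow AWS's published pattern.
GOVCLOUD_GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FullAWSAccess", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Sid": "DenyOutsideGovCloudRegions",
            "Effect": "Deny",
            "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*"],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": ["us-gov-west-1", "us-gov-east-1"]}
            },
        },
        {
            "Sid": "DenyNewLongLivedCredentials",
            "Effect": "Deny",
            "Action": ["iam:CreateUser", "iam:CreateAccessKey", "iam:CreateLoginProfile"],
            "Resource": "*",
        },
    ],
}


def _as_list(v):
    return [v] if isinstance(v, str) else list(v)


def _action_matches(patterns, action: str) -> bool:
    return any(fnmatch.fnmatchcase(action, p) for p in _as_list(patterns))


def _statement_applies(stmt: dict, action: str) -> bool:
    if "Action" in stmt:
        return _action_matches(stmt["Action"], action)
    return not _action_matches(stmt["NotAction"], action)


def _condition_holds(cond: dict, ctx: dict) -> bool:
    """Subset of IAM condition semantics: StringEquals / StringNotEquals only.
    A missing context key makes StringNotEquals true and StringEquals false,
    matching how IAM evaluates absent keys."""
    for op, pairs in cond.items():
        if op not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(f"operator {op} not modelled here")
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if op == "StringEquals" and actual not in _as_list(expected):
                return False
            if op == "StringNotEquals" and actual in _as_list(expected):
                return False
    return True


def scp_permits(policy: dict, action: str, ctx: dict) -> tuple[bool, str | None]:
    """Return (permitted, denying_sid). An explicit Deny always wins; otherwise
    the action needs at least one matching Allow, as in real SCP evaluation."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False, stmt.get("Sid")
        allowed = True
    return allowed, None


if __name__ == "__main__":
    print(json.dumps(GOVCLOUD_GUARDRAIL_SCP, indent=2))
    for action, region in [("s3:GetObject", "us-gov-west-1"),
                           ("s3:GetObject", "us-east-1"),
                           ("iam:CreateAccessKey", "us-gov-west-1")]:
        ctx = {"aws:RequestedRegion": region}
        print(action, region, scp_permits(GOVCLOUD_GUARDRAIL_SCP, action, ctx))
```

The important property is that the Deny statements bind even a principal holding admin-level keys, because SCPs are evaluated before any identity policy grants anything. The second statement does not stop a leaked key from being used; it stops that key from being used to create further keys that would outlive a rotation.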
How does this compare to the Storm-0558 Microsoft signing key theft?
Storm-0558 (2023) gave Chinese state actors access to 25+ federal agencies’ email through a stolen Azure signing key recovered from a crash dump. The CISA leak is a different class of failure: direct admin credentials to cloud infrastructure rather than a forged authentication token. The Storm-0558 key was active for roughly 6 weeks before detection. The Private-CISA repo sat open for 6 months. Both share a root cause of static, long-lived secrets with no automated rotation triggering on exposure.
Does FedRAMP distinguish between contractor and direct-employee access to cloud credentials?
No. FedRAMP authorization applies to the cloud service provider’s control implementation, not the agency’s internal personnel governance. Whether an admin key is held by a GS-15 federal employee or a Nightwing contractor, the FedRAMP boundary treats them identically. The governance gap is on the agency side: contractors often operate under different IT management policies, use personal developer tooling (such as a personal GitHub account rather than an organizational one), and may not be subject to the same endpoint-security requirements as direct federal staff.
Could an adversary have used the exposed credentials without triggering detection?
Yes. AWS GovCloud logs API calls through CloudTrail, but an adversary operating from a US-based IP, making read-only enumeration calls during business hours, and avoiding privilege-escalation actions would likely blend into normal administrative traffic. The credential was valid for 6 months, giving ample time for patient reconnaissance. CISA’s ‘no indication of compromise’ statement most likely reflects the absence of GuardDuty anomaly alerts, not a forensic audit of all API activity during the full exposure window.
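Two of the answers above point at the same detection gap: the first notes that nothing alerted on credential use from outside CISA's expected network ranges, and this one notes that read-only enumeration from a plausible source blends into normal administrative traffic. The script below is an added example, not code from the article, AWS, or CISA, that runs three defender-side rules over constructed CloudTrail-shaped records: calls from outside an allowlisted egress range, calls outside working hours, and a breadth check that counts distinct read-only API names per access key inside a short window, which is the signal patient enumeration leaves even when every individual call is benign. The egress range (TEST-NET-3), the working-hours window, the threshold, the sample IPs and the placeholder key are all assumptions made for this example.

```python
from __future__ import annotations

import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed baseline for this example: the agency's known egress range
# (TEST-NET-3) and its administrative working hours in UTC.
EXPECTED_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]
BUSINESS_HOURS_UTC = (12, 23)   # calls outside [12:00, 23:00) are off-hours
ENUM_WINDOW = timedelta(minutes=10)
ENUM_THRESHOLD = 5              # distinct read-only calls per key per window


def _ts(rec: dict) -> datetime:
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def outside_expected_ranges(rec: dict) -> bool:
    """True when the call came from an IP the agency does not own.
    Non-IP sources ("AWS Internal", service principals) are not routable
    and are left to other rules."""
    try:
        ip = ipaddress.ip_address(rec["sourceIPAddress"])
    except ValueError:
        return False
    return not any(ip in net for net in EXPECTED_EGRESS)


def off_hours(rec: dict) -> bool:
    start, end = BUSINESS_HOURS_UTC
    return not (start <= _ts(rec).hour < end)


def find_enumeration_bursts(records: list[dict]) -> dict[str, int]:
    """Breadth, not privilege: count distinct read-only API names per access
    key inside a sliding window. Returns key -> largest distinct count seen
    at or above ENUM_THRESHOLD."""
    by_key: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for r in records:
        key = r["userIdentity"].get("accessKeyId")
        if key and r.get("readOnly") is True:
            by_key[key].append((_ts(r), r["eventName"]))
    bursts: dict[str, int] = {}
    for key, events in by_key.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            names = {name for t, name in events[i:] if t - t0 <= ENUM_WINDOW}
            if len(names) >= ENUM_THRESHOLD:
                bursts[key] = max(bursts.get(key, 0), len(names))
    return bursts


def analyze(records: list[dict]) -> list[dict]:
    """Apply all three rules and return one alert dict per hit."""
    alerts = []
    for r in records:
        base = {"accessKeyId": r["userIdentity"].get("accessKeyId"),
                "eventTime": r["eventTime"], "eventName": r["eventName"]}
        if outside_expected_ranges(r):
            alerts.append({"rule": "source_ip_outside_expected_ranges", **base})
        if off_hours(r):
            alerts.append({"rule": "off_hours_api_call", **base})
    for key, n in find_enumeration_bursts(records).items():
        alerts.append({"rule": "read_only_enumeration_burst", "accessKeyId": key, "distinctCalls": n})
    return alerts


def _rec(time: str, source: str, name: str, ip: str, key: str, read_only: bool = True) -> dict:
    """Minimal CloudTrail record shape (only the fields the rules read)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "readOnly": read_only,
            "userIdentity": {"type": "IAMUser", "accessKeyId": key}}


# Constructed records. AKIAIOSFODNN7EXAMPLE is AWS's documentation placeholder;
# 198.51.100.7 (TEST-NET-2) stands in for an address the agency does not own.
KEY = "AKIAIOSFODNN7EXAMPLE"
SAMPLE_EVENTS = [
    _rec("2026-03-02T14:05:00Z", "s3.amazonaws.com", "ListBuckets", "203.0.113.10", KEY),
    _rec("2026-03-02T14:06:00Z", "ec2.amazonaws.com", "DescribeInstances", "198.51.100.7", KEY),
    _rec("2026-03-02T14:07:00Z", "iam.amazonaws.com", "ListUsers", "198.51.100.7", KEY),
    _rec("2026-03-02T14:08:00Z", "secretsmanager.amazonaws.com", "ListSecrets", "198.51.100.7", KEY),
    _rec("2026-03-02T14:09:00Z", "sts.amazonaws.com", "GetCallerIdentity", "198.51.100.7", KEY),
    _rec("2026-03-02T14:10:00Z", "ecr.amazonaws.com", "DescribeRepositories", "198.51.100.7", KEY),
    _rec("2026-03-02T03:30:00Z", "s3.amazonaws.com", "ListBuckets", "203.0.113.10", KEY),
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(a)
```

None of these rules depends on GuardDuty being enabled; they need only the CloudTrail records GovCloud already writes and an agency-maintained list of its own egress addresses. That is also why a statement of "no indication" built on the absence of GuardDuty findings says little: the indication, if any, is in the trail itself, and has to be queried for the full exposure window.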