One of the most embarrassing government data leaks in recent history came to light this past weekend — a CISA contractor had been maintaining a public GitHub repository stuffed with credentials for highly privileged AWS GovCloud accounts and dozens of internal CISA systems.
The repo, called “Private-CISA,” was flagged by Guillaume Valadon, a researcher at GitGuardian. His company scans public code repositories for exposed secrets, and this one was bad. We’re talking plaintext passwords in CSV files, AWS administrative tokens, internal system credentials — the works. Valadon said he initially thought it was fake. “This is indeed the worst leak that I’ve witnessed in my career,” he wrote.
One exposed file titled “importantAWStokens” contained admin credentials for three AWS GovCloud servers. Another — “AWS-Workspace-Firewall-Passwords.csv” — listed plaintext usernames and passwords for internal CISA systems, including what appears to be the agency’s secure code development environment.
Philippe Caturegli, founder of security consultancy Seralys, tested the keys and confirmed they were still valid at a high privilege level. He noted the repo also exposed credentials to CISA’s internal code artifact repository — a goldmine for attackers looking to backdoor software builds.
The repo was created in November 2025 and appears to have been used as a personal sync tool between a work laptop and a home computer. Many of the passwords followed a predictable pattern: platform name plus the current year. The contractor had also disabled GitHub’s default secrets detection feature.
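The detection the disabled GitHub feature would have performed is not complicated. The following scanner is an added example written for this article (not GitGuardian's, GitHub's or CISA's tooling): it flags AWS access key IDs by their documented format and flags CSV rows that carry a plaintext password, marking the "platform name plus current year" ones the article describes as predictable; the file names echo the leaked ones, but all contents are constructed.

```python
import csv
import io
import re

# AWS access key IDs: 4-letter prefix (AKIA long-term, ASIA temporary) + 16 upper-case alphanumerics.
AWS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# "Platform name plus year" passwords such as Github2025 or Vpn2025!
NAME_PLUS_YEAR = re.compile(r"^[A-Za-z]{3,}((?:19|20)\d{2})[^A-Za-z0-9]{0,2}$")

def find_aws_key_ids(text):
    """Return every AWS access key ID found in free text (notes, scripts)."""
    return AWS_KEY_ID.findall(text)

def find_csv_credentials(csv_text, year):
    """Flag each row of a CSV that has a password column: any plaintext
    password in a repo is a finding; a name+current-year one is also weak."""
    reader = csv.DictReader(io.StringIO(csv_text))
    pw_col = next((c for c in reader.fieldnames or [] if "password" in c.lower()), None)
    if pw_col is None:
        return []
    findings = []
    for row in reader:
        pw = row.get(pw_col) or ""
        if not pw:
            continue
        reason = "plaintext password"
        m = NAME_PLUS_YEAR.match(pw)
        if m and m.group(1) == str(year):
            reason += ", predictable name+year pattern"
        findings.append((row.get("username") or "?", reason))
    return findings

def scan_repo(files, year):
    """files maps path -> text content. Returns one readable finding per hit, key IDs redacted."""
    out = []
    for path, text in files.items():
        for key_id in find_aws_key_ids(text):
            out.append(f"{path}: AWS access key ID {key_id[:4]}... (redacted)")
        if path.lower().endswith(".csv"):
            for user, reason in find_csv_credentials(text, year):
                out.append(f"{path}: {reason} for user {user}")
    return out

# Constructed sample repo: the file names echo the leaked ones, but every value is
# invented (AKIAIOSFODNN7EXAMPLE is the placeholder key ID used in AWS's own docs).
SAMPLE_FILES = {
    "importantAWStokens": "govcloud admin: AKIAIOSFODNN7EXAMPLE\n",
    "AWS-Workspace-Firewall-Passwords.csv": "username,Password,platform\nalice,Github2025,github\nbob,x7!Qp9#vL2mZ,vpn\n",
}
```

Run as `scan_repo(SAMPLE_FILES, 2025)`; the same functions can be wired into a pre-commit hook so a personal sync repo never reaches a public remote with these contents.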
CISA says it’s investigating and that there’s “no indication that any sensitive data was compromised.” The repo has been taken offline, though the AWS keys inexplicably stayed valid for another 48 hours after the exposure was reported. The agency is already operating with a skeleton crew after losing nearly a third of its workforce since January.
