CISA Exposed AWS GovCloud Credentials in Public GitHub Repo — Cybersecurity And Infrastructure Security Agency
The cybersecurity and infrastructure security agency left digital keys to its own cloud storage accounts in plain text in a public GitHub repository named Private-CISA. The repository stayed open for about six months before the problem was fixed over the weekend.
Private-CISA and AWS GovCloud
One exposed file titled importantAWStokens included the administrative credentials to three Amazon AWS GovCloud servers. Another file, AWS-Workspace-Firefox-Passwords.csv, listed plaintext usernames and passwords for dozens of internal CISA systems.
CISA said, “Currently, there is no indication that any sensitive data was compromised as a result of this incident[…] While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences.”
Nightwing and LZ-DSO
An individual employee working for a government contractor called Nightwing was using Github to move material from a work device to a home device, according to one interpretation of the Krebs report. One of the systems named in the exposed file was LZ-DSO, which appears short for Landing Zone DevSecOps.
Trump, CISA, and funding
The breach lands inside a political history that already put CISA under pressure. Donald Trump signed CISA into law in 2018, later fired the CISA director he appointed after becoming enraged by information from CISA leadership between the 2020 election and January 6, 2021, and has recently sought to drastically cut CISA’s funding.
For agencies and contractors handling cloud credentials, the practical lesson is blunt: a public repository can turn internal passwords into a long-lived exposure if file handling goes wrong, even when the organization says no sensitive data was compromised. The remaining question is whether CISA’s added safeguards will be enough to stop another six-month gap from opening again.
