CISA CONTRACTOR LEAKED AWS GOVCLOUD KEYS ON GITHUB
DEV DESK
MON, MAY 18, 2026 | AI-SUMMARIZED FROM 2 SOURCES
A CISA contractor publicly exposed AWS GovCloud credentials and internal system details on GitHub until this past weekend. Security experts called it one of the most serious government data leaks in recent history.
A public GitHub repository maintained by a Cybersecurity & Infrastructure Security Agency (CISA) contractor contained highly privileged AWS GovCloud account credentials and access details to numerous internal CISA systems.
The exposed archive included sensitive files documenting CISA's internal software build, test, and deployment processes. Security researchers identified the repository as containing some of the most critical infrastructure credentials available to a U.S. government agency.
The leaked GovCloud accounts provide access to government-only AWS infrastructure used for classified and sensitive operations. Credentials for multiple privileged accounts remained publicly accessible until the repository was discovered and removed this past weekend.
Beyond the cloud credentials, the repository exposed architectural documentation and operational procedures for CISA systems. This combination of credentials and technical details gave potential attackers both access and a roadmap to exploit government infrastructure.
CISA, the federal agency responsible for cybersecurity and infrastructure protection, has not yet released a public statement about the incident or its scope. The agency typically handles credential compromise by immediately revoking exposed keys and auditing access logs for unauthorized activity.
The leak raises questions about security practices within government contracting relationships and code repository management. Standard practices recommend scanning repositories for credentials before uploading, using separate development and production keys, and restricting repository access.
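The pre-upload scan recommended above, as an added example (not code from the article, CISA, or the contractor): a Python check that flags AWS access key IDs and likely secret access keys in file contents. The sample input uses the placeholder keys from AWS documentation; the function names and the entropy threshold are assumptions of this sketch.

```python
import math
import re
import sys
from collections import Counter

# Access key IDs: "AKIA" (long-term) or "ASIA" (temporary) plus 16 characters.
ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 base64-alphabet characters with no fixed prefix.
SECRET_CANDIDATE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")

def shannon_entropy(token):
    """Bits per character of the token's own character distribution."""
    n = len(token)
    return -sum(c / n * math.log2(c / n) for c in Counter(token).values())

def redact(value):
    """Keep findings reviewable without copying the secret into CI logs."""
    return value[:4] + "..." + value[-4:]

def scan_text(path, text, min_entropy=4.0):
    """Return (path, line, kind, redacted) for each suspected AWS credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append((path, lineno, "aws_access_key_id", redact(m.group())))
        for m in SECRET_CANDIDATE.finditer(line):
            # A 40-char lowercase-hex string (git SHA-1) always scores below
            # 4.0 bits/char, so this threshold drops commit hashes.
            if shannon_entropy(m.group()) >= min_entropy:
                findings.append((path, lineno, "aws_secret_candidate", redact(m.group())))
    return findings

# Constructed sample: AWS documentation placeholder keys plus a SHA-1 decoy.
SAMPLE = """[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# pinned commit da39a3ee5e6b4b0d3255bfef95601890afd80709
"""

if __name__ == "__main__":
    # Usage (e.g. from a pre-commit hook): python scan.py FILE [FILE ...]
    hits = []
    for name in sys.argv[1:] or ["<sample>"]:
        body = SAMPLE if name == "<sample>" else open(name, errors="ignore").read()
        hits += scan_text(name, body)
    for path, lineno, kind, shown in hits:
        print(f"{path}:{lineno}: {kind} {shown}")
    sys.exit(1 if hits else 0)
```

A non-zero exit status lets a pre-commit hook or CI job block the push; a match on a key that was ever committed still means the key must be revoked, since removing it from the latest revision does not remove it from history.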
This incident ranks among the most significant government data exposures in recent years. Previous notable leaks include exposure of military communications and federal employee information, though direct access to privileged cloud infrastructure represents an unusual level of operational risk.
No indication of unauthorized access has been confirmed. CISA declined to comment on whether any malicious activity occurred during the window the credentials were public.