CISA Admin Leaked AWS GovCloud Keys on Github

What’s new: A contractor for the Cybersecurity & Infrastructure Security Agency (CISA) publicly exposed AWS GovCloud credentials and internal CISA system details on GitHub. The repository, named “Private-CISA,” contained sensitive information including plaintext passwords, AWS keys, and internal operational files. The repository was created on November 13, 2025, and was taken offline shortly after being reported. However, the exposed AWS keys remained valid for an additional 48 hours.

Who’s affected

The incident affects CISA and its internal systems, as well as potentially compromising AWS GovCloud accounts associated with the agency. The exposure of sensitive credentials poses a risk to the security of CISA’s operations and could allow unauthorized access to critical systems.

What to do

• Review and rotate any exposed AWS keys and credentials associated with CISA systems.
• Implement stricter access controls and monitoring for sensitive repositories.
• Educate staff on secure coding practices, including the importance of not storing credentials in public repositories.
• Conduct a security audit of internal systems to identify and mitigate any potential vulnerabilities stemming from this incident.

Sources

• Krebs on Security