Published by Emerging Technologies Laboratory · via ETL Newswire
Security· 

CISA Postmortem Reveals Six-Month Exposure of AWS GovCloud Keys by Nightwing Contractor

The agency responsible for U.S. government cybersecurity published a lessons-learned report after a contractor's public GitHub repository sat open for nearly six months, leaking administrative cloud credentials and plaintext passwords.

By Renée Kovac, Correspondent · Security Desk

CISA released a postmortem this week on one of the more structurally damaging credential exposures in recent federal history: a contractor employed by Nightwing, a Dulles, Virginia-based government services firm, maintained a public GitHub repository named "Private CISA" from November 2025 through May 2026, leaking 844 MB of sensitive data that included administrative credentials to three AWS GovCloud accounts and plaintext usernames and passwords for dozens of internal CISA systems.

The exposure wasn't caught by CISA's own tooling. According to a report reviewed by KrebsOnSecurity, it was Guillaume Valadon of the security firm GitGuardian whose company continuously scans public code repositories for exposed secrets and who flagged the repository on May 14, 2026, after nine automated alerts failed to generate a response from the contractor's account. GitGuardian eventually asked KrebsOnSecurity for help in reaching CISA, which received notification on May 15.

The file inventory reads like a tabletop exercise gone wrong. One file titled "importantAWStokens" contained administrative login credentials to three AWS GovCloud servers. A second, "AWS-Workspace-Firefox-Passwords.csv," held plaintext usernames and passwords for dozens of internal systems. The repository also contained Kubernetes manifests, ArgoCD application files, Terraform code, GitHub Actions workflows, and internal deployment documentation, according to details reported by KrebsOnSecurity and corroborated by Axis Intelligence's technical breakdown.

Security consultant Philippe Caturegli of Seralys confirmed to KrebsOnSecurity that the exposed AWS credentials authenticated to those GovCloud accounts at a high privilege level. That matters because AWS GovCloud is an isolated region designed to host U.S. government sensitive workloads under FedRAMP High and DoD impact-level requirements. Standing administrative access to those environments is not contractor-grade exposure; it's the kind of access a serious adversary would pay for.

The postmortem itself is worth reading as an artifact. CISA acknowledged that its key rotation took more than 48 hours after the repository was taken offline, attributing the delay to "the complexities of the agency's systems and interconnections with federal and industry partners," according to the report reviewed by KrebsOnSecurity. The agency also admitted its incident-response channels weren't clearly defined, which forced Valadon to try multiple notification paths before CISA engaged. On the positive side, the agency said extensive logging and zero-trust controls helped assess the breach's scope, and that no customer or mission data was confirmed compromised.

That last statement is confidence-level low, not a finding. As the Axis Intelligence technical review notes, any unauthorized access during the 48-hour post-removal window where valid credentials still worked would be "identical in logs to routine administrative activity." With CISA operating at roughly 70 percent of its pre-2025 staffing after the Trump administration's workforce reductions, the forensic capacity to rule out access across three high-privilege cloud environments over a 183-day window is a serious question the postmortem doesn't answer.

The contractor was apparently using a personal GitHub account, created in September 2018, to sync files between a work laptop and a home computer, and had disabled GitHub's built-in secret-scanning protections to do it. That's a contractor governance failure, not a sophisticated intrusion. The GitGuardian 2026 State of Secrets Sprawl report adds context: 28.65 million new hardcoded secrets were added to public GitHub commits in 2025 alone, a 34 percent year-over-year increase. CISA's incident is a data point inside a much larger systemic problem with how government contractors handle long-lived static credentials.

CISA's own postmortem urges agencies to "maintain mature and well-tested key management capabilities" and to establish clear internal reporting channels for incidents affecting the agency itself. The Nightwing contractor lost system access. CISA says it's implementing additional safeguards. Neither the agency nor Nightwing has said publicly whether the investigation is closed.

Sources cited:
- Krebs on Security, CISA Admin Leaked AWS GovCloud Keys on GitHub (May 2026) (https://krebsonsecurity.com/2026/05/cisa-admin-leaked-aws-govcloud-keys-on-github/)
- Krebs on Security, Lessons Learned from CISA's Recent GitHub Leak (July 14, 2026) (https://krebsonsecurity.com/2026/07/lessons-learned-from-cisas-recent-github-leak/)
- Axis Intelligence, CISA GitHub Data Leak 2026: Full Technical Breakdown (https://axis-intelligence.com/cisa-github-data-leak-full-technical-review/)
- Techzine, CISA leaked AWS GovCloud keys on GitHub for six months (https://www.techzine.eu/news/security/142869/cisa-leaked-aws-govcloud-keys-on-github-for-six-months/)
- eSecurity Planet, CISA GitHub Leak Exposes AWS GovCloud Secrets (https://www.esecurityplanet.com/threats/cisa-github-leak-exposes-aws-govcloud-secrets/)

Reporting by Renée Kovac, Correspondent, for the Security desk · ETL Newswire staff
Read more at the source

This release was originally distributed via ETL Newswire. Visit Krebs on Security, CISA Admin Leaked AWS GovCloud Keys on GitHub (May 2026) for the full story, related releases, and contact information.

Visit Krebs on Security, CISA Admin Leaked AWS GovCloud Keys on GitHub (May 2026) →