
Lawmakers Press CISA Over Contractor's Public GitHub Leak of AWS GovCloud Keys

Lawmakers demand answers after a CISA contractor leaked AWS GovCloud keys and internal secrets on a public GitHub repo, exposing RSA keys that could hijack CI/CD pipelines.

By Peter Olaleru, Cybersecurity Editor · 3 min read · US


A CISA contractor posted AWS GovCloud keys and internal secrets to a public GitHub repo, prompting congressional scrutiny and warnings that the exposed RSA key could hijack the agency’s code pipelines.

Context: On May 18, KrebsOnSecurity reported that a contractor with admin rights to CISA’s development platform created a public profile named "Private-CISA." The repo contained plaintext credentials for dozens of internal systems, including AWS GovCloud access keys, SSH keys, and API tokens for internal monitoring tools. Investigation showed the user had disabled GitHub’s built-in secret-scan protection and had used the repository as a working scratchpad dating back to November 2025. GitGuardian first alerted CISA to the exposure on May 11, and the agency began invalidating keys after the public disclosure.

Key Facts: Sen. Maggie Hassan (D-NH) wrote to CISA’s acting director that the leak raises serious questions about the agency’s internal policies amid heightened threats to U.S. critical infrastructure. Dylan Ayrey, creator of TruffleHog, warned that an RSA private key left in the repo grants full access to CISA-IT’s GitHub organization, enabling an attacker to read private repositories, register rogue self-hosted runners to hijack CI/CD pipelines, and modify branch protection rules, webhooks, and deploy keys. As of May 20, CISA had rotated the RSA key but had not yet replaced other leaked credentials tied to critical security technologies, according to Ayrey. The agency stated it is coordinating with vendors to render all exposed secrets invalid.

What It Means: The leak illustrates how a single credential exposure can lead to broad repository and pipeline compromise (MITRE ATT&CK T1078 – Valid Accounts, T1552.001 – Credentials In Files). AWS GovCloud keys, if used, could allow adversaries to provision resources, access stored data, or move laterally within federal cloud environments (T1078.004 – Cloud Accounts). Defenders should rotate any keys found in public repos immediately, enable GitHub Advanced Security secret scanning with push protection, enforce required signed commits, and lock down branch protections. Organizations must audit service-account permissions, eliminate long-lived tokens, and monitor for anomalous GitHub API calls indicative of token abuse. Automating secret detection and remediation in CI/CD reduces the window of exposure. CISA’s ongoing credential rotation underscores the need for centralized secret-management policies for contractors. Watch for upcoming congressional hearings, any formal CISA after-action report, and updated guidance on contractor credential hygiene and secret-scanning mandates.
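As an added illustration of the automated secret detection recommended above, here is a pre-commit style scanner for the credential classes named in this incident (AWS access key IDs, PEM private keys, GitHub tokens). This is example code written for this article, not CISA's, GitHub's or GitGuardian's tooling; the regexes are assumptions based on the public formats of those credentials, and the scratchpad contents are constructed, not real secrets.

```python
"""Block commits that contain AWS key IDs, PEM private keys or GitHub tokens."""
import re
import sys
from typing import Dict, List, Tuple

# Assumed patterns: AWS key IDs start with AKIA/ASIA plus 16 uppercase
# alphanumerics; GitHub tokens are gh?_ plus 36 alphanumerics; PEM keys
# announce themselves with a BEGIN ... PRIVATE KEY header.
PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
}

# Constructed sample of the kind of "scratchpad" file described in the article.
# The AWS key ID is Amazon's documented placeholder; the token is made up.
SAMPLE_SCRATCHPAD = """\
# scratch notes (constructed example, not real secrets)
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_DEFAULT_REGION=us-gov-west-1
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA...
-----END RSA PRIVATE KEY-----
"""


def redact(token: str) -> str:
    """Keep only a prefix/suffix so the finding can be reported without re-leaking it."""
    return token[:6] + "..." + token[-4:] if len(token) > 12 else token


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, finding_type, redacted_match) for every hit in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, kind, redact(match.group(0))))
    return findings


def scan_files(paths: List[str]) -> int:
    """Scan staged files; return 1 (block the commit) if any secret is found."""
    hits = [(p, f) for p in paths for f in scan_text(open(p, encoding="utf-8", errors="replace").read())]
    for path, (lineno, kind, shown) in hits:
        print(f"{path}:{lineno}: {kind} ({shown})", file=sys.stderr)
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(scan_files(sys.argv[1:]))
```

Wire `scan_files` into a pre-commit hook with the staged file list, and it refuses the commit that would have published the keys.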
