New, by me: CISA Admin Leaked AWS GovCloud Keys on GitHub
Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how CISA builds, tests and deploys software internally, and that it represents one of the most egregious government data leaks in recent history.
krebsonsecurity.com/2026/05/ci…
John Breen (in reply to BrianKrebs):
Are you seriously telling me that somebody stored AWS GovCloud secrets in a GitHub repo? In a file called "Important AWS Tokens"? Do they not know who GitHub is? Is it intentional?
Has that person been fired into the sun yet, along with whoever hired them?
John Breen (in reply to Gerard):
@GerardThornley I guess you have to store secrets somewhere, in your source or CI/CD pipeline playbook. I hope people are not checking in private keys, or the CEO's email password.
But GovCloud IIRC is basically AWS but "secure for FedRAMP". Then using GitHub for your source control is like the Manhattan Project keeping their notebooks in the local college library, but in a locked room.
Guillotine Jones, Flâneur (in reply to John Breen):
Was the miscreant who stored high-security US government info on a GitHub repo a Musk DOGE bro, by any chance?
Asking for the schadenfreude.
Sean Riley (in reply to John Breen):
At some point it's intentional. When you have that type of access it should be assumed it is.
BrianKrebs (in reply to BrianKrebs):
It's possible this set of instructions by the CISA contractor might have caused all the trouble:
Viss (in reply to Viss):
Because I actually reached out to CISA in the past, asking how to work for them. They told me the only way to do it was unpaid, and condescendingly told me I should do it 'because I love my country'. Many others were getting paid. So, needless to say, there's a little club, and I'm not in it.
But this guy was.
So I reeeeeally wanna know.
AA (in reply to BrianKrebs):
How does CISA get to hire someone like that?
Webster's: hack (adjective): "working for hire especially with mediocre professional standards."
Legit_Spaghetti (in reply to BrianKrebs):
The word "recent" is doing a lot of heavy lifting here. Like, this is a colossal fuckup, but we've had a lot of other colossal fuckups recently, so... y'know, context.
TheYOSH (in reply to BrianKrebs):
We blame an AI agent for this....
What a fuck-up!!!
RTG-powered Vel (in reply to TheYOSH):
@theyosh AI agents don't do this. Stupidity does.
@briankrebs
GeneralX ⏳ (in reply to BrianKrebs):
The 'S' in CISA stands for secrets.
#gitguardian
Guillotine Jones, Flâneur (in reply to hufnagel 🏳️🌈 🐧🔆):
...They don't have anything to hide anymore.
Dan Kennedy (in reply to BrianKrebs):
I shouldn't be laughing.
Workspace is misspelled.
Important tokens, as opposed to the unimportant ones.
`Da Elf (in reply to `Da Elf):
Ok ... my bad. I'm going back out for 1.5 liters of tequila and some cyanide (for myself).
You gotta be KIDDING me!
LAHosken 🇺🇸👀 (in reply to BrianKrebs):
Addressing Risks from Chris Krebs and Government Censorship (Micah Stopperich, The White House)
Okuna:
Make something idiot proof and nature will create a better idiot.
Scnr
Tony Hoyle (in reply to BrianKrebs):
"Currently, there is no indication that any sensitive data was compromised as a result of this incident,"
Looks pretty damned sensitive to me, unless you consider admin permissions on your network public information.
Ministerofimpediments (in reply to BrianKrebs):
I'd like to append the top/original post with the following…
“…so far.”
Because this is highly unlikely to be the last or worst…just one that we now know about. Fairly sure there are plenty more that are either covered up or yet to be found in the open (…akin to a box of classified info left in a bathroom). Save some ire for the next four or five of them. I mean think of who got their fingers into most govt systems year one…you just know there’s more.
EamonnMR (in reply to BrianKrebs):
> The [public] GitHub repository that Valadon flagged was named "Private-CISA,"
How bad could it be
> One of the exposed files, titled “importantAWStokens,” included the administrative credentials to three Amazon AWS GovCloud servers.
Awesome
> Another file exposed in their public GitHub repository — “AWS-Workspace-Firefox-Passwords.csv”
Hell yeah
If they didn't validate the credentials I'd wonder if it was a honeypot.
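EamonnMR's point about validating the credentials is worth a worked illustration. A leaked AWS access key can be attributed to its account without ever exercising it: the 12-digit account ID is encoded in the key ID itself (an encoding documented by Tal Be'ery in 2020), and the prefix tells you whether it is a long-lived IAM user key (AKIA) or a temporary STS credential (ASIA). The Python below is an added example, not code from the article, this thread, or the repository they describe. The sample file contents are constructed; the key ID in them is the publicly documented example from that write-up, not a live credential, and the secret is a placeholder.

```python
"""Passive triage of AWS access keys found in a repository: locate key IDs in
text and recover the owning account ID from the key ID alone, with no call to
AWS (no GetCallerIdentity, no console sign-in, no use of the secret).
Added example; not taken from the article or the leaked repository.
"""
import base64
import re

# AKIA = long-lived IAM user key, ASIA = temporary STS credential.
# The 16 characters after the prefix are RFC 4648 base32 (A-Z, 2-7).
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])((?:AKIA|ASIA)[A-Z2-7]{16})(?![A-Z0-9])")

# Constructed sample modelled on a "tokens" file committed to a repo. The key
# ID is the publicly documented example from Tal Be'ery's 2020 write-up on
# this encoding; the secret is a made-up placeholder, not a real credential.
SAMPLE_FILE = """\
# prod govcloud admin
AWS_ACCESS_KEY_ID=ASIAY34FZKBOKMUTVV7A
AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# not key IDs: AKIAEXAMPLE (too short), akiay34fzkbokmutvv7a (lower case)
"""


def find_access_key_ids(text: str) -> list[str]:
    """Return every AKIA/ASIA access key ID in text, in order, deduplicated."""
    seen: dict[str, None] = {}
    for match in ACCESS_KEY_RE.finditer(text):
        seen.setdefault(match.group(1))
    return list(seen)


def account_id_from_key_id(key_id: str) -> str:
    """Decode the 12-digit AWS account ID embedded in an access key ID.

    Drop the 4-character prefix, base32-decode the remaining 16 characters
    (10 bytes), read the first 6 bytes as a big-endian integer, clear the top
    bit and the low 7 bits, and shift right by 7 (Tal Be'ery, 2020).
    """
    if not ACCESS_KEY_RE.fullmatch(key_id):
        raise ValueError(f"not an AKIA/ASIA access key ID: {key_id!r}")
    raw = base64.b32decode(key_id[4:], casefold=False)  # 16 chars -> 10 bytes
    z = int.from_bytes(raw[:6], "big")
    account = (z & 0x7FFFFFFFFF80) >> 7
    return f"{account:012d}"


def triage(text: str) -> dict[str, str]:
    """Map each key ID found in text to the account that issued it."""
    return {key: account_id_from_key_id(key) for key in find_access_key_ids(text)}


if __name__ == "__main__":
    for key_id, account in triage(SAMPLE_FILE).items():
        kind = "temporary (STS)" if key_id.startswith("ASIA") else "long-lived (IAM user)"
        print(f"{key_id}  {kind}  account {account}")
```

The supported way to get the same answer is the STS GetAccessKeyInfo API (`aws sts get-access-key-info --access-key-id ...`), which requires credentials of your own but never uses the leaked key. The offline decode is for the moment you are staring at a public repo and want to know which account owner to alert before anyone touches the key; neither method tells you whether the key is still active, and neither replaces rotating it.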
MissConstrue (in reply to The Doctor):
@drwho Ha! It'll turn out the only reason the Russian, Chinese, Iranian, et al. hackers don't have the keys to the front door is because GitHub can't maintain uptime.
Perhaps a tad wishful thinking on my part…