The US cyber agency said on July 9 it took down a GitHub repository belonging to a contractor that leaked sensitive cloud credentials.
The internal incident response action started on May 15, with CISA removing an exposed repository that contained CISA Amazon Web Services GovCloud keys and other data that were publicly accessible.
“Within moments of receiving this information, CISA’s Office of the Chief Information Officer took swift and comprehensive action to mitigate any exposure to CISA’s cloud resources and code repositories,” CISA said.
CISA learned of the exposed repository after being notified by independent security journalist Brian Krebs and pen-testing firm Seralys, who disclosed the GitHub account was used by an employee at a Virginia-based company called Nightwing.
The exposed files included “importantAWStokens,” which contained administrative credentials to three Amazon AWS GovCloud servers, as well as another file titled “AWS-Workspace-Firefox-Passwords.csv,” that contained plaintext usernames and passwords for CISA’s internal system, Krebs reported.
Seralys’ founder Philippe Caturegli told Krebs the exposed credentials were high-privileged, and that threat actors could have used them to authenticate the AWS GovCloud accounts. This would have allowed hackers access to CISA’s internal code system and maintain persistent access.
CISA revoked access for the contractor, who had used the repository to create cloud infrastructure autonomously.
CISA added that no customer or mission-critical data was exposed and that the credentials have not been used outside of CISA’s build environment by any unknown entities. The agency also took further preventive measures such as limiting users’ ability to upload to code repositories.
“CISA strategically identified further logging opportunities while conducting the incident response and has since implemented those additions to enhance visibility,” the agency said.
Personnel Change At CISA Worries Some In The Industry
The development comes in the wake of continued disruption at the agency under the second Trump administration, which has significantly reduced CISA’s funding and workforce. The departure of former CISA Director, Jen Easterly, in January 2025, as well as other high-profile leaders, have prompted concerns about the agency’s ability to conduct its operations coherently.
The latest data leak has added to the ongoing concerns. Lawmakers had already written to Acting Director Nick Andersen in May, before CISA’s public statement, seeking further clarification on the leak.
“We worry that a substantially reduced workforce, coupled with the Administration’s indifference to security, created the conditions that allowed such a significant security lapse to occur. Moreover, we are concerned that the incident undermines CISA’s credibility,” the lawmakers wrote.
The lawmakers further sought assurances from Andersen that his organization will take the latest incident “seriously” and it will fully evaluate the “security consequences of this lapse to prevent anything like it from happening again.”