Contractor’s Public GitHub Repo Exposes Privileged AWS GovCloud Credentials and CISA Internal Systems
What Happened — A contractor for the Cybersecurity & Infrastructure Security Agency (CISA) inadvertently kept a public GitHub repository that contained authentication keys and configuration files for multiple high‑privilege AWS GovCloud accounts and a wide array of internal CISA systems. The repository was discovered and taken down after security researchers highlighted the exposure.
Why It Matters for TPRM —
- Credential leakage from a federal agency creates a direct pathway for nation‑state or criminal actors to compromise downstream vendors and cloud services.
- The exposed build‑and‑deploy pipelines reveal internal processes that could be weaponized in supply‑chain attacks against CISA’s contractors and partners.
- Government‑level credential exposure raises compliance and contractual risk for any organization that relies on CISA‑mandated standards or shares data with the agency.
Who Is Affected — Federal government (GOV_PUBLIC), cloud service providers hosting GovCloud workloads, and any third‑party vendors integrated with CISA’s internal systems.
Recommended Actions —
- Immediately audit all third‑party contracts with CISA for privileged credential handling clauses.
- Verify that any shared AWS GovCloud accounts have been rotated and that MFA is enforced.
- Conduct a supply‑chain risk assessment to identify downstream services that may have been exposed through the leaked pipelines.
Technical Notes — The leak stemmed from a misconfiguration (public repository) that exposed AWS access keys, IAM role definitions, and internal CI/CD scripts. No specific CVE is associated, but the incident underscores the danger of unsecured code repositories. Source: Schneier on Security – CISA Security Leak