HomeIntelligenceBrief
BREACH BRIEF🟠 High Breach

CISA Contractor Publishes AWS GovCloud Keys on Public GitHub, Exposing Federal Systems

A CISA contractor deliberately posted AWS GovCloud credentials and other internal secrets to a public GitHub repository, prompting congressional inquiries and a rapid response to invalidate the keys. The breach highlights third‑party credential‑management risks for federal agencies and their cloud partners.

LiveThreat™ Intelligence · 📅 May 22, 2026· 📰 krebsonsecurity.com
🟠
Severity
High
BR
Type
Breach
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
3 recommended
📰
Source
krebsonsecurity.com

CISA Contractor Publishes AWS GovCloud Keys on Public GitHub, Exposing Federal Systems

What Happened — A CISA‑contractor with administrative rights created a public GitHub repository (“Private‑CISA”) that contained plaintext AWS GovCloud credentials and dozens of other internal secrets. The contractor deliberately disabled GitHub’s secret‑scanning protection, allowing the data to be publicly accessible. CISA is working to invalidate the leaked keys and assess the exposure.

Why It Matters for TPRM

  • Credential leaks in a federal agency highlight the risk of third‑party contractors mishandling privileged access.
  • Exposure of cloud‑infrastructure keys can enable adversaries to pivot into critical government networks.
  • The incident underscores the need for continuous monitoring of contractor activities and strict secret‑management policies.

Who Is Affected — Federal government (critical infrastructure), cloud service providers (AWS GovCloud), any downstream vendors or partners relying on CISA‑managed services.

Recommended Actions

  • Review all third‑party contracts for privileged‑access controls and audit logs.
  • Verify that any shared cloud credentials have been rotated and that secret‑scanning tools are enforced.
  • Incorporate contractor‑access monitoring into your TPRM program and demand evidence of secure development practices.

Technical Notes — The leak stemmed from intentional disabling of GitHub’s built‑in secret‑detection feature, exposing plaintext AWS access keys, API tokens, and internal system passwords. No public exploit of the keys has been reported yet, but the potential for misuse is high. Source: Krebs on Security

📰 Original Source
https://krebsonsecurity.com/2026/05/lawmakers-demand-answers-as-cisa-tries-to-contain-data-leak/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →