When a public GitHub repository turned out to hold a file named importantAWStokens, containing keys that granted admin access to three Amazon AWS GovCloud accounts, the result was a government cloud breach in plain sight. That’s the headline that landed on our desks on June 5, 2026, after Krebs on Security broke the story. The repo, named Private‑CISA, belonged to a contractor for the Cybersecurity & Infrastructure Security Agency and was openly exposing not just cloud keys but dozens of plaintext passwords for internal CISA systems.
Key Takeaways
- Public GitHub repo Private‑CISA leaked AWS GovCloud admin keys and internal passwords.
- Contractor disabled GitHub’s secret‑detection feature, allowing secrets to be committed.
- Security researcher Guillaume Valadon flagged the repo after the owner stopped responding.
- Philippe Caturegli confirmed the keys were still valid and could access sensitive agency environments.
- The leak highlights risky practices like storing passwords in CSV files and backups in Git.
Historical Context: How the Mistake Slipped Through
GitHub’s secret scanning has been on by default for public repositories for years. It matches pushed content against known credential patterns, AWS access keys among them, and alerts the repository owner; the companion push‑protection setting goes further and rejects a push that contains a match. Both are a safety net for developers who commit credentials by accident, not a substitute for keeping secrets out of the tree. In the case of Private‑CISA, the net was deliberately turned off, which removed the one automated barrier in that workflow that could have stopped the AWS tokens before they went public.
Disabling secret scanning is unusual at large organizations, and where it happens it is normally paired with a compensating control such as a pre‑commit hook, a scanner in CI, or a manual review step. The emails from Guillaume Valadon show that no such fallback existed. Whether the feature is on is a per‑repository setting, visible in the repository’s security settings and, for auditing many repositories at once, in the security_and_analysis block that GitHub’s REST API returns for a repository. The contractor’s decision to treat the repository as a private workspace, despite its public visibility, created a blind spot that persisted for weeks.
Another piece of the puzzle is the use of CSV files for password storage. CSV is a convenient format for spreadsheets, but it offers no encryption, no access control, and no audit trail. Once such a file is committed, every clone of the repo carries a copy, and deleting it in a later commit only hides it from the working tree; it remains in the history of every clone and fork until that history is rewritten and the credentials are rotated. The AWS‑Workspace‑Firefox‑Passwords.csv file in the repo is a textbook example of why the industry has moved toward secret managers and encrypted vaults.
Government Cloud Breach Exposes CISA AWS GovCloud Keys
On May 15, Guillaume Valadon of GitGuardian reached out to the GitHub account owner because the usual automated alerts weren’t being heeded. He said the account had disabled the default GitHub setting that blocks users from publishing SSH keys or other secrets in public code repositories. “Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature,” Valadon wrote in an email. “I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I’ve witnessed in my career. It is obviously an individual’s mistake, but I believe that it might reveal internal practices.” That is a blunt assessment: the leak wasn’t a sophisticated attack but a series of careless choices.
How the Repo Got Its Name
The repository was labeled “Private‑CISA” despite being fully public. That contradiction hinted at an internal mindset that treated the repo as a private scratchpad, not a curated project. The commit logs showed the administrator deliberately turned off GitHub’s secret‑scanning feature, a move that let the AWS‑Workspace‑Firefox‑Passwords.csv file sit in plain sight. The file listed usernames and passwords for dozens of internal CISA systems, including one called LZ‑DSO, short for “Landing Zone DevSecOps,” the agency’s secure code development environment.
What Went Wrong: A Checklist of Bad Practices
GitGuardian’s scanning tools flagged the repo because it contained multiple red flags:
- Plain‑text passwords in CSV files.
- Backup data stored directly in the Git history.
- Administrative AWS keys saved in a file named importantAWStokens.
- Disabling of GitHub’s built‑in secret detection.
- Commit messages that explicitly documented the disabling of security features.
Each of those items alone would raise eyebrows; together they formed a textbook example of poor security hygiene. That’s why security experts called the leak “one of the most egregious government data leaks in recent history.” The fact that a single contractor’s repository could expose keys to a segment of the federal cloud environment should make every agency double‑check its own repositories.
Inside the AWS Keys
Philippe Caturegli, founder of the security consultancy Seralys, took the exposed AWS keys and tested them. He confirmed the keys were still active and could access the underlying GovCloud accounts. “I tested the AWS keys only to see whether they were still valid and to determine which internal systems the exposed accounts could access,” Caturegli said. “The GitHub account that exposed the CISA secrets exhibits a pattern consistent with an individual operator using the repository as a working scratchpad or synchronization mechanism rather than a curated project repository.” That’s a chilling reminder that a single careless developer can open a backdoor to an entire agency’s cloud footprint.
Impact on Federal Cloud Security Policies
Since the leak, CISA hasn’t issued a detailed public response, but the incident has already nudged other federal agencies to revisit their own GitHub practices. The agency’s own guidelines now stress that any repository containing credentials must be private and that secret‑detection features should never be disabled. Making a repo private narrows the audience; it does not make committed credentials safe, so the stronger rule is that credentials never belong in a repository at all. That guidance is a direct reaction to the kind of oversight that allowed the Private‑CISA repo to stay public for weeks.
Industry observers are also watching how the Department of Homeland Security (DHS) will handle the fallout, given that the exposed credentials were for systems that sit within DHS’s broader ecosystem. The breach could force a rethink of how contractors manage shared secrets across agency boundaries.
Potential Attack Vectors
If a threat actor had spotted the repo before GitGuardian’s alert, they could have used the AWS GovCloud keys to spin up new instances, exfiltrate data, or pivot toward other federal networks. The fact that the keys were still valid when tested shows that the window of exposure was real, not theoretical. Valid keys also leave a trail: CloudTrail records every API call made with an access key, so whether anyone else used these keys while they were exposed is the first question an incident responder would ask. That’s why the incident is being described as a “worst leak” by those who’ve seen it firsthand.
What This Means For Developers and Builders
For anyone who pushes code to public repositories, the lesson is simple: never store secrets in the repo, and never turn off the platform’s built‑in protections. If you need to keep credentials, use a dedicated secret manager and enforce strict access controls. That’s how you avoid turning a development sandbox into a public intelligence source.
Teams should also audit their commit histories for accidental leaks, not just the current tree. Tools like GitGuardian, TruffleHog, or GitHub’s native secret scanning can flag problems before they become public. And if you do discover a leak, treat the credential as compromised and rotate it first; deleting the file or rewriting history does not unpublish it, because clones, forks and crawler caches keep the old commits. Then notify the platform and review access logs for any misuse.
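As an added example (not code from the contractor, from GitGuardian, or from GitHub), here is a small scanner for the two artefact types this article keeps returning to: AWS access keys sitting in a credentials file and a browser‑style CSV password export. It serves both the discussion of CSV password storage above and the advice here to audit commit history: run over a local clone it walks every line ever added on any ref with `git log -p --all`, so a file deleted in a later commit still surfaces. The sample inputs are constructed, the file names and hostnames are assumptions, and the key pair is the placeholder pair from the AWS documentation, not a real credential.

```python
"""Scan text or a Git history for committed secrets: AWS access keys and CSV password exports.
Added example for this article, not the contractor's, GitGuardian's or GitHub's code."""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass

# Long-term AWS access key IDs start with AKIA, temporary (STS) ones with ASIA;
# GovCloud keys use the same format, so one pattern covers both partitions.
AWS_ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z2-7]{16})\b")
# A 40-char base64-ish value after a "secret..." label: the shape of a secret access key
# in ~/.aws/credentials files, JSON dumps and shell exports alike.
AWS_SECRET_KEY_RE = re.compile(
    r"(?i)secret[^\n=:]{0,30}[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


@dataclass(frozen=True)
class Finding:
    kind: str     # aws_access_key_id | aws_secret_access_key | csv_password_header | csv_password_value
    value: str    # redacted: enough to match a key against IAM, never the full secret
    source: str   # file name, or commit hash when scanning history
    line_no: int


def redact(value: str) -> str:
    """Keep the first and last four characters so a key ID can be matched to IAM."""
    return value[:4] + "..." + value[-4:]


def scan_text(text: str, source: str = "<text>") -> list[Finding]:
    """Scan one blob line by line. CSV handling is stateful: once a header row with a
    'password' column appears, every following non-blank row is flagged as a password."""
    findings: list[Finding] = []
    password_col: int | None = None
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append(Finding("aws_access_key_id", redact(m.group(1)), source, line_no))
        for m in AWS_SECRET_KEY_RE.finditer(line):
            findings.append(Finding("aws_secret_access_key", redact(m.group(1)), source, line_no))
        if not line.strip():          # a blank line ends a CSV block
            password_col = None
            continue
        cells = [c.strip().strip('"') for c in line.split(",")]
        if password_col is None:
            lowered = [c.lower() for c in cells]
            if len(cells) > 1 and "password" in lowered:
                password_col = lowered.index("password")
                findings.append(Finding("csv_password_header", line.strip(), source, line_no))
        elif len(cells) > password_col and cells[password_col]:
            # Report only the length; the password itself must not end up in a scan log.
            findings.append(Finding("csv_password_value", "*" * len(cells[password_col]), source, line_no))
    return findings


def scan_git_history(repo_path: str) -> list[Finding]:
    """Scan every line ever added in any commit on any ref, so files deleted later, or
    buried under a rewritten history, still surface. Requires the git CLI on PATH."""
    log = subprocess.run(
        ["git", "-C", repo_path, "log", "-p", "--all", "--no-color", "--format=@@commit %H"],
        capture_output=True, text=True, check=True,
    ).stdout
    findings: list[Finding] = []
    commit, added = "?", []
    for line in log.splitlines() + ["@@commit END"]:
        if line.startswith("@@commit "):
            if added:   # line_no in these findings is the position among the commit's added lines
                findings.extend(scan_text("\n".join(added), source=commit))
            commit, added = line.split(" ", 1)[1], []
        elif line.startswith("+") and not line.startswith("+++"):
            added.append(line[1:])
    return findings


# Constructed sample shaped like a dropped credentials file; the key pair is the
# AWS documentation placeholder, not a real credential.
SAMPLE_TOKEN_FILE = """\
[govcloud-admin]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

# Constructed sample shaped like a browser password export (url,username,password,...).
SAMPLE_CSV = """\
url,username,password,httpRealm,formActionOrigin
https://lz-dso.example.invalid,alice,CorrectHorse42!,,
https://vpn.example.invalid,bob,hunter2,,
"""

if __name__ == "__main__":
    import sys
    results = scan_git_history(sys.argv[1]) if len(sys.argv) > 1 else (
        scan_text(SAMPLE_TOKEN_FILE, "importantAWStokens") + scan_text(SAMPLE_CSV, "passwords.csv"))
    for f in results:
        print(f"{f.source}:{f.line_no} {f.kind} {f.value}")
```

Run with a path to a clone to scan its full history, or with no arguments to see the findings on the constructed samples. The output deliberately truncates key IDs and masks passwords: a scan report is itself a file people paste into tickets and chat, and it must not become the next leak. Patterns like these produce false positives on anything 40 characters of base64 after the word "secret", so treat a hit as a prompt to verify and rotate, not as proof on its own.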
What This Means For You
If you’re building on AWS GovCloud, you now have a real‑world example of why you can’t treat cloud keys as disposable. Rotate any keys that might have been exposed, prefer short‑lived credentials from IAM roles over long‑term access keys wherever you can, and require hardware‑based MFA for all privileged accounts. One caveat: MFA on the console does nothing for a leaked long‑term access key, which works on its own unless your IAM policies require an MFA‑authenticated session (the aws:MultiFactorAuthPresent condition). That’s how you limit the damage if a similar mistake happens on your side.
Developers should also treat CSV files that contain passwords as highly sensitive. Keep them out of version control entirely, encrypt anything that must be stored, and enforce least‑privilege access to it. That’s a basic hygiene step that could have kept the password list out of this leak.
Looking ahead, will agencies adopt stricter tooling, or will they rely on contractors to self‑police? The answer will shape how securely the federal cloud can operate in an era where code moves faster than compliance can keep up.
Key Questions Remaining
Several unresolved issues hover over the incident. First, how many other contractors might be using similar “private” repos without proper safeguards? Second, what remediation steps will CISA take to audit its entire code base for hidden secrets? Third, will the federal procurement process be updated to require secret‑management compliance as a contract clause? Answers to these questions will determine whether this breach remains an isolated lapse or becomes a catalyst for broader reform.
For the full story, see the original report.
Sources: Krebs on Security, The Register