CISA Admin Leaked AWS GovCloud Keys on GitHub

A contractor working for the nation's top cybersecurity agency deliberately disabled GitHub's automatic secret-detection system, then uploaded administrative credentials to classified government cloud servers in a public repository for anyone on the internet to steal. The exposure lasted until May 15, 2024, when security researcher Guillaume Valadon at GitGuardian alerted CISA that its own internal repository—named "Private-CISA," a label that now reads like dark comedy—contained what Valadon called "the worst leak that I've witnessed in my career." The repository harbored AWS GovCloud administrative keys, plaintext passwords stored in a file literally named "importantAWStokens," and a spreadsheet called "AWS-Workspace-Firefox-Passwords.csv" listing credentials to dozens of internal CISA systems in plain text. One compromised system, "LZ-DSO" (Landing Zone DevSecOps), appears to be CISA's own infrastructure-as-code deployment pipeline.

What the Documents Show

CISA's official position, as relayed through standard agency channels, frames this as a singular contractor error—a mistake by an individual who failed to follow protocol. This framing collapses under the weight of the actual evidence. The contractor didn't accidentally commit secrets to GitHub. The commit logs show explicit commands disabling GitHub's default secret-detection feature. Valadon documented the specificity of this sabotage: "Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature." This wasn't negligence.
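The three artifacts described above (an AWS access key in a file named for its contents, a CSV of plaintext passwords, and a repository whose platform-side scanning had been switched off) are exactly what a repository-side check should catch before a commit leaves the developer's machine. The scanner below is an added example, not code from the page, GitGuardian, or CISA; it assumes a mapping of staged file paths to contents, uses the documented "AKIA" plus 16 upper-case alphanumerics shape of AWS access key IDs (GovCloud keys share it), and runs on a constructed sample snapshot with placeholder values.

```python
import csv
import io
import re
from typing import Dict, List

# Documented AWS access key ID shape (same in the GovCloud partition):
# "AKIA" followed by 16 upper-case letters or digits.
AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Header names that usually carry plaintext credentials in an exported sheet.
PASSWORD_COLUMNS = {"password", "passwd", "pwd", "secret", "token"}
# File names that announce their contents (e.g. "importantAWStokens").
SUSPICIOUS_NAME_RE = re.compile(r"token|secret|password|credential", re.I)

def scan_csv(text: str) -> List[str]:
    """Report credential-named CSV columns that actually hold values."""
    reader = csv.DictReader(io.StringIO(text))
    hits = [c for c in (reader.fieldnames or [])
            if c.strip().lower() in PASSWORD_COLUMNS]
    filled = set()  # an empty credential column is not a leak
    for row in reader:
        for column in hits:
            if (row.get(column) or "").strip():
                filled.add(column)
    return [f"plaintext credential column '{c}'" for c in sorted(filled)]

def scan_file(path: str, text: str) -> List[str]:
    """Findings for one file; each string names the path and the rule."""
    findings = []
    if SUSPICIOUS_NAME_RE.search(path.rsplit("/", 1)[-1]):
        findings.append(f"{path}: suspicious file name")
    for m in AWS_ACCESS_KEY_RE.finditer(text):
        # Truncate the match so the scanner's own output does not echo the key.
        findings.append(f"{path}: AWS access key id {m.group(0)[:8]}...")
    if path.lower().endswith(".csv"):
        findings.extend(f"{path}: {hit}" for hit in scan_csv(text))
    return findings

def scan_repo(files: Dict[str, str]) -> List[str]:
    """Scan a path -> contents mapping, e.g. the staged files of a commit."""
    return [f for path in sorted(files) for f in scan_file(path, files[path])]

# Constructed sample snapshot; the key and password are placeholders.
SAMPLE_REPO = {
    "README.md": "Deployment notes for the landing zone.\n",
    "backup/importantAWStokens": "aws_access_key_id=AKIAEXAMPLEKEY000001\n",
    "AWS-Workspace-Firefox-Passwords.csv":
        "url,username,password\nhttps://example.invalid,admin,placeholder-pw\n",
}

if __name__ == "__main__":
    for finding in scan_repo(SAMPLE_REPO):
        print(finding)
```

Wired into a pre-commit hook, a non-empty result from scan_repo should block the commit; it is a local backstop, not a replacement for the platform's own secret scanning.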

🔎 Mainstream angle: The corporate press either ignored this story entirely or buried it in a 3-sentence brief. The framing, when it appeared at all, focused on process rather than impact.

Follow the Money

This was deliberate circumvention of security controls. The repository remained publicly accessible long enough for any adversary—Chinese intelligence, Russian SVR operatives, Iranian IRGC units, or freelance criminals—to clone the entire archive and extract credentials. No public statement from CISA has identified the contractor by name or provided even basic accountability details: How long had this repository been public? Who approved the contractor's access to GovCloud credentials? What systems have been audited for unauthorized access since the exposure was discovered? How many other CISA contractors maintain similar repositories?

What Else We Know

The scope of exposure extends beyond embarrassment. Valadon noted that the leaked files detailed "how CISA builds, tests and deploys software internally"—meaning adversaries didn't just gain temporary access to systems, they gained architectural blueprints to CISA's operational security posture. They learned which tools CISA uses, where they store code, how they verify deployments, and which personnel have which access levels. This is the kind of intelligence that doesn't depreciate. It compounds in value for hostile state actors planning future intrusions into other federal agencies. CISA exists specifically to prevent this kind of exposure.

Jordan Calloway
The Jordan Calloway Take
Government Secrets & FOIA

What strikes me about this story is how perfectly it exposes the gap between CISA's mandate and its actual security culture. The agency preaches zero-trust architecture and secrets management best practices to every financial institution and electric utility in America while its own contractors are committing plaintext passwords to public repositories.

The pattern here is institutional capture through bureaucratic diffusion. When the agency responsible for defending critical infrastructure gets caught sabotaging its own security infrastructure, accountability vanishes into inter-agency investigations that produce no public findings. CISA benefits from this silence because acknowledging systemic security failure would undermine its credibility to regulate others. Congress benefits because oversight of intelligence agencies is performative theater. The contractor benefits because federal employment law shields them from prosecution in ways private-sector employees would never enjoy.

Watch whether CISA ever publicly identifies this contractor or discloses what access was actually compromised. That answer will tell you whether you can trust anything this agency says about your own security.

Primary Sources


Disclosure: NewsAnarchist aggregates from public records, API feeds (Federal Register, CourtListener, MuckRock, Hacker News), and independent media. AI-assisted synthesis. Always verify primary sources linked above.