What they're not telling you: # CISA Admin Leaked AWS GovCloud Keys on GitHub A CISA contractor disabled GitHub's built-in secret-detection feature and then uploaded the nation's most sensitive cybersecurity infrastructure credentials to a public repository named "Private-CISA," exposing administrative access to three AWS GovCloud servers and plaintext passwords to dozens of internal systems before a private security researcher had to manually alert the agency days later. The repository—live on GitHub until this past weekend—contained what Guillaume Valadon, a researcher at GitGuardian, described as "the worst leak that I've witnessed in my career." Valadon's firm runs continuous scans of public code repositories to flag exposed secrets. When the unnamed CISA contractor didn't respond to automatic alerts, Valadon escalated to KrebsOnSecurity on May 15, essentially doing CISA's own job for it.
What the Documents Show
The agency's response time remains undisclosed, but the fact that a private security company had to shame them into action is itself the story. The contents read like an instruction manual for breaching the federal government's cybersecurity apparatus. One file, titled "importantAWStokens," contained administrative credentials to three separate AWS GovCloud accounts—the Amazon cloud infrastructure legally required to host classified and sensitive U.S. Another file, "AWS-Workspace-Firefox-Passwords.csv," listed usernames and passwords in plaintext for dozens of internal CISA systems, including one labeled "LZ-DSO," shorthand for "Landing Zone DevSecOps," the infrastructure tool CISA uses to build, test, and deploy its own software. But here's what distinguishes this from garden-variety incompetence: the contractor *intentionally* disabled GitHub's default secrets detection feature.
Follow the Money
Valadon documented it in the commit logs. This wasn't negligence—it was an affirmative choice to bypass a security control. The logs also showed plaintext passwords stored in CSV files and backups committed directly to a public repository. Every decision point involved overriding a protective mechanism. The exposed files detailed CISA's internal build, test, and deployment processes—essentially the blueprint for how the nation's cybersecurity agency operates at the most foundational level. When GitGuardian finally forced action, the repository was scrubbed.
What Else We Know
The Cybersecurity & Infrastructure Security Agency, tasked by Congress to secure federal infrastructure, had to be informed of a critical breach of its own infrastructure by a third party. The contractor remains unnamed in all public reporting. So does their supervisor. So does whoever approved or failed to catch this arrangement. CISA Director Jen Easterly has made no public statement. The DHS Inspector General has not announced an investigation.
Primary Sources
- Source: Hacker News
- Category: Government Secrets
- Cross-reference independently — don't take our word for it.
Disclosure: NewsAnarchist aggregates from public records, API feeds (Federal Register, CourtListener, MuckRock, Hacker News), and independent media. AI-assisted synthesis. Always verify primary sources linked above.