ACCORDING to KrebsOnSecurity, a CISA contractor maintained a public GitHub repository that exposed credentials to several AWS GovCloud accounts and a large number of internal CISA systems, including cloud keys, tokens and plaintext passwords. The repository, named Private-CISA, was flagged by Guillaume Valadon of GitGuardian on May 15, after his firm’s automated scans detected the exposure.
One of the exposed files, “importantAWStokens,” contained administrative credentials to three AWS GovCloud servers, while another, “AWS-Workspace-Firefox-Passwords[.]csv,” listed plaintext usernames and passwords for dozens of internal CISA systems, including an environment called LZ-DSO.
Caturegli, founder of Seralys, said he validated that the exposed credentials could authenticate to three AWS GovCloud accounts at high privilege, and that the archive also included plain text access to CISA’s internal artifactory. The Private CISA repo was created on 13 November 2025, and the contractor’s GitHub account remained online for 48 hours after the leak was reported before being taken down.