A contractor for CISA maintained a public GitHub repository that exposed administrative credentials for multiple AWS GovCloud accounts and plaintext passwords for dozens of internal CISA systems. The repository also contained sensitive files related to CISA's software development and deployment processes. The exposure was discovered by a security researcher who alerted CISA. The AWS keys were confirmed valid and granted high privilege access. The repository was used as a synchronization workspace by the contractor, who disabled GitHub's default secret detection. CISA has acknowledged the incident and is investigating, with no confirmed data compromise at this time.

The exposure of highly privileged AWS GovCloud credentials and internal system passwords could have allowed unauthorized access to critical CISA infrastructure and internal systems. The leak of software build and deployment details increases the risk of persistent backdoors or lateral movement within CISA networks if exploited. Although CISA reports no current indication of compromise, the incident represents a significant operational security failure and could have led to severe consequences if exploited by threat actors.

CISA has taken the exposed GitHub repository offline and is investigating the incident. The exposed AWS keys remained valid for 48 hours after the repository was removed, indicating a need for immediate key revocation and credential rotation. Organizations should ensure that secret scanning features are enabled on code repositories and enforce strict credential management policies. CISA is implementing additional safeguards to prevent future occurrences. Patch status is not applicable as this is a credential exposure incident rather than a software vulnerability.