A public repository named, ironically, "Private-CISA" and maintained by a CISA contractor contained 844 megabytes of sensitive data, including administrative credentials for AWS GovCloud accounts, CI/CD logs, Kubernetes manifests, and internal documentation.

The repository was created on November 13, 2025, and sat exposed for roughly six months before secrets-detection firm GitGuardian discovered it on May 14, 2026.

One file, labeled "importantAWStokens," held admin credentials for three AWS GovCloud accounts. Another exposed plaintext passwords for internal systems. The repo also included GitHub tokens, sensitive YAML configuration files, and references to CISA's own software-building environment, touching the agency's internal software supply chain.

After GitGuardian flagged the issue, the repository was taken down within about 26 hours. However, some exposed AWS keys remained valid for an additional 48 hours after deactivation. CISA has stated there is currently no indication that any data was compromised.

Independent journalist Brian Krebs first reported the breach. The incident underscores the kind of supply chain risk CISA has spent years warning others to mitigate, particularly after the SolarWinds attack in 2020.