New, by me: CISA Admin Leaked AWS GovCloud Keys on GitHub

Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how CISA builds, tests and deploys software internally, and that it represents one of the most egregious government data leaks in recent history.

https://krebsonsecurity.com/2026/05/cisa-admin-leaked-aws-govcloud-keys-on-github/

It's possible this set of instructions by the CISA contractor might have caused all the trouble:
@briankrebs dying to know how that person was selected
@Viss @briankrebs they probably get a lot done very quickly

@briankrebs because I actually reached out to CISA in the past, asking how to work for them. They told me the only way to do it was unpaid, and condescendingly told me I should do it 'because I love my country'. Many others were getting paid. So, needless to say, there's a little club, and I'm not in it.

but this guy was.
so i reeeeeally wanna know

@briankrebs Yes and disabling the warnings and pushing creds in plain text to repos and having it public and having all of them in one repo and then it's for CISA... that is as FUBAR as it can get.
@briankrebs Where are these from? Didn’t see in the article.
@richlv from dude's exposed GitHub repo.
@briankrebs @richlv The most honeypot-like non-honeypot files I've ever seen.

@cityhallin @briankrebs @richlv

Right? RIGHT?! If I had seen this repository, I would have assumed honeypot for stupid people. I mean HeresMyPasswords.txt, for the love of Bob. I know it wasn’t quite that bad, but yes it was. Jeezycreezy.

@briankrebs It didn't look like slopmachine instructions, was that just them documenting things locally?
@briankrebs Seems this dude doesn't know how git works and the organisation did not enforce separation of work and private stuff (on different devices!).
@TheTomas @briankrebs github encourages the mixing, because even with a paid corporate github setup, you can't tell who your employees are, and whether it's a brand new or personal account. So to "properly" fix this, you must stand up your own git instances instead (with their own user account partitioned off from public logins).
@trouble @briankrebs Well, there is a reason why I don’t use Microsoft GitHub. I also recommend using your own GitLab or Forgejo instances, public or private, with GitHub serving as a mirror at most.

@TheTomas @briankrebs well that's not how governments work. Anything they can contract out, they will. Bidding processes are required to be open.

Of course, personally I follow good separation/cleanliness practices and have separate logins for personal and work stuff. Ditto for hardware. I might occasionally ssh from a work machine to my personal spaces, but that's about it. I feel sorry for those that don't, e.g. personal photos, docs on a work device that gets remotely wiped.

@briankrebs are these LLM instructions or a note to self kind of deal? 😬

@briankrebs How does CISA get to hire someone like that?

Webster's: Hack (adjective): "working for hire especially with mediocre professional standards."

@briankrebs Are you seriously telling me that somebody stored AWS govcloud secrets in a github repo ? In a file called "Important AWS Tokens" ? Do they not know who github is ? Is it intentional ?

Has that person been fired into the sun yet, along with whoever hired them ?

@jab01701mid @briankrebs
Was the miscreant who stored high-security US government info on a github repo a Musk DOGE bro, by any chance?
Asking for the schadenfreude.
@Guillotine_Jones @briankrebs Q: How can I exfiltrate secrets without being seen to be exfiltrating secrets?
A: github

@jab01701mid @briankrebs

At some point it's intentional. When you have that type of access it should be assumed it is.

@jab01701mid @briankrebs isn't the real wtf storing secrets in a git repo, let alone pushing it to github?

@GerardThornley @briankrebs I guess you have to store secrets somewhere, in your source or CI/CD pipeline playbook. I hope people are not checking in private keys, or the CEO's email password.

But govcloud IIRC is basically AWS but "secure for fedramp". Then using "github" for your source control is like the Manhattan Project keeping their notebooks in the local college library, but in a locked room.
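The posts above argue that secrets inevitably end up in source or pipeline files and that the real failure is letting them reach a git repository in plain text. One defensive control a practitioner would want is a scan of file contents before they are committed, looking for strings shaped like AWS credentials. The following is an added example written for this thread, not code from the article, from CISA, or from any poster. It uses the AWS-documented placeholder key pair (AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY) in a constructed CSV, the `AKIA`/`ASIA` key-ID prefix format, and a Shannon-entropy threshold of 4.0 bits that is an assumed tuning value, not an AWS or GitHub constant. The regex and threshold are the author's own choices and will produce false positives and negatives; they are a pre-commit tripwire, not a replacement for a real secret scanner.

```python
"""Flag AWS-credential-shaped strings in text before it is committed.

Constructed example: the AWS_ACCESS_KEY_RE prefixes (AKIA/ASIA) follow AWS's
published key-ID format; the entropy threshold is an assumption for the demo.
"""
import math
import re
import sys
from collections import Counter
from typing import Dict, List

# Long-lived (AKIA) and temporary (ASIA) access key IDs: prefix + 16 chars.
AWS_ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A secret access key is a 40-character base64-like token; the lookarounds
# require exactly 40 characters so a longer blob is not partially matched.
SECRET_CANDIDATE_RE = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
ENTROPY_THRESHOLD = 4.0  # assumed tuning value, in bits per character


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for an empty or single-character string."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep only the first and last four characters for a safe report."""
    return f"{value[:4]}...{value[-4:]}"


def scan_text(text: str) -> List[Dict[str, object]]:
    """Return one finding per credential-shaped string, with its line number."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "aws_access_key_id",
                             "redacted": redact(m.group(0))})
        for m in SECRET_CANDIDATE_RE.finditer(line):
            token = m.group(0)
            # Filler like 40 'a's has zero entropy and is skipped; real keys
            # are close to uniformly distributed over the base64 alphabet.
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append({"line": lineno, "kind": "aws_secret_access_key",
                                 "redacted": redact(token)})
    return findings


# Constructed sample file in the style of a "tokens" CSV (AWS doc placeholders).
SAMPLE = """\
service,access_key_id,secret_access_key
govcloud-prod,AKIAIOSFODNN7EXAMPLE,wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
notes,none,this line has a harmless 40-char filler aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""


def main(paths: List[str]) -> int:
    """Scan the given files (or the built-in sample) and exit 1 on a finding,
    which is the contract a git pre-commit hook needs to block the commit."""
    sources = {p: open(p, encoding="utf-8", errors="replace").read() for p in paths} \
        if paths else {"<sample>": SAMPLE}
    total = 0
    for name, text in sources.items():
        for f in scan_text(text):
            total += 1
            print(f"{name}:{f['line']}: {f['kind']} {f['redacted']}")
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Wired up as `.git/hooks/pre-commit` with `git diff --cached --name-only` feeding the paths, a non-zero exit stops the commit; the report deliberately prints only a redacted prefix and suffix so the hook's own output does not become a second copy of the secret in a CI log.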

@briankrebs

one of the most egregious government data leaks in recent history

The word "recent" is doing a lot of heavy lifting here. Like, this is a colossal fuckup, but we've had a lot of other colossal fuckups recently, so... y'know, context.

@Legit_Spaghetti @briankrebs "recent history" as in "this week".

And it's only Tuesday, so...

@briankrebs We blame an AI agent for this....

What a fuck-up!!!

@theyosh AI agents don't do this. stupidity does.

@briankrebs

@briankrebs He surely covered the A in the CIA triad very well. The availability of the keys is global.
@briankrebs That sounds pretty bad, sure, but remember, whoever is left over there has the most important thing, which is loyalty.
@chux0r @briankrebs This is correct. The regime shitcanned everyone associated with Biden's CISA, including the contractors, and brought their own people in. Watched it happen.

@briankrebs

Lol. "You idiot you're supposed to improve security not facilitate security failures!"

@briankrebs oh. k8s. that tells me everything i need to know
@briankrebs
Seems they don't have anything to hide 🫣
@Hufnagel @briankrebs
...They don't have anything to hide anymore.
@briankrebs government contractors representing massive security threats? Say it ain't so... Why didn't this pop up on my palantir dashboard???

@briankrebs I shouldn't be laughing.

Workspace is misspelled.

Important tokens, as opposed to the unimportant ones.

@briankrebs I'm out of popcorn ... but there's a theater a few blocks away! Back in a sec to read this.

@briankrebs Ok ... my bad. I'm going back out for 1.5 Liters of tequila and some cyanide (for myself).

You gotta be KIDDING me!

@briankrebs The White House got mad at that other Krebs guy for "censorship" at CISA. https://www.whitehouse.gov/presidential-actions/2025/04/addressing-risks-from-chris-krebs-and-government-censorship/ I guess he was censoring the keys then?
@briankrebs Our tax dollars at work
@krypt3ia @briankrebs which is ironic, because I've talked to almost half a dozen shops who CISA was paying as their outsourced assessment teams, but when I asked to be one of those they told me to fuck off, then 'how dare you'd me because I asked to be paid for my work. I have all the receipts. Made sure to keep those emails tagged.
@briankrebs “Currently, there is no indication that any sEnSiTIVe datA was compromised as a result of this incident,” the CISA spokesperson wrote. "I mean, of course, sensitive data was exposed, but not sEnSiTIVe datA."

@briankrebs

CISA should know better than to use Cloud. AWS in particular. SMH.

@briankrebs bruh what the fuck lmao

@briankrebs

The millionth strike against the myth of the efficiency of outsourcing.

@briankrebs

30 years ago, we used a physical safe for such things. This digital approach is more 'efficient'.

@briankrebs csv password docs... wow, just wow.
@briankrebs can't make this shit up 😳 anyway I am off for some gardening, enough of those pesky computers
@briankrebs There's no way this is not intentional.