A public repo maintained by a CISA contractor, ironically named “Private-CISA,” contained 844 MB of sensitive data including administrative credentials for AWS GovCloud accounts, CI/CD logs, Kubernetes manifests, and internal documentation. The repository was created on November 13, 2025, and sat in the open for roughly six months before secrets-detection firm GitGuardian discovered it on May 14, 2026.
What was actually exposed
One file, helpfully named “importantAWStokens,” contained admin credentials for three AWS GovCloud accounts. Another exposed plaintext credentials for internal systems.
Beyond the passwords, the repo included GitHub tokens, sensitive YAML configuration files, and references to CISA’s own software-building environment. That last detail is particularly concerning because it suggests the exposure touched the agency’s internal software supply chain.
After GitGuardian flagged the issue, the repository was taken down within approximately 26 hours, by May 15, 2026. Some of the exposed AWS keys remained valid for an additional 48 hours after the repo was deactivated.
CISA has stated there is currently no indication that any sensitive data was compromised as a result of the incident.
The irony is doing heavy lifting
Independent journalist Brian Krebs first reported on the exposure. The incident was a contractor problem, not a direct CISA employee error. The fact that a contractor’s repo contained references to CISA’s own build environment echoes the kind of supply chain risk the agency has spent years telling others to mitigate, most notably in the wake of the SolarWinds attack in 2020.
Why crypto and digital asset firms should pay attention
For crypto firms relying on AWS, GCP, or Azure for custody infrastructure, node operations, or exchange backends, this incident is a case study in what not to do. Cloud keys with administrative access are functionally equivalent to private keys in the blockchain world. The 48 hours that CISA’s exposed keys remained valid post-takedown would have been more than enough time for an attacker to pivot through connected systems.
A protocol can have a flawless audit from a top-tier firm and still get compromised because someone on the DevOps team pushed a .env file to a public repo. The same CI/CD pipelines, the same Kubernetes clusters, the same cloud provider APIs that power government systems also underpin major crypto exchanges and custodians.