What happened
US Senator Maggie Hassan sent a letter to CISA Acting Director Nick Andersen on Tuesday demanding answers and a classified briefing about an alleged security incident involving a public GitHub repository that reportedly exposed AWS credentials and other sensitive information belonging to the agency.
The incident was uncovered by security researcher Guillaume Valadon of GitGuardian, who discovered a GitHub repository containing CISA credentials, including cloud keys, tokens, plaintext passwords, and logs. The account was taken offline after cybersecurity reporter Brian Krebs contacted CISA about it. The AWS keys reportedly remained valid for two additional days after the initial contact before being removed. The repository was associated with government contractor Nightwing.
CISA confirmed it is aware of the reported exposure and investigating the situation, stating there is currently no indication that sensitive data was compromised. Hassan said the agency’s statement leaves unanswered questions about the policies and procedures that made the incident possible and attached 12 specific questions to her letter. She requested a briefing before June 5. Hassan’s letter also contextualizes the incident against significant organizational disruption at CISA since January 2025, including a one-third workforce reduction, budget cuts, cancellation of election security programs, disbanding of advisory bodies, and leadership instability following the removal of the previous acting director.
Who is affected
CISA’s internal systems and any infrastructure reachable with the exposed credentials face potential exposure, depending on whether the keys were used before they were invalidated; because a public repository can be cloned and indexed within minutes of a push, the absence of evidence of misuse is not the same as evidence of none. The broader concern extends to any critical infrastructure operators, government agencies, or partner organizations whose security posture depends on CISA’s operational integrity and the confidentiality of its internal tooling and access credentials.
Why CISOs should care
A cybersecurity agency exposing cloud credentials on a public GitHub repository is a significant operational security failure regardless of whether the credentials were accessed. The two-day window between external notification and key invalidation is itself a concerning response timeline for an agency whose core function is helping other organizations prevent exactly this type of credential exposure.
The incident also raises a governance question that applies to any organization: if the agency responsible for national cyber defense guidance has internal procedures that allowed cloud credentials to reach a public repository and remain valid after notification, what does that indicate about the operational security culture and capacity at an agency that has lost a third of its workforce?
3 practical actions
- Implement automated secret scanning across all code repositories used by your organization and contractors: The CISA incident involved credentials in a public repository. Tools that automatically scan commits for exposed secrets, API keys, and credentials before they are pushed (pre-commit or pre-push hooks, CI checks) or immediately after they land provide detection that does not depend on an external researcher finding the exposure first. Treat any credential that reached a public remote as compromised and rotate it: deleting the commit or the repository does not reach the forks, clones, and indexing bots that already copied it.
- Enforce short-lived credential policies and automated rotation for cloud access keys: AWS credentials that remained valid for two days after external notification represent an unnecessarily long exposure window. Implement maximum credential lifetime policies, automated rotation schedules, and break-glass revocation procedures that can invalidate keys within minutes of a suspected exposure being identified. Where possible, replace long-lived IAM access keys with roles or federated identity that issue temporary STS credentials, so there is nothing durable to leak in the first place.
- Extend secret scanning requirements to contractor and third-party developer environments: The repository was associated with a government contractor rather than a direct CISA employee. Ensure that your organization’s secret management policies, scanning requirements, and credential hygiene standards apply to contractors and third parties with access to your systems, with contractual obligations and audit rights to verify compliance.
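As an added illustration of the first two actions (not code from CISA, Nightwing, or GitGuardian, whose tooling is not described on this page), the following Python scanner inspects only the lines a commit adds, so it can run as a pre-push hook or CI step before anything reaches a remote. The rule set, the entropy threshold, and the sample diff are all constructed for this example; the AWS account-ID recovery uses the publicly documented property that an access key ID encodes its account ID in base32, which tells a responder which account the revocation has to happen in.

```python
"""Minimal pre-push secret scanner (added example; hypothetical rule set).
Reads a unified diff, looks only at added lines, and reports findings with
the new-file line number, a redacted match, and, for AWS key IDs, the
account the key belongs to so the right break-glass revocation can run."""
import base64
import binascii
import math
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# High-confidence formats. The AWS secret key is just 40 base64-ish chars,
# so that rule also requires "aws ... secret/key" context on the same line.
RULES = [
    ("aws-access-key-id", re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")),
    ("aws-secret-access-key", re.compile(
        r"(?i)aws.{0,20}?(?:secret|key).{0,20}?['\"=:\s]"
        r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")),
    ("github-token", re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36})\b")),
    ("private-key-block", re.compile(
        r"(-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----)")),
]
# Generic "password = '...'" assignments are noisy, so they are gated on
# Shannon entropy: placeholders like "changeme" score ~2.75 bits/char,
# real secrets well above 3.
GENERIC = re.compile(
    r"(?i)(?:password|passwd|pwd|token|secret)\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]")
ENTROPY_THRESHOLD = 3.0
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass
class Finding:
    line_no: int          # line number in the new version of the file
    rule: str
    redacted: str
    aws_account: Optional[int] = None


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def redact(secret: str) -> str:
    """Keep enough to recognise the value in a report, never the whole thing."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def aws_account_from_key_id(key_id: str) -> Optional[int]:
    """Base32-decode the 16 chars after AKIA/ASIA, mask, shift: the AWS
    account ID is embedded in the key ID. None if the ID is not base32
    (e.g. contains 0, 1, 8 or 9), which real AWS key IDs never do."""
    try:
        raw = base64.b32decode(key_id[4:], casefold=True)
    except (binascii.Error, ValueError):
        return None
    return (int.from_bytes(raw[:6], "big") & 0x7FFFFFFFFF80) >> 7


def scan_diff(diff_text: str) -> List[Finding]:
    findings: List[Finding] = []
    new_line = 0
    for raw in diff_text.splitlines():
        m = HUNK.match(raw)
        if m:                                  # hunk header resets line count
            new_line = int(m.group(1)) - 1
            continue
        if raw.startswith(("diff ", "index ", "--- ", "+++ ")):
            continue
        if raw.startswith("-"):
            continue                           # removed lines never reach the remote
        new_line += 1                          # context and added lines both advance
        if not raw.startswith("+"):
            continue
        line = raw[1:]
        for rule, rx in RULES:
            for mm in rx.finditer(line):
                secret = mm.group(1)
                acct = aws_account_from_key_id(secret) if rule == "aws-access-key-id" else None
                findings.append(Finding(new_line, rule, redact(secret), acct))
        for mm in GENERIC.finditer(line):
            if shannon_entropy(mm.group(1)) >= ENTROPY_THRESHOLD:
                findings.append(Finding(new_line, "high-entropy-assignment", redact(mm.group(1))))
    return findings


# Constructed sample diff: every value below is made up for this example.
# The key ID decodes to account 68719476736 (2**36); the secret is AWS's
# documentation placeholder.
SAMPLE_DIFF = """\
diff --git a/deploy/config.env b/deploy/config.env
--- a/deploy/config.env
+++ b/deploy/config.env
@@ -1,3 +1,8 @@
 REGION=us-east-1
-OLD_TOKEN=already-removed-so-ignored
+AWS_ACCESS_KEY_ID=AKIABAAAAAAAAAAAAAAA
+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
+ADMIN_PASSWORD="changeme"
+DB_PASSWORD="Tr0ub4dor&3xQ9!mP"
 LOG_LEVEL=info
+-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    text = SAMPLE_DIFF if sys.stdin.isatty() else sys.stdin.read()
    hits = scan_diff(text)
    for f in hits:
        extra = f" (AWS account {f.aws_account})" if f.aws_account is not None else ""
        print(f"line {f.line_no}: {f.rule}: {f.redacted}{extra}")
    sys.exit(1 if hits else 0)   # non-zero exit blocks the push in a hook
```

Wired into a pre-push hook as `git diff origin/main...HEAD -U0 | python3 scan.py`, a non-zero exit stops the push; the same function runs unchanged in CI over the pull-request diff. The line-number tracking matters because the report has to point a developer at the exact line to remove, and the account-ID enrichment matters because the first responder action is not "delete the commit" but "deactivate or delete that key in that account".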
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.

