Accidental Exposure on GitHub
The CISA administrator posted a code repository to GitHub on Monday that contained hardcoded AWS GovCloud access keys paired with the corresponding secret keys, according to the agency. The repository was intended for internal use but was mistakenly set to public visibility. A security researcher scanning GitHub for exposed credentials discovered the keys on Wednesday and immediately filed a responsible disclosure notice to CISA through a government vulnerability reporting channel.
The exposed credentials granted administrative-level access to multiple CISA GovCloud accounts, including those housing sensitive interagency threat intelligence feeds and internal analytical tools. AWS GovCloud is an isolated cloud region designed to host controlled unclassified information and other sensitive workloads for U.S. government customers.
CISA's Office of the Chief Information Officer revoked the keys within three hours of receiving the notice, and an audit of API call logs over the exposure window is now underway. "No evidence of unauthorized access has been identified to date, but the forensic review continues," a CISA spokesperson said Thursday.
Broader Government Tech Vulnerabilities
The incident underscores persistent challenges in securing government cloud deployments against human error. Hardcoding credentials in source code remains a common misconfiguration, despite automated scanning tools and pre-commit hooks that can prevent such leaks. The exposure comes as multiple federal systems face active threats. Earlier this month, researchers warned of active exploitation of a high-severity Ivanti EPMM vulnerability that grants admin-level access to enterprise mobile management consoles, another vector that puts sensitive government networks at risk.
Administrator credential leaks are especially damaging in GovCloud environments, where workloads often handle critical infrastructure data. In CISA's case, the AWS keys also had permissions to create and modify Identity and Access Management (IAM) roles, potentially allowing an attacker to escalate privileges silently. Security analysts note that even brief exposure from Monday to Wednesday could have allowed a sophisticated actor to exfiltrate data.
Review and Remediation
CISA has initiated an internal investigation into how the code escaped standard review processes. The agency said it will mandate immediate credential rotation across all GovCloud accounts and enforce stricter secrets-scanning rules in its continuous integration pipelines. The administrator involved has not been publicly identified, and no disciplinary details have been released. The incident also prompted CISA to issue an emergency directive requiring all sub-agencies to recheck their GitHub repositories for hardcoded secrets.
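As an added illustration of the secrets scanning described above (not CISA's tooling and not taken from the incident), the following Python check flags AWS access key IDs and reports whether a likely secret access key sits nearby, the pairing at issue here. The 3-line window, the entropy threshold and the sample file are assumptions; the key values are the placeholder pair used in AWS documentation.

```python
import math
import re
from collections import Counter
from typing import NamedTuple

# AWS access key IDs are 20 characters: AKIA (long-term) or ASIA (temporary) prefix.
KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 characters drawn from the base64 alphabet.
SECRET = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
WINDOW = 3          # assumption: a paired secret sits within 3 lines of the key ID
MIN_ENTROPY = 4.2   # assumption: 40 hex chars (e.g. a git SHA-1) never exceed 4.0 bits/char

class Finding(NamedTuple):
    line: int        # 1-based line number of the access key ID
    key_id: str      # redacted to prefix plus last four characters
    paired: bool     # True when a likely secret key is within WINDOW lines

def entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_like_secret(line: str) -> bool:
    # The entropy floor filters out 40-character hex digests such as commit hashes.
    return any(entropy(m.group()) >= MIN_ENTROPY for m in SECRET.finditer(line))

def scan(text: str) -> list[Finding]:
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        for m in KEY_ID.finditer(line):
            nearby = lines[max(0, i - WINDOW): i + WINDOW + 1]
            kid = m.group()
            findings.append(Finding(i + 1, kid[:4] + "..." + kid[-4:],
                                    any(looks_like_secret(l) for l in nearby)))
    return findings

# Constructed sample file; the key values are AWS documentation placeholders.
SAMPLE = """\
region = us-gov-west-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

if __name__ == "__main__":
    hits = scan(SAMPLE)
    for f in hits:
        print(f"line {f.line}: {f.key_id} {'with secret key' if f.paired else 'key ID only'}")
    raise SystemExit(1 if hits else 0)   # a non-zero exit is what fails a hook or CI step
```

Run against staged files from a pre-commit hook or against the checkout in a CI job, the non-zero exit status stops the change before it reaches a remote repository.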
Government technology oversight remains a contentious topic, as evidenced by a recent federal court decision in which a judge granted Anthropic a preliminary injunction against Trump administration restrictions on AI defense systems. That case highlighted legal tensions around how federal agencies manage and secure sensitive technical assets.
What Comes Next
CISA officials are scheduled to brief the House Homeland Security Committee on the leak within two weeks. The agency also plans to release a public summary of its forensic findings by mid-June, provided no classified details must be redacted. In the interim, all personnel with access to GovCloud environments will undergo mandatory retraining on secure software development practices, with a focus on credential management and repository hygiene.
The security researcher who reported the leak received a formal acknowledgment from CISA and will be publicly recognized at an upcoming interagency cybersecurity summit. The incident adds urgency to a government-wide initiative announced in April that aims to eliminate hardcoded credentials from federal systems by the end of 2027.