WTF? CISA Admin Leaked AWS GovCloud Keys on Github
A newly uncovered GitHub exposure involving a CISA contractor leaked privileged AWS GovCloud credentials, plaintext passwords, and internal DevSecOps infrastructure details in what researchers are calling one of the most severe public-sector secret leaks in recent memory.
Dan Moore, Sr. Director, CIAM Strategy & Identity Standards at FusionAuth had this comment:
“A public GitHub repo sat open for six months. AWS GovCloud admin keys. Plaintext passwords. The works.
Researchers at Seralys and KrebsOnSecurity flagged it to CISA and were ignored. When the repo finally came down, the AWS keys stayed live for another 48 hours.
The hygiene failure created the exposure. Ignoring responsible disclosures extended it. But the static, long-lived credentials are the architectural problem that underlies both of those issues. An exposed static secret stays leaked until someone manually kills it. That’s a design error, not a simple mistake.”
This is an epic #fail by a group that should know better. Seriously, heads need to roll over this.
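One concrete defensive check for the kind of exposure described above, added here as an example rather than anything from the post or from the organisations it names: a small pre-commit style scanner that flags long-lived AWS access key IDs (the AKIA prefix) separately from temporary STS ones (ASIA, which expire on their own, which is Moore's point), plus plaintext password assignments. The key ID format is the documented AWS one; the sample config is constructed, using AWS's own documented example values.

```python
"""Scan text for AWS-style credentials and plaintext passwords before it is committed.

Added example, not code from the post. Patterns are assumptions based on the
documented AWS access key ID format (prefix + 16 uppercase alphanumerics).
"""
import re
import sys
from typing import Iterable

# Long-lived IAM user keys start with "AKIA"; temporary STS keys start with "ASIA".
AWS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# 40-character value assigned to a key named like the AWS secret access key.
AWS_SECRET = re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})")
# Anything that looks like password = <literal>; deliberately broad for a pre-commit gate.
PASSWORD = re.compile(r"(?i)(password|passwd|pwd)\s*[=:]\s*['\"]?([^\s'\"]{6,})")


def scan_lines(lines: Iterable[str], name: str) -> list[tuple[str, int, str]]:
    """Return (source, line_no, finding_kind) for every suspicious line."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = AWS_KEY_ID.search(line)
        if m:
            kind = "aws_static_key_id" if m.group(1) == "AKIA" else "aws_temporary_key_id"
            findings.append((name, no, kind))
        if AWS_SECRET.search(line):
            findings.append((name, no, "aws_secret_access_key"))
        if PASSWORD.search(line):
            findings.append((name, no, "plaintext_password"))
    return findings


def scan_text(text: str, name: str) -> list[tuple[str, int, str]]:
    return scan_lines(text.splitlines(), name)


# Constructed sample config; the AWS values are AWS's published documentation examples.
SAMPLE = """\
# constructed sample config, values are not real credentials
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
db_password = "Sup3rSecret!"
region = us-gov-west-1
"""

if __name__ == "__main__":
    # Usage: scan_secrets.py file... (no args scans the embedded sample); exit 1 on any finding.
    sources = [(open(p).read(), p) for p in sys.argv[1:]] or [(SAMPLE, "sample")]
    hits = [f for text, name in sources for f in scan_text(text, name)]
    for src, no, kind in hits:
        print(f"{src}:{no}: {kind}")
    sys.exit(1 if hits else 0)
```

Wire it into a pre-commit hook so a static key never reaches a remote in the first place; the AKIA/ASIA distinction is what tells you whether a hit expires by itself or has to be revoked by hand.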
This entry was posted on May 19, 2026 at 12:51 pm and is filed under Commentary with tags CISA.