Weak security controls around the use of public GitHub code repositories allowed a contractor for the Cybersecurity and Infrastructure Security Agency (CISA) to accidentally leak private cloud access keys and other sensitive credentials, CISA said in a report released Thursday.
“The individual had uploaded copies of a CISA build and deployment repository to their personal GitHub account for the purpose of creating cloud infrastructure autonomously,” two CISA officials, acting CIO Preston Werntz and acting CISO Brad Libbey, wrote in the report.
In preparing the repository for use, they said, the contractor also uploaded administrator and build credentials for CISA’s coding system, as well as infrastructure-as-code data — essentially instructions for managing cloud platform configurations — that included private access keys for services such as Amazon Web Services.
Independent security journalist Brian Krebs first reported on the leak — attributed to the government contractor Nightwing — in mid-May, setting off a firestorm of scrutiny as lawmakers pressed CISA for an explanation. The agency’s unusual release of an after-action report suggested that it was attempting to reassure members of Congress, industry partners and the public that its systems were secure and that it was implementing the necessary improvements to its processes and technology.
CISA said it first learned about the leak after Krebs requested a comment for his story and immediately began taking “swift and comprehensive action,” including taking the contractor’s GitHub repository offline and disabling their access to CISA systems.
By analyzing log files, CISA said, it determined there was no authorized use of the leaked credentials and that “no customer or mission data was exposed.”
The agency updated all passwords used in all development environments to which the contractor had access, not just the passwords that were leaked. It also updated the leaked cloud access keys, although it admitted that this process took “longer than anticipated” because of “the complexity of CISA’s systems and interconnections with federal and industry partners.”
CISA also “tuned the allow and deny lists for its code repositories” and blocked personnel from uploading data to public repositories to prevent future leaks.
Lessons learned from the leak
The bulk of CISA’s report is a description of how the incident highlighted what the agency was doing well and what it needed to improve.
Comprehensive logs allowed CISA to rule out the possibility of credential abuse and intrusions, but every organization needs to continuously improve its logging coverage and sophistication, the agency said. “To that end, CISA strategically identified further logging opportunities while conducting the incident response and has since implemented those additions to enhance visibility.”
The exposure of cloud access “secrets” such as AWS security keys reflected a particularly glaring oversight on CISA’s part, and the agency acknowledged its failure there. “No repository should contain secrets, yet secrets made it into CISA private repositories,” the agency said. “CISA has since rotated all secrets and created an action plan to improve management of developer secrets and to better monitor for exposed secrets going forward.”
CISA has spent years urging organizations to create playbooks for responding to different kinds of incidents. But despite those exhortations, CISA itself didn’t have a playbook for a cloud security leak via GitHub. As a result, the agency said, it “had to spend time building one during the early stages of the incident.”
In addition, while CISA officials constantly emphasize how easy it is to report a cyber incident to the agency, the public disclosure of the GitHub leak — which occurred because the security researcher who discovered it couldn’t figure out how to contact the agency and went to the press instead — underscored CISA’s failure to establish clear channels for reporting incidents involving its own technology.
“To reduce ambiguity, CISA is refining its reporting channels to make them easier and faster for researchers to use,” the agency said.
In detailing its response to the GitHub leak, CISA indicated that it hoped other organizations would be similarly candid when they experienced similar situations.
“It is not a matter of ‘if,’ but ‘when’ a cybersecurity incident will happen to your organization,” the agency said. “It is important to the broader cybersecurity community that we address these matters openly to strengthen trust and foster transparency.”

