CISA Contractor Leaks AWS GovCloud Keys on Public GitHub

A Nightwing contractor supporting the Cybersecurity and Infrastructure Security Agency inadvertently exposed administrative AWS GovCloud credentials, dozens of plaintext passwords for internal CISA systems, authentication tokens, and deployment details in a public GitHub repository named “Private-CISA.”

Public reporting indicates the repository functioned as the contractor’s personal scratchpad rather than an official project asset. Researchers discovered the exposed material on May 18, 2026, after which the repository was taken offline. Available reporting describes that the AWS keys remained valid for several hours even after notification to the responsible parties. No evidence of actual compromise has been confirmed, yet the presence of live administrative credentials for a U.S. government cloud environment classified the incident as high severity. Industry research from sources such as DoxxScan™ continuous monitoring indicates that credential leaks of this nature frequently surface in underground markets within days of exposure.

For executives and high-net-worth families, the incident underscores how even tightly controlled government supply chains can become vectors for credential leakage. Contractors with privileged access routinely handle sensitive keys that, once public, can be leveraged to pivot into corporate environments or personal cloud accounts. Families face parallel risks when household members, including children, reuse credentials across gaming platforms, school systems, and personal email. A single exposed password can cascade into full identity compromise when adversaries chain disparate data points together.

The doxxing and identity-chain implications are particularly acute. Exposed AWS keys and internal tokens often sit alongside usernames, email addresses, or project references that link pseudonymous handles to real-world identities. Once adversaries obtain these connections, they can map an executive’s professional footprint to family members’ gaming accounts, social-media profiles, and home addresses. What begins as a government contractor’s careless repository can accelerate targeted doxxing campaigns, SIM-swapping attempts, or ransomware demands against private individuals whose data was never intended for public view.

What to do

• Run a DoxxScan to map every link between your handles, emails, phone numbers, and real-world identity, using the 72hr free trial of Warden.
• Enable continuous DoxxScan monitoring across 15B+ breach records and 100+ platforms so the next credential exposure is flagged within hours rather than months.
• Immediately rotate any password used on the Nightwing or CISA-related systems wherever that same password appears, and enforce 2FA through an authenticator app instead of SMS.
• Cover the entire household with DoxxScan family protection, which extends to dependents and children’s gaming accounts that frequently chain back to the same email addresses or physical locations.
• For executives and family offices, layer on hands-on remediation specialists who can issue targeted takedown requests to data brokers and underground forums where leaked keys and tokens are traded.

The speed with which cloud credentials move from public repositories into adversary toolkits leaves little room for delayed reaction. Organizations and families alike require proactive visibility into credential exposure and rapid professional intervention when leaks occur. DoxxScan by GalaxyWarden delivers continuous monitoring across 15B+ breach records and 100+ platforms, AI-powered identity-chain mapping, hands-on remediation by specialists, and family or household coverage that explicitly includes children’s gaming accounts. Because credential leaks like the Nightwing incident routinely cascade into account takeovers and doxxing chains, such coverage protects both corporate and personal attack surfaces.

Source: https://krebsonsecurity.com/2026/05/cisa-admin-leaked-aws-govcloud-keys-on-github/