A Nightwing contractor exposed highly privileged AWS GovCloud keys, plaintext passwords, and internal CISA credentials in a public GitHub repo for months.
Key Takeaways
Repo named “Private-CISA” included files such as importantAWStokens and AWS-Workspace-Firefox-Passwords.csv, containing plaintext credentials for three AWS GovCloud accounts.
The contractor manually disabled GitHub’s secret-scanning protection, then committed SSH keys, CSVs of passwords, and backup files to a public repo.
Exposed Artifactory credentials are a critical supply-chain risk: an attacker who can write to the artifact repository could backdoor code packages, and every new build that pulls from it would then propagate the malicious code.
AWS keys remained valid for 48 hours after CISA was notified, suggesting slow or incomplete credential rotation procedures.
Passwords followed a pattern of platform name plus year (e.g., platform2025), a weak convention that would be dangerous even without public exposure.
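The takeaways above describe two controls that failed or were bypassed: repository secret scanning (disabled before the commit) and a sane password convention. The following is an added example, written for this summary and not code from the article, from Nightwing, CISA, GitHub or AWS, of a minimal local pre-commit style scanner that a defender can run over staged files regardless of what the hosting platform's protection is set to. It flags AWS access key IDs (the AKIA/ASIA prefix format AWS documents for long-term and temporary keys), PEM private-key blocks, and CSV password columns that follow the platform-name-plus-year convention. The file names mirror the ones the article mentions; every value inside them is constructed and fake.

```python
import csv
import io
import re

# Detection rules (this example's own, not GitHub's secret-scanning rules).
# AWS access key IDs are 20 characters: AKIA (long-term) or ASIA (temporary) + 16 uppercase/digits.
AWS_ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Any PEM private-key header (RSA, OPENSSH, EC, DSA, or unqualified).
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")
# "platform name plus year" convention, e.g. platform2025, optionally with one trailing symbol.
WEAK_PASSWORD_RE = re.compile(r"^[A-Za-z]+(?:19|20)\d{2}[!@#$%^&*]?$")


def scan_text(name, text):
    """Return (file, line, rule) tuples for secret-like content in a text blob."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if AWS_ACCESS_KEY_RE.search(line):
            findings.append((name, lineno, "aws-access-key-id"))
        if PRIVATE_KEY_RE.search(line):
            findings.append((name, lineno, "private-key-block"))
    return findings


def scan_password_csv(name, text):
    """Flag CSV rows whose 'password' column follows the name-plus-year convention."""
    findings = []
    reader = csv.DictReader(io.StringIO(text))
    for rowno, row in enumerate(reader, 2):  # header occupies line 1
        password = (row.get("password") or "").strip()
        if WEAK_PASSWORD_RE.match(password):
            findings.append((name, rowno, "weak-password-convention"))
    return findings


def scan_repo(files):
    """files: mapping of filename -> content, e.g. the staged set in a pre-commit hook.

    Returns all findings in file order; an empty list means the commit may proceed."""
    findings = []
    for name, content in files.items():
        findings.extend(scan_text(name, content))
        if name.lower().endswith(".csv"):
            findings.extend(scan_password_csv(name, content))
    return findings


# Constructed sample files: names echo the article, values are fake placeholders.
SAMPLE_FILES = {
    "importantAWStokens": (
        "# staging account\n"
        "aws_access_key_id=AKIAEXAMPLEEXAMPLE00\n"
        "aws_secret_access_key=notARealSecretJustSampleText0000000000\n"
    ),
    "id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "AAAAB3NzaC1yc2EAAAAplaceholder\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "AWS-Workspace-Firefox-Passwords.csv": (
        "site,username,password\n"
        "workspace.example,admin,platform2025\n"
        "artifactory.example,build,x7!Qm2#pLw9z\n"
    ),
    "README.md": "Build notes. No secrets here.\n",
}

if __name__ == "__main__":
    for path, lineno, rule in scan_repo(SAMPLE_FILES):
        print(f"{path}:{lineno}: {rule}")
```

Run as a hook, a non-empty result from scan_repo should block the commit. The secret access key itself is deliberately not matched: a 40-character base64 string has too many false positives on its own, so production scanners pair it with the key ID or use entropy checks; the key ID, the PEM header and the password convention are the high-confidence signals this example keys on.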