• Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how CISA builds, tests and deploys software internally, and that it represents one of the most egregious government data leaks in recent history.

    On May 15, KrebsOnSecurity heard from Guillaume Valadon, a researcher with the security firm GitGuardian. Valadon’s company constantly scans public code repositories at GitHub and elsewhere for exposed secrets, automatically alerting the offending accounts of any apparent sensitive data exposures. Valadon said he reached out because the owner in this case wasn’t responding and the information exposed was highly sensitive.

    A redacted screenshot of the now-defunct “Private CISA” repository maintained by a CISA contractor.

    The GitHub repository that Valadon flagged was named “Private-CISA,” and it harbored a vast number of internal CISA/DHS credentials and files, including cloud keys, tokens, plaintext passwords, logs and other sensitive CISA assets.

    Valadon said the exposed CISA credentials represent a textbook example of poor security hygiene, noting that the commit logs in the offending GitHub account show that the CISA administrator disabled the default setting in GitHub that blocks users from publishing SSH keys or other secrets in public code repositories.

    “Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature,” Valadon wrote in an email. “I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I’ve witnessed in my career. It is obviously an individual’s mistake, but I believe that it might reveal internal practices.”

    One of the exposed files, titled “importantAWStokens,” included the administrative credentials to three Amazon AWS GovCloud servers. Another file exposed in their public GitHub repository — “AWS-Workspace-Firefox-Passwords.csv” — listed plaintext usernames and passwords for dozens of internal CISA systems. According to Caturegli, those systems included one called “LZ-DSO,” which appears short for “Landing Zone DevSecOps,” the agency’s secure code development environment.

    Philippe Caturegli, founder of the security consultancy Seralys, said he tested the AWS keys only to see whether they were still valid and to determine which internal systems the exposed accounts could access. Caturegli said the GitHub account that exposed the CISA secrets exhibits a pattern consistent with an individual operator using the repository as a working scratchpad or synchronization mechanism rather than a curated project repository.

    “The use of both a CISA-associated email address and a personal email address suggests the repository may have been used across differently configured environments,” Caturegli observed. “The available Git metadata alone does not prove which endpoint or device was used.”

    The Private CISA GitHub repo exposed dozens of plaintext credentials for important CISA GovCloud resources.

    Caturegli said he validated that the exposed credentials could authenticate to three AWS GovCloud accounts at a high privilege level. He said the archive also includes plain text credentials to CISA’s internal “artifactory” — essentially a repository of all the code packages they are using to build software — and that this would represent a juicy target for malicious attackers looking for ways to maintain a persistent foothold in CISA systems.

    “That would be a prime place to move laterally,” he said. “Backdoor in some software packages, and every time they build something new they deploy your backdoor left and right.”

    In response to questions, a spokesperson for CISA said the agency is aware of the reported exposure and is continuing to investigate the situation.

    “Currently, there is no indication that any sensitive data was compromised as a result of this incident,” the CISA spokesperson wrote. “While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences.”

    A review of the GitHub account and its exposed passwords shows the “Private CISA” repository was maintained by a contractor employed by Nightwing, a government contractor based in Dulles, Va. Nightwing declined to comment, directing inquiries to CISA.

    CISA has not responded to questions about the potential duration of the data exposure, but Caturegli said the Private CISA repository was created on November 13, 2025. The contractor’s GitHub account was created back in September 2018.

    The GitHub account that included the Private CISA repo was taken offline shortly after both KrebsOnSecurity and Seralys notified CISA about the exposure. But Caturegli said the exposed AWS keys inexplicably continued to remain valid for another 48 hours.

    The now-defunct Private CISA repo showed the contractor also used easily-guessed passwords for a number of internal resources; for example, many of the credentials used a password consisting of each platform’s name followed by the current year. Caturegli said such practices would constitute a serious security threat for any organization even if those credentials were never exposed externally, noting that threat actors often use key credentials exposed on the internal network to expand their access after establishing initial access to a targeted system.

    “What I suspect happened is [the CISA contractor] was using this GitHub to synchronize files between a work laptop and a home computer, because he has regularly committed to this repo since November 2025,” Caturegli said. “This would be an embarrassing leak for any company, but it’s even more so in this case because it’s CISA.”

  • Modern OSINT platforms rely more on AI and automation, while older social tracking methods keep losing access due to privacy and API restrictions.

  • The newly discovered Reaper malware bypasses Apple’s macOS Tahoe 26.4 security updates to steal passwords, crypto assets, and install a permanent backdoor.

  • INTERPOL has coordinated a first-of-its-kind cybercrime crackdown across the Middle East and North Africa (MENA) that led to 201 arrests and the identification of an additional 382 suspects. The initiative involved the efforts of 13 countries from the region between October 2025 and February 2026, aiming to investigate and neutralize malicious infrastructure, arrest perpetrators behind these

  • Performance reviews inside cybersecurity teams carry unusually high stakes. Security analysts, incident responders, IT administrators, and compliance staff…

  • Monday opens with a trust problem. A mail server flaw is under active use. A network control system was targeted. Trusted packages were poisoned. A fake model page pushed a stealer. Then came the familiar ransom claim: the data was returned and deleted. The pattern is clear. One weak dependency can leak keys. One leaked key can open cloud access. One cloud foothold can become a production

  • Government-backed hackers abused Cloudflare storage services in a Malaysian espionage campaign involving hidden C2 systems and data exfiltration.

  • What happens when a phishing email looks clean enough to pass through security, but dangerous enough to expose the business after one click? That is the gap many SOCs still struggle with: the attacks that leave teams unsure what was exposed, who else was targeted, and how far the risk has spread. Early phishing detection closes that gap. It helps teams move from uncertainty to evidence faster,

  • New York, USA, 18th May 2026, CyberNewswire

  • This week in cybersecurity from the editors at Cybercrime Magazine

    Sausalito, Calif. – May. 18, 2026

    Black Hat, the cybersecurity industry’s most established and in-depth security event series, and Semperis, the identity-driven cyber resilience and crisis management company, announced that the world premiere of the groundbreaking cyberwar documentary Midnight in the War Room will take place Wed., Aug. 5, 2026, during Black Hat USA, at the Mandalay Bay Convention Center in Las Vegas.

    Founded in 1997, Black Hat has grown from a small gathering of security researchers to the global platform where the cybersecurity community convenes, bringing together practitioners, CISOs, policymakers, academics, and business leaders to confront the world’s most pressing security challenges. That same evolution—from a “technical problem” to a board‑level and societal issue—is at the heart of Midnight in the War Room, which chronicles the escalating cyber conflict among nation states, criminal groups, and the defenders on the front lines.

    The film features leading voices in cybersecurity and national security who have long shaped conversations on Black Hat stages, including Chris Inglis, first U.S. National Cyber Director; Jen Easterly, former Director of the Cybersecurity and Infrastructure Security Agency (CISA); Joe Tidy, Cyber Correspondent at the BBC; and John Hammond, cybersecurity educator and influencer.

    Additional contributors include General (Ret.) David Petraeus, former Director of the Central Intelligence Agency (CIA); Marcus Hutchins, the security researcher who helped stop WannaCry; and Professor Mary Aiken, world-renowned cyber psychologist—alongside more than 50 global experts, defenders, journalists, and reformed hackers. Together, they reflect the same diverse and influential community that has defined Black Hat for nearly three decades.



    “For almost 30 years, Black Hat has been the place where the world’s most respected security voices challenge assumptions and push the industry forward,” said Suzy Pallett, President, Black Hat. “Partnering with the producers of Midnight in the War Room for the world premiere of the film builds on that legacy—amplifying the stories of intelligence leaders, CISOs, journalists, victims, and reformed hackers whose work and lived experiences have shaped the conversations on our stages. Together, we’re shining a light on the people whose expertise, vigilance, and refusal to back down underpin our collective resilience.”

    Midnight in the War Room places particular focus on the emotional and psychological toll of cyber defense, especially for Chief Information Security Officers (CISOs) responsible for safeguarding essential infrastructure. The film also offers rare insight from former attackers—some of whom served prison sentences—providing an unfiltered look into the adversarial mindset. The result is an unvarnished portrait of cyberwar as a deeply human struggle marked by courage, burnout, moral complexity, and an unrelenting sense of responsibility.

    “This project is unlike anything our industry has seen,” said Thomas LeDuc, Chief Marketing Officer at Semperis and Executive Producer of the film. “Cybersecurity is full of powerful, cinematic stories—but, for too long, they’ve gone untold. Midnight in the War Room tells the story of our industry from the inside, through the voices of the CISOs and defenders living it every day, not from the outside looking in. It shows what’s really at stake—the human toll, the pressure, and the responsibility—and gives the people on the front lines something they can point to and say, ‘This is why I do it.’ We’re honored to partner with Black Hat on the world premiere, and grateful to Suzy and her team for their dedication to the cyber community.”

    Midnight in the War Room is produced by Semperis Studios and filmed across North America and Europe. In addition to the Black Hat world premiere, Semperis is partnering with leading cybersecurity and professional organizations—including the Cyber Future Foundation (CFF), the Institute for Critical Infrastructure Technology (ICIT), (ISC)², and Women in CyberSecurity (WiCyS), among many others—to co-host private preview screenings and expert panels, raise community awareness, and champion cyber resilience.

    The post World Premiere Of “Midnight In The War Room” Documentary At Black Hat Vegas appeared first on Cybercrime Magazine.
