The Shepherd Left The Gate Codes In The Pasture (Again)
I need you to understand something. I have been awake for thirty hours. My coffee is cold. I have fourteen unresolved tickets from Lambs who "accidentally" deleted their desktop. And NOW I have to write about THIS.
A contractor for CISA, the agency whose entire job is to tell the rest of us how not to get compromised, left highly privileged Sky Pasture credentials sitting in a public GitHub repository. Not a private one. A public one. Where anyone with a browser and mild curiosity could just... grab them.
AWS GovCloud keys. Internal system details. The whole blueprint for how they build and deploy things internally. Just out there. Grazing in the open field. Completely unattended.
I want to be angry. I really do. But honestly I'm just so tired.
The repository apparently also contained enough internal architecture detail that any reasonably motivated Wolf could have used it to map the entire operation. We're not talking about one skeleton key here. We're talking about the whole key ring, labeled, organized, and gift-wrapped.
Security experts are calling it one of the most egregious government data leaks in recent history. I'm calling it a Tuesday.
Look, I spend every waking hour yelling at our own Flock about not writing passwords on sticky notes. Meanwhile the Shepherds responsible for national cyber posture are committing their crown jewels to a public repo and presumably going home for a nice dinner. Must be nice.
The repository has since been taken down. Cool. Great. The Sky Pasture credentials have presumably been rotated. Wonderful. But the repo was PUBLIC. Crawlers exist. Scrapers exist. Wolves with good memory exist. "We deleted it" is not a remediation strategy, it's a vibe.
The contractor in question remains unnamed, which is fine, because honestly the culture that allows this to happen is the real problem and I don't have the energy for a witch hunt on top of everything else.
Remediation (Since Apparently This Needs To Be Said Out Loud)
Rotate everything. Every key, every credential, every secret that was in that repo. Assume it was harvested the moment it went public.
Use a secrets scanner. Tools like git-secrets, truffleHog, or GitHub's own secret scanning exist specifically to catch this before it becomes a Krebs article.
Never hardcode credentials. Environment variables. Secrets managers. A sticky note in a locked drawer is genuinely better than a public GitHub repo.
Audit your contractors. They have access. They are also human. Verify what they're pushing and where.
Go check your own repos right now. I'll wait. I'm not going anywhere. I have thirteen more tickets.
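Since "go check your own repos" is the actual action item, here is what that check looks like in code. This is an added example written for this post, not code from the original article, from CISA, or from any of the scanners named above. It assumes a plain checkout on disk and uses the placeholder credential values from AWS's own documentation as constructed sample input; it looks for the documented shape of an AWS access key ID (AKIA/ASIA prefix plus 16 uppercase letters or digits) and for a secret key assigned by name, and it redacts anything it finds so the report itself does not become a second leak.

```python
import os
import re
import sys
from dataclasses import dataclass

# Patterns for the kind of material the post describes. The AKIA/ASIA prefix
# plus 16 uppercase letters or digits is the documented shape of an AWS access
# key ID; the secret-key pattern keys on the variable name rather than trying
# to recognise a bare 40-character value on its own.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?"
    ),
}


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    redacted: str  # first 4 chars kept, rest masked, so a report never re-leaks the value


def redact(value: str) -> str:
    """Keep a short prefix for triage and mask the rest."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(text: str, path: str = "<memory>") -> list[Finding]:
    """Scan one file's contents line by line and return redacted findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(path, lineno, kind, redact(value)))
    return findings


def scan_tree(root: str, skip_dirs=(".git", "node_modules")) -> list[Finding]:
    """Walk a checkout (assumed layout: ordinary files on disk) and scan each file."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(fh.read(), full))
            except OSError:
                continue
    return findings


# Constructed sample input. The key values are the placeholders AWS uses in its
# documentation, not live credentials. BAD_CONFIG is the shape of file the post
# is complaining about; GOOD_CONFIG pulls the same material from the environment.
BAD_CONFIG = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-gov-west-1
"""

GOOD_CONFIG = """\
# Credentials come from the environment or a secrets manager, never from the repo.
import os
access_key = os.environ["AWS_ACCESS_KEY_ID"]
secret_key = os.environ["AWS_SECRET_ACCESS_KEY"]
"""


if __name__ == "__main__":
    # Show the two constructed samples, then scan whatever path was given (default: cwd).
    for label, sample in (("BAD_CONFIG", BAD_CONFIG), ("GOOD_CONFIG", GOOD_CONFIG)):
        hits = scan_text(sample, label)
        print(f"{label}: {len(hits)} finding(s)")
        for f in hits:
            print(f"  {f.path}:{f.line} {f.kind} {f.redacted}")
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for f in scan_tree(root):
        print(f"{f.path}:{f.line} {f.kind} {f.redacted}")
```

Run it against a checkout and anything it prints is a rotation ticket, not a cleanup ticket: once a value has matched in a file that was ever pushed, deleting the file does nothing about the copies crawlers already took. The scanner only walks the working tree; a hit in an old commit needs a history scan on top of this, which is exactly what the dedicated tools in the list above do.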
Baaaaaad week to be in government IT, but honestly, when isn't it.
Original Report: https://krebsonsecurity.com/2026/05/cisa-admin-leaked-aws-govcloud-keys-on-github/