On Thursday, KrebsOnSecurity reported that a contractor working for CISA (the Cybersecurity and Infrastructure Security Agency, the US body that issues Known Exploited Vulnerability orders and sets remediation timelines for federal civilian agencies) left AWS GovCloud access keys on a public GitHub repository. The keys were live.
CISA's Binding Operational Directive 22-01 requires federal civilian agencies to remediate actively exploited vulnerabilities within 14 days. Automated secrets scanning in the CI/CD pipeline, the control that catches credentials before they reach a public repository, has been production-grade since at least 2019. The gap between the timeline CISA mandates for other federal agencies and the practice CISA's contractor applied to its own repository is one git commit.
The same week, BleepingComputer reported that Grafana's source code was exfiltrated via a compromised GitHub personal access token. Grafana dashboards sit inside SOC environments and financial-sector monitoring stacks across the region. Grafana's statement called this a security incident. What the exfiltrated source represents is a test corpus: anyone holding the repository can now profile their tooling against Grafana's detection internals before deploying against a target running it. A financial institution that runs Grafana for SOC monitoring does not know what an attacker with the source code has already mapped. The statement did not use that framing.
It is the same failure as the CISA exposure. GitHub's push protection for public repositories has been free since 2022. The CISA contractor's repository was public when KrebsOnSecurity reported it.
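The control both incidents lacked is a scanner that inspects what a commit adds before it leaves the developer's machine or the CI runner. The following is an added example written for this commentary, not a tool from CISA, GitHub or AWS: it flags AWS access key IDs by their fixed format and secret-key candidates by length plus an entropy check, over a constructed diff with fabricated credentials.

```python
"""Minimal AWS-credential scanner of the kind a pre-commit hook or CI job
runs over the lines a commit adds. Example code for this commentary; the
sample diff and the keys in it are constructed, not real credentials."""
import math
import re
from collections import Counter

# Access key IDs are 20 characters: a 4-letter prefix (AKIA long-term,
# ASIA temporary) followed by 16 upper-case alphanumerics.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Secret access keys are 40 base64-alphabet characters. The pattern alone
# over-matches on long identifiers, so candidates are confirmed by entropy.
SECRET_CANDIDATE = re.compile(
    r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")

def shannon_entropy(s: str) -> float:
    """Bits per character: random base64 sits near 5, prose far lower."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_diff(diff: str, secret_entropy_threshold: float = 4.0) -> list[dict]:
    """Return findings for the added ('+') lines of a unified diff."""
    findings = []
    for lineno, line in enumerate(diff.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only newly added content can leak a new secret
        body = line[1:]
        for m in ACCESS_KEY_ID.finditer(body):
            findings.append({"line": lineno, "kind": "aws_access_key_id",
                             "match": m.group()})
        for m in SECRET_CANDIDATE.finditer(body):
            if shannon_entropy(m.group()) >= secret_entropy_threshold:
                findings.append({"line": lineno, "kind": "aws_secret_access_key",
                                 "match": m.group()})
    return findings

def should_block_push(diff: str) -> bool:
    """Push-protection style decision: any finding blocks the push."""
    return bool(scan_diff(diff))

# Constructed diff: one commit that adds a config file with fabricated keys.
SAMPLE_DIFF = """\
--- a/deploy/config.ini
+++ b/deploy/config.ini
+[govcloud]
+region = us-gov-west-1
+aws_access_key_id = AKIAEXAMPLEEXAMPLE01
+aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+comment = this line has forty ordinary characters in it but nothing secret
"""

if __name__ == "__main__":
    for finding in scan_diff(SAMPLE_DIFF):
        print(finding)
```

Wired into a pre-commit hook or a CI step that fails the build on `should_block_push`, this catches the commit before the repository, public or not, ever holds the key.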
Dark Reading on Monday reported an actively exploited Microsoft Exchange zero-day with no available patch. The Hacker News reported the same week a vulnerability granting SYSTEM-level access on fully patched Windows machines. SYSTEM privileges mean an attacker with any foothold can extract credentials, move laterally, and pre-position ransomware before a defender's telemetry fires. That is a notification, not a mitigation.
When I was at Mandiant, the working assumption for a high-severity disclosed CVE was roughly 72 hours before commodity exploitation reached the network. The AI platform flaw weaponized within four hours of public disclosure this week is the current data point on how far that window has moved. Four hours is one business morning. A defender relying on patch deployment as a primary control against unpatched zero-days is working from an assumption roughly 18 times more generous than what the week showed.
The HKMA and HKUST announced a partnership on applied cybersecurity research this week, the same week that calls for mandatory data breach reporting in Hong Kong were renewed. The EU's GDPR requires notification within 72 hours of a discovered breach. Hong Kong law sets no such clock, and the HKMA partnership does not create one. KrebsOnSecurity published the CISA credential exposure on Thursday; Hong Kong has no rule that would compel a comparable disclosure by any date.
India's IRDAI required insurers to certify hardening against AI-enabled attacks by May 22, this Friday. IRDAI has published no assessment methodology specifying what a hardened network means in terms a tester can apply, and no testing standard. An insurer certifies by Friday morning; an attacker scanning that same network Friday afternoon encounters the architecture as it stood before the certification. The submission window closes Friday regardless.