Home Depot Internal Systems Exposed via Leaked GitHub Token
A security researcher discovered that a Home Depot employee had inadvertently published a private GitHub access token online, which remained exposed for approximately a year. The token granted access to hundreds of private source code repositories, as well as critical internal systems such as order fulfillment, inventory management, and code development pipelines. The researcher attempted to alert Home Depot multiple times but received no response until the issue was escalated through media contact, after which the exposure was remediated.
The exposed credential provided not only read but also write permissions to sensitive repositories and cloud infrastructure, significantly increasing the risk of unauthorized modifications or data breaches. Home Depot has since removed the leaked token from public view, but the incident highlights the dangers of credential leakage and the importance of timely response to security disclosures. The company has hosted much of its developer infrastructure on GitHub since 2015, making such exposures particularly impactful.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Home Depot removes exposed credential after media inquiry
Home Depot removed the credential from public view only after TechCrunch contacted the company for comment. This action ended the public exposure described by the researcher.
Zimmermann makes multiple disclosure attempts to Home Depot
After identifying the exposed token, Zimmermann reportedly tried several times to notify Home Depot about the issue. According to the reports, the company did not respond to those outreach attempts.
Researcher Ben Zimmermann discovers the exposed Home Depot token
Security researcher Ben Zimmermann found the leaked credential and determined that it could be used to access private GitHub repositories and parts of Home Depot's cloud infrastructure. His findings established the scope and duration of the exposure.
Exposed credential leaves Home Depot internal systems accessible for about a year
For roughly a year after the token was published, the exposed credential reportedly allowed access to internal Home Depot resources, including systems tied to order fulfillment and inventory management. The exposure persisted without remediation during that period.
Home Depot employee token is accidentally published on GitHub
A private GitHub access token belonging to a Home Depot employee was accidentally exposed in a public GitHub repository in early 2024. The credential reportedly granted write access to private Home Depot repositories and access to cloud-connected internal systems.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Mass Exposure of Live Credentials in Public Docker Hub Images
Security researchers at Flare have discovered that over 10,000 public Docker Hub container images are leaking sensitive secrets, including live credentials for production systems, cloud services, CI/CD pipelines, and AI platforms. The exposed data affects more than 100 organizations, ranging from small businesses to a Fortune 500 company and a major national bank. Many of these secrets are not placeholders but active credentials, with nearly 4,000 API keys for large language models such as OpenAI, HuggingFace, Anthropic, Gemini, and Groq found in the wild. In some cases, a single image contained five or more exposed secrets, significantly increasing the risk of unauthorized access to critical infrastructure. The leaks are often the result of developers inadvertently including sensitive files and hard-coded keys in Docker images, which are then published to public repositories. A notable portion of the exposed secrets comes from "shadow IT" accounts—personal or team Docker Hub registries outside formal corporate oversight—making them difficult for organizations to monitor and secure. The majority of affected organizations are in the software development sector, but the exposure also impacts finance, banking, and AI companies. This incident highlights the urgent need for improved security hygiene and automated scanning in the container development lifecycle to prevent inadvertent credential leaks.
Mar 21, 2026
CISA Contractor GitHub Repository Exposed AWS GovCloud Keys and Internal Credentials
A public GitHub repository tied to a contractor supporting the U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) exposed plaintext passwords, access tokens, cloud keys, logs, spreadsheets, and deployment files that could provide access to CISA and Department of Homeland Security internal and cloud systems. Researchers from GitGuardian and Seralys reported that the repository, named **"Private-CISA"**, contained administrative credentials for three AWS GovCloud accounts as well as numerous credentials for internal CISA systems; some of the exposed secrets were verified as valid. The repository was reportedly linked to a Nightwing employee and appears to have been used as an informal working scratchpad rather than a controlled code repository, with commit history indicating GitHub secret-scanning protections had been disabled. After alerts to the contractor reportedly went unanswered, the issue was escalated and the GitHub account was taken offline, but exposed AWS keys were said to remain valid for roughly 48 hours after disclosure. CISA said it is investigating and that it had no indication the credentials were abused, though the incident represents a significant security lapse at the federal agency responsible for civilian cybersecurity.
Jun 1, 2026
Target Investigates Alleged Source Code Theft and Restricts Enterprise Git Access
Target is responding to claims that attackers stole and are attempting to sell **internal source code and developer documentation** after a threat actor posted what appeared to be sample repositories on the public Git platform *Gitea*. The actor advertised the leak as a preview of a much larger dataset “to go to auction,” with `SALE.MD` files listing tens of thousands of paths (over 57,000 lines) and an alleged archive size of roughly **860 GB**; sample repository names included `Secrets-docs`, `GiftCardRed-giftcardui`, and `TargetIDM-TAPProvisioingAPI`. After media inquiries, the posted files were removed and Target’s internet-accessible developer Git endpoint (`git.target.com`) became inaccessible. Multiple current and former Target employees told reporters that the leaked materials appear authentic, citing matches to internal system names and deployment tooling (e.g., references to platforms such as **“BigRED”** and **“TAP [Provisioning]”**, Hadoop datasets, and a customized CI/CD stack based on *Vela*). Employees also pointed to references consistent with Target’s supply-chain/development infrastructure (e.g., *JFrog Artifactory*) and internal project identifiers (including “blossom IDs”). Internal communications shared with reporters described an “**accelerated**” security change that further restricted access to Target’s Enterprise Git server shortly after the alleged leak surfaced.
Mar 21, 2026