Target Investigates Alleged Source Code Theft and Restricts Enterprise Git Access
Target is responding to claims that attackers stole and are attempting to sell internal source code and developer documentation after a threat actor posted what appeared to be sample repositories on the public Git platform Gitea. The actor advertised the leak as a preview of a much larger dataset “to go to auction,” with SALE.MD files listing tens of thousands of paths (over 57,000 lines) and an alleged archive size of roughly 860 GB; sample repository names included Secrets-docs, GiftCardRed-giftcardui, and TargetIDM-TAPProvisioingAPI. After media inquiries, the posted files were removed and Target’s internet-accessible developer Git endpoint (git.target.com) became inaccessible.
Multiple current and former Target employees told reporters that the leaked materials appear authentic, citing matches to internal system names and deployment tooling (e.g., references to platforms such as “BigRED” and “TAP [Provisioning]”, Hadoop datasets, and a customized CI/CD stack based on Vela). Employees also pointed to references consistent with Target’s supply-chain/development infrastructure (e.g., JFrog Artifactory) and internal project identifiers (including “blossom IDs”). Internal communications shared with reporters described an “accelerated” security change that further restricted access to Target’s Enterprise Git server shortly after the alleged leak surfaced.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Current and former employees say leaked code matches Target systems
Multiple current and former Target employees told BleepingComputer that the leaked source code and documentation appeared authentic and matched internal platform names, project identifiers, and components used in Target's environment. Their statements strengthened confidence that the sample came from real internal development systems.
Target removes exposed repositories and restricts Git server access
After BleepingComputer contacted Target and shared the Gitea links, the posted repositories were removed and began returning 404 errors. Target also rapidly locked down git.target.com, making its on-prem GitHub Enterprise Server inaccessible from the public internet and requiring a Target-managed network or VPN.
BleepingComputer reviews leaked sample and reports authenticity indicators
BleepingComputer examined a small sample of the posted data and found repository names, directory structures, internal system references, and commit metadata that appeared consistent with Target's private development environment rather than its public GitHub projects. The outlet said it could not independently verify the full dataset or confirm a breach.
Threat actor advertises alleged Target source code for sale
An unknown threat actor claimed to be selling Target Corporation internal source code and documentation, publishing sample repositories on a public Gitea instance. A SALE.MD index allegedly listed tens of thousands of files and described a larger archive of about 860 GB intended for auction.
Target employee workstation reportedly infected with infostealer malware
Hudson Rock CTO Alon Gal reported identifying a Target employee workstation compromised by infostealer malware in late September 2025. The machine allegedly had access to internal services including IAM, Confluence, Wiki, and Jira, though no direct link to the later source-code sale was confirmed.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Hackers claim to sell Target source code after alleged data leak | SC Media
scworld.com
Open sourceTarget employees confirm leaked code after ‘accelerated’ Git lockdown
bleepingcomputer.com
Open sourceTarget employees confirm leaked source code is authentic
bleepingcomputer.com
Open sourceTarget's dev server offline after hackers claim to steal source code
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Open-source malware and infostealer-driven compromise of developer environments
Threat activity in 2025 increasingly targeted **developer environments and software supply chains**, with Sonatype reporting more than **450,000** newly identified malicious open-source components and a heavy concentration in the **npm** ecosystem. Campaigns were characterized by automation and scale: attackers published large batches of similarly named packages, rapidly re-uploaded them after takedowns, and in some cases achieved lateral propagation through developer machines and linked projects, compromising downstream components within days. The reporting highlights a shift away from end-user targeting toward build tools, developer workstations, and CI/CD pipelines, and warns that smaller ecosystems should adopt mature controls (e.g., stronger access controls and **2FA**) before abuse scales. A separate incident illustrates the impact of developer-environment compromise: roughly **860GB of Target source code and internal developer documentation** reportedly appeared online, with employees confirming authenticity. Threat researchers assessed the intrusion likely began with an **infostealer infection** on an employee workstation in late 2025, enabling theft of credentials/session tokens and subsequent access to internal services (e.g., IAM, Confluence, Jira) and code repositories over several months before detection. After discovery, Target reportedly took its Git server offline and tightened VPN/access controls, with internal notes suggesting repository access controls may have been misconfigured—reinforcing the broader trend of attackers using compromised developer endpoints and weakly protected engineering infrastructure to exfiltrate sensitive code and pipeline details.
Mar 21, 2026
Trellix Investigates Unauthorized Access to Internal Source Code Repository
Trellix disclosed that attackers gained unauthorized access to part of its internal source code repository and said it immediately engaged external forensic experts and notified law enforcement. The cybersecurity vendor reported that its investigation had found **no evidence** that the release or distribution pipeline was compromised, that customer-facing products were tampered with, or that the accessed code had been exploited in the wild, but the inquiry remains ongoing. The incident is significant because Trellix is a major endpoint security and XDR provider formed from the merger of McAfee Enterprise and FireEye, with products used by governments and large enterprises. Public reporting said key details remain unclear, including the intruder's identity, the initial access vector, dwell time, which products or codebases were affected, and whether any additional data was exfiltrated; security observers warned that exposed source code can aid vulnerability discovery, reveal defensive logic, and create potential downstream supply-chain risk even without confirmed product compromise.
May 25, 2026
Checkmarx Confirms Dark Web Leak of Data Taken From Internal GitHub Repository
Checkmarx said data stolen during its March supply chain intrusion has been published on the dark web, with investigators tracing the exposure to a corporate GitHub repository accessed during the initial attack. The company said the affected repository was part of its developer environment, not its customer production environment, and that current evidence indicates customer data was not stored there and remains unaffected. The disclosure follows reports that **LAPSUS$** listed Checkmarx on its leak site and claimed to possess source code, an employee database, API keys, and `MongoDB` and `MySQL` credentials. Checkmarx said it has locked down access to the repository and is continuing forensic analysis to determine exactly what source code or internal documentation was exfiltrated, while warning that the incident is part of a broader supply chain attack chain that also involved tampered GitHub Actions workflows, Open VSX plugins, and other developer tooling tied to the earlier compromise.
May 12, 2026