Attackers are claiming to be selling Target’s internal source code and developer documentation having published a sample of stolen repositories on Gitea, a public software development platform, BleepingComputer reports.
The listings reference roughly 57,000 files and directory names, with the threat actor claiming an overall dump size of approximately 860 GB being offered for sale. The repositories appear to stem from Target’s private development environment and reportedly reveal internal naming conventions, commit metadata containing engineer names, and references to internal systems.
After security researchers alerted Target to the exposed repositories, the sample files were removed and the company’s developer Git server (git.target.com) was taken offline, effectively pulling its development infrastructure from public access as part of the response. At the same time, Target initiated an “accelerated” lockdown of its Git environment, tightening controls so that access now requires a connection through the company’s VPN or managed network to reduce the risk of further unauthorized access.
Multiple current and former Target employees have since confirmed that the leaked source code samples align with genuine internal platforms, tools, and technology stacks used by the company, including references to CI/CD pipelines, Hadoop datasets, and proprietary service names.
Target has not publicly disclosed the full extent of the incident, nor confirmed whether the complete dataset was exfiltrated.
Giving Attackers a Roadmap
Michael Bell, Founder & CEO of Suzu Labs, says: “Source code exposure gives attackers a roadmap. They can study authentication flows, find hardcoded secrets, identify vulnerable dependencies, and understand internal architecture before launching follow-on attacks. The code becomes reconnaissance.”
According to him, the “accelerated” lockdown to require VPN access raises an obvious question… why wasn’t that already required? “Exposing internal Git servers to the public internet, even behind authentication, creates unnecessary attack surface. The fact that this change was accelerated after the breach suggests the access controls weren’t where they should have been.
“Employee confirmation of authenticity matters more than the threat actor’s claims. Anyone can claim to have breached a company. When current and former employees independently verify that internal system names, CI/CD tooling, and proprietary project references match real infrastructure, that’s substantive validation.”
Bell believes the infostealer angle is worth watching. “Hudson Rock identified a compromised Target employee workstation from September 2025 with access to IAM, Confluence, wiki, and Jira. No confirmation it’s connected, but infostealer logs are increasingly how initial access happens. Credentials get harvested, sit in underground markets, and show up months later when someone decides to monetize them.”
A Blueprint for Exploitation
John Carberry, Solution Sleuth, Xcape Inc, adds that this incident seriously damages the retailer’s technical security, potentially giving attackers a detailed understanding of their digital infrastructure. “The leak of 57,000 files, including CI/CD pipelines, Hadoop setups, and proprietary service names, offers a “blueprint for exploitation.” This enables future attackers to find hardcoded secrets or vulnerabilities in Target’s supply chain.”
He says the retailer’s quick response, including taking down its Git server, while necessary, shows a failure to protect its developers from credential theft or misconfiguration. “This breach is especially harmful because it reveals the names and details of internal engineers, creating a targeted list for spear-phishing or social engineering.”
Carberry adds that unlike a simple data breach, a source code leak is a persistent threat on the dark web, as researchers are now able to analyze Target’s core business logic for vulnerabilities offline. “Target spent over a decade rebuilding its reputation after the 2013 POS breach. This exposure of their internal code indicates the importance of network segmentation and identity-first security. When source code leaks, attackers stop probing and start hunting.”
Delivery Infrastructure is Part of the Attack Surface
Ryan McCurdy, VP of Marketing at Liquibase, adds: “This is a reminder that delivery infrastructure is now part of the attack surface. Locking Git behind a managed network or VPN is a practical containment step, but containment isn’t the same as trust. At enterprise scale, the real control point is before production: governance at the point of change with enforced access, separation of duties, automated policy gates, and audit-grade evidence from commit to deployment. And the database layer is where this matters most, because one ungoverned schema change can ripple across applications, analytics, and AI workloads. Runtime is response. Trust is built before production.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.