Target Source Code Leak Confirmed by Employees, Git Server Locked Down
Published
Key Takeaways
- Leak Confirmed: Current and former Target employees have confirmed that samples of leaked source code and documentation match real internal systems and projects.
- Git Server Lockdown: Target accelerated a security change, restricting access to its on-premise GitHub Enterprise Server to require a VPN or on-site connection.
- Potential Root: Researchers identified a compromised employee workstation infected with infostealers in September, which had extensive access to internal services.
A recent Target source code leak has been validated by multiple current and former employees. They confirmed that a sample of data posted online by a threat actor contains authentic code and references to proprietary internal systems belonging to the seventh-largest retailer in the United States, which operates nearly 2,000 stores.Â
Employees Validate Target Leak
The confirmation raises serious questions about the scope of the incident, as the threat actor claims to sell an 860GB archive of stolen source code and developer documentation from the company’s private Git environment, and even published alleged samples.
According to individuals with direct knowledge of the internal CI/CD pipelines and infrastructure who contacted BleepingComputer, the leaked Target information includes project codenames like "BigRED" and "TAP [Provisioning]" and proprietary project codenames and taxonomy identifiers ("blossom IDs").
These project codenames correspond to real platforms used at the retail giant for application deployment and orchestration, and information that aligns includes Hadoop datasets, a customized CI/CD platform based on Vela, and supply-chain infrastructure such as JFrog Artifactory.
Target Implements Emergency Security Measures
Following the initial reports of a potential cybersecurity breach, Target took action to secure its development environment.Â
Reports say that, according to an internal company-wide message, access to the git.target.com server was abruptly restricted and now requires either an on-site or a corporate VPN connection to a Target-managed network.
Previously, the server was accessible from the public internet, protected only by an employee login prompt.
Target Data Leak Investigation and Potential Attack Vector
The root cause of the data exfiltration remains unconfirmed, but the data leak investigation is exploring multiple possibilities. One potential vector identified by Hudson Rock’s security researcher Alon Gal is an employee workstation compromised by infostealer malware in September 2025.Â
This machine reportedly had access to sensitive internal services, including Identity and Access Management (IAM), Confluence, and Jira. While a direct link has not been established, such an infection could have provided the initial foothold attackers needed to exfiltrate the source code.Â
Target has not yet commented on whether it is investigating a data breach or potential insider involvement.
Meanwhile, a report last week stated that dozens of global companies were breached via infostealer credentials, including in aviation, defense, and engineering.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular