Target source code for sale on dark web as employees confirm it’s authentic


Hackers are reportedly attempting to sell internal source code belonging to Target Corporation, after publishing what appears to be a sample of stolen code repositories on a public software development platform.

An unknown threat actor created multiple repositories on Gitea, a self-hosted Git service, purportedly containing portions of Target's internal code and developer documentation.

These repositories were presented as a preview of a larger dataset allegedly offered for sale on underground forums and included names like “wallet-services-wallet-pentest-collections” and “Secrets-docs.”

According to Bleeping Computer, the first outlet to exclusively report the alleged Target source code theft, each repository contained a file named SALE.MD listing all files and directories purportedly included in the full dataset.

The listing was more than 57,000 lines long and advertised a total archive size of approximately 860GB.

Commit metadata and documentation within the repositories referenced internal Target development servers and named current Target engineers.

Moreover, after Target, a major US general merchandise retailer, was contacted over the alleged breach, the company seems to have accelerated a security change that restricted access to its Enterprise Git Server.

Neither Target nor the threat actors have provided any additional information about the initial entry. It’s not clear how the data ended up in the hands of the threat actor.

But it certainly looks like a big breach for now, especially since multiple current and former Target employees have confirmed to Bleeping Computer that the source code and documentation shared online match real internal systems.

According to the outlet, the sources have direct knowledge of Target’s internal CI/CD pipelines and infrastructure. They say the leaked data – system references, employee names, project titles, and matching URLs – seems authentic.

One employee also shared a screenshot of a company-wide Slack message in which a senior product manager announced a sudden security change.

“Effective January 9th, 2026, access to git.target.com (Target’s on-prem GitHub Enterprise Server) now requires connection to a Target-managed network (either on-site or via VPN). This change was accelerated and aligns with how we're handling access to GitHub.com,” the manager wrote.

Cybersecurity researcher Alon Gal, co-founder of Hudson Rock, soon said that his team had identified a Target employee workstation that was compromised by infostealer malware in late September 2025 and had extensive access to internal services.

It cannot be confirmed that this particular infection has anything to do with the source code now allegedly being for sale. It is common practice for hackers to pilfer data and only try to monetize it months later, however.

