Threat Actor Teases Source Code for Sale After Hack of Target Systems

Hackers reportedly are offering to sell internal source code and other developer data stolen from giant U.S. retailer Target after showing a sample of what was taken and promising that more was to come.

A threat actor last week created several repositories on Gitea, an open-source, self-hosted Git service, claiming that the dataset added up to about 860 GB of data. The repositories contained such information as source code, configuration files, and developer documentation, with file folders and names appearing to show digital wallets, store networking tools, gift card platforms, and identity services.

In each of the repositories posted by the hacker was a SALE.MD file that listed tens of thousands of files and directories that were said to be included in the large amount of data taken. The repositories were shown for a limited time to prove the authenticity of the data and then were taken down.

Target executives have not responded to the data theft first reported by BleepingComputer, though several current and former employees of the retailer told the news site that the source code and documentation published by the hackers were authentic.

That’s an important development, according to Michael Bell, founder and CEO of cybersecurity and AI company Suzu Labs.

“Employee confirmation of authenticity matters more than the threat actor’s claims,” Bell said. “Anyone can claim to have breached a company. When current and former employees independently verify that internal system names, CI/CD tooling, and proprietary project references match real infrastructure, that’s substantive validation.”

Widespread Harm

The harm to Target could be widespread, said John Carberry, solution sleuth at cybersecurity firm Xcape.

“The reported theft of 860 GB of Target’s internal source code and developer documentation seriously damages the retailer’s technical security, potentially giving attackers a detailed understanding of their digital infrastructure,” Carberry said. “The leak of 57,000 files, including CI/CD pipelines, Hadoop setups, and proprietary service names, offers a blueprint for exploitation. This enables future attackers to find hardcoded secrets or vulnerabilities in Target’s supply chain.”

He added that “unlike a simple data breach, a source code leak is a persistent threat on the dark web, as researchers can now analyze Target’s core business logic for vulnerabilities offline.”

Locking Down Access

Soon after being contacted by BleepingComputer about the reported data breach, Target executives locked down the company’s internal Git server, which had been accessible from the internet.

“The accelerated lockdown to require VPN access raises an obvious question: Why wasn’t that already required?” Suzu Labs’ Bell asked. “Exposing internal Git servers to the public internet, even behind authentication, creates unnecessary attack surface. The fact that this change was accelerated after the breach suggests the access controls weren’t where they should have been.”

Xcape’s Carberry said the exposed data puts some of Target’s employees at risk.

“Target’s quick response, including taking down its Git server, while necessary, shows a failure to protect its developers from credential theft or misconfiguration,” he said. “This breach is especially harmful because it reveals the names and details of internal engineers, creating a targeted list for spear-phishing or social engineering.”

Response Isn’t Trust

Ryan McCurdy, vice president of marketing at database change management company Liquibase, said the Target hack should serve as a reminder that “delivery infrastructure is now part of the attack surface.”

“Locking Git behind a managed network or VPN is a practical containment step, but containment isn’t the same as trust,” McCurdy said. “At enterprise scale, the real control point is before production: Governance at the point of change with enforced access, separation of duties, automated policy gates, and audit-grade evidence from commit to deployment. … Runtime is response. Trust is built before production.”

Jeffrey Burt

Jeffrey Burt has been a journalist for more than three decades, writing about technology since 2000. He’s written for a variety of outlets, including eWEEK, The Next Platform, The Register, The New Stack, eSecurity Planet, and Channel Insider.