Cyber Incident Victim: Target
Date: Sep 2025
Location: United States of America
Summary
Target employees confirmed that leaked source code and documentation match internal systems, citing references to platforms such as BigRED and TAP [Provisioning], Hadoop datasets, a customized Vela‑based CI/CD pipeline, JFrog Artifactory, and internal identifiers like blossom IDs. A current employee shared a screenshot showing an accelerated security change that now requires a company‑managed network connection to access the on‑prem Git server, implemented a day after the company was first contacted about the leak. Security researchers identified a compromised employee workstation infected with infostealer malware that had access to IAM, Confluence, wiki, and Jira, though no direct link to the exfiltrated data has been established. The threat actor claims the full dataset is approximately 860GB, while a 14MB sample reviewed by reporters contains authentic internal code and system references.
Description
On January 13 2026 BleepingComputer published a report that a threat actor was offering Target’s internal source code for sale after posting a sample of five partial repositories on the public Gitea platform. The sample totaled approximately 14 megabytes and contained code fragments, documentation, and references to internal systems. Multiple current and former Target employees contacted the outlet to verify that the material matched real internal environments, citing the presence of system names such as “BigRED” and “TAP [Provisioning]” that correspond to Target’s cloud and on‑premises application deployment and orchestration platforms. Employees also confirmed that the technology stack referenced in the leak, including Hadoop datasets, a customized CI/CD platform based on Vela, and the use of JFrog Artifactory, aligns with tools actually used inside the company. In addition, proprietary project codenames and internal taxonomy identifiers known as “blossom IDs” appeared in the sample, further supporting the claim that the leaked data originated from a genuine Target development repository rather than fabricated code. The threat actor asserted that the complete dataset amounted to roughly 860 gigabytes, although only the small sample had been examined at the time of the report.

A security researcher from Hudson Rock, Alon Gal, disclosed that his team had identified a Target employee workstation compromised by infostealer malware in late September 2025. The infected machine reportedly had extensive access to internal services including IAM, Confluence, the corporate wiki, and Jira. The researcher noted that, among the many infected Target employee systems observed, very few possessed IAM credentials and wiki access, making this particular case notable. However, no direct link was established between this specific compromise and the subsequent source‑code leak, and the researcher emphasized that threat actors often exfiltrate data months before attempting to monetize or publish it. In response to the allegations, a current Target employee shared an internal Slack message from a senior product manager announcing an accelerated security change. Effective January 9 2026, access to the on‑premises GitHub Enterprise Server at git.target.com now requires a connection to a Target‑managed network, either on‑site or via VPN, a measure implemented one day after BleepingComputer first contacted the company about the alleged leak.
Employees expressed concern that even the limited 14 megabyte sample contained authentic internal code and system references, raising questions about the sensitivity and potential impact of the much larger archive claimed by the threat actor. The verification of the leak’s authenticity prompted internal discussions about the scope of exposed assets, though no public disclosure of specific data loss, service disruption, or financial consequence has been made available in the reported material. The incident remains under investigation, with the exact method of data exfiltration still undetermined.
