Target Employees Confirm Authenticity of Leaked Internal Source Code, Company Implements Accelerated Security Changes

Current and former Target employees have confirmed that source code and documentation shared online by a threat actor match the company's internal systems.

A current employee also disclosed internal communications detailing an "accelerated" security change. The change, implemented a day after BleepingComputer contacted the company regarding the alleged leak, restricted access to Target's Enterprise Git server.

Authenticity of Leaked Materials Confirmed

BleepingComputer reported that hackers claimed to be selling Target's internal source code, publishing a sample of stolen repositories on Gitea. Multiple sources familiar with Target's internal CI/CD pipelines and infrastructure have corroborated the data's authenticity.

A former Target employee confirmed that internal system names in the sample, such as "BigRED" and "TAP [Provisioning]," correspond to real platforms used for cloud and on-premise application deployment and orchestration.

Both current and former employees confirmed that elements of the technology stack referenced in the sample, including Hadoop datasets, align with internal systems. This includes tooling built around a customized CI/CD platform based on Vela and the use of JFrog Artifactory.

Employees also referenced proprietary project codenames and taxonomy identifiers, such as "blossom IDs," present in the leaked dataset. The presence of these system references, employee names, project names, and matching URLs in the sample supports the conclusion that the material reflects a genuine internal development environment.

Accelerated Access Change Implemented

A current employee provided a screenshot of a company-wide Slack message from a senior product manager announcing a sudden security change. Effective January 9th, 2026, access to git.target.com (Target's on-prem GitHub Enterprise Server) now requires connection to a Target-managed network (on-site or via VPN). The message stated this change was accelerated and aligns with GitHub.com access protocols.

While Target hosts open-source code on GitHub.com, git.target.com is used for internal development and requires employee authentication. git.target.com was accessible over the web until recently but is now only reachable from Target's internal network or corporate VPN, indicating a lockdown of access to the proprietary source code environment.

Potential Root Cause

The method by which the data reached the threat actor has not been determined. Security researcher Alon Gal, CTO and co-founder of Hudson Rock, stated his team identified a Target employee workstation compromised by infostealer malware in late September 2025. This workstation had extensive access to internal services, including IAM, Confluence, wiki, and Jira credentials.

There is no confirmation linking this specific infection to the source code currently advertised for sale. However, threat actors sometimes exfiltrate data and monetize it months later. The threat actor claims the full dataset is approximately 860GB. BleepingComputer reviewed a 14MB sample, which employees state contains authentic internal code and system references.

Target has not responded to BleepingComputer's inquiries regarding the alleged leak or the potential for a breach or insider involvement.