Hackers are claiming to be in possession of internal source code belonging to Target Corporation, after publishing what appears to be a limited sample of private repositories on a public software development platform. The incident has drawn significant attention within the cybersecurity community due to the apparent scale of the alleged data exposure and the subsequent unavailability of Target’s internal Git infrastructure.
Alleged source code leak and underground sale claims
According to reporting by BleepingComputer, an unidentified threat actor recently created multiple repositories on Gitea, a self-hosted version control platform comparable to GitHub or GitLab. These repositories were presented as a preview of a much larger dataset that the attacker claims is being offered for sale via private channels or underground forums.
The threat actor reportedly promoted the leak by sharing screenshots in a closed hacking community, asserting that the published repositories represented only an initial subset of data “going to auction.” Each repository contained a file named SALE.MD, listing tens of thousands of files and directories allegedly included in the full archive. The index exceeded 57,000 lines and advertised a total compressed size of approximately 860 GB, suggesting a large-scale extraction consistent with enterprise development environments.
Repository structure and internal references
The repository names alone point to potentially sensitive internal systems and development workflows, including projects related to wallet services, identity management, gift card platforms, and internal documentation. Examples included references to wallet penetration testing collections, identity provisioning APIs, and documents labeled as containing secrets.
More notably from a cybersecurity standpoint, commit metadata and documentation within the repositories referenced internal Target development servers and named multiple current lead and senior engineers. The files also contained links to internal platforms and APIs, such as corporate Confluence instances, which are typically restricted to authenticated users within an organization’s secure network.
Target Git infrastructure taken offline
After BleepingComputer contacted Target to request comment and shared the Gitea repository links, the sample repositories were removed and began returning 404 errors, behavior consistent with a takedown request. Around the same time, Target’s internal developer Git server, hosted at git.target.com, became inaccessible from the public internet.
Prior to this change, the subdomain redirected external visitors to a login page that instructed employees to connect via the company’s secure network or VPN. Shortly thereafter, the site ceased loading externally altogether, suggesting a defensive response to potential exposure or increased scrutiny.
Security researchers also observed that search engines had previously indexed and cached a small number of resources from git.target.com. While this does not conclusively prove a breach or misconfiguration, it indicates that some content from the domain may have been accessible under certain conditions in the past. Importantly, the presence of cached pages alone does not establish a direct link between search engine indexing and the current claims of data theft.
Indicators suggesting an internal origin
At the time of reporting, the full 860 GB dataset had not been independently verified, and no definitive confirmation of a breach had been made public. However, several technical indicators raise concerns from an incident response perspective. The directory structures, naming conventions, and internal system references align with what would be expected from a large enterprise’s private Git environment rather than a public or open-source codebase.
Additionally, the material does not correspond to any known open-source repositories published by Target, implying that, if authentic, the data would have originated from private development infrastructure. The inclusion of current employee names in commit histories and documentation further strengthens the possibility that the source was internal rather than fabricated.
Context within Target’s security history
Target has not publicly confirmed the breach and did not provide additional comment following initial inquiries. If validated, this incident would represent a significant source code exposure, carrying risks such as intellectual property theft, supply chain attacks, and the discovery of latent vulnerabilities within proprietary systems.
Target’s most notable publicly disclosed cybersecurity incident remains the 2013 breach, during which attackers compromised point-of-sale systems and stole payment card data and personal information belonging to up to 110 million customers. That attack, later investigated by U.S. Senate and academic bodies, involved exfiltration of data to infrastructure located in Eastern Europe and fundamentally reshaped how large retailers approach network segmentation, monitoring, and third-party risk.
From a modern cybersecurity perspective, the current claims underscore the critical importance of securing source code repositories, enforcing strict access controls, continuously auditing Git infrastructure, and monitoring for data exfiltration indicators—particularly as attackers increasingly target development environments as high-value entry points into enterprise systems.
