Target Employees Verify Leaked Source Code Is Real

Summary
– Multiple Target employees have confirmed that leaked source code and internal system names match the company’s real development infrastructure.
– Target accelerated a security change, restricting its internal Git server to only be accessible via its corporate network or VPN after being contacted about the leak.
– Security researchers identified a compromised Target employee workstation from September 2025 that had extensive access to internal systems like IAM and wikis.
– The threat actor is selling a claimed 860GB dataset, and a small sample reviewed contains authentic proprietary code, raising concerns about the full archive’s sensitivity.
– Target has not publicly commented on whether it is investigating a potential data breach or insider involvement in the incident.

Multiple current and former Target employees have confirmed to our publication that source code and technical documentation recently posted online by a threat actor is authentic, matching the retail giant’s genuine internal systems. This verification follows our initial report that hackers are attempting to sell what they claim is Target’s proprietary source code. The confirmation from insiders significantly elevates the severity of the incident, moving it from a mere claim to a substantiated data exposure with potential security ramifications.
Several sources with direct knowledge of Target’s internal development and deployment infrastructure have corroborated the leaked data’s authenticity. A former employee identified specific internal system names within the leaked sample, such as “BigRED” and “TAP [Provisioning],” as real platforms the company uses for deploying and managing applications. Both current and former staff also confirmed that references to technology stacks, including Hadoop datasets, align with Target’s actual internal systems. The sample includes details about a customized CI/CD platform based on Vela, which Target has discussed publicly, and supply-chain infrastructure like JFrog Artifactory. Employees further identified proprietary project codenames and internal taxonomy identifiers, such as “blossom IDs,” present in the leaked files. The presence of these specific internal references, employee names, and matching URLs strongly indicates the material is a genuine snapshot of Target’s development environment, not fabricated or generic code.
In response to the situation, a current employee shared internal communications revealing an accelerated security change. A company-wide Slack message from a senior product manager announced that, effective January 9th, 2026, access to git.target.com, Target’s on-premises GitHub Enterprise Server, now requires a connection to a Target-managed network or corporate VPN. This change was implemented a day after our publication first contacted Target about the alleged leak. Previously, the git.target.com site was accessible over the web, prompting employees to log in. It is now inaccessible from the public internet, signaling a lockdown of the company’s proprietary source code repository. While Target hosts open-source code on GitHub.com, the git.target.com server is reserved for internal development, making this access restriction a critical containment measure.
The origin of the leak remains under investigation. However, a separate threat intelligence finding may provide a clue. Security researchers identified a Target employee workstation that was compromised by information-stealing malware in late September 2025. This infected system reportedly had extensive access to internal services, including Identity and Access Management (IAM), Confluence, wiki, and Jira. While there is no confirmed link between this infection and the source code now for sale, such malware is commonly used to steal credentials and data that threat actors may monetize months later. The actor advertising the data claims the full archive is roughly 860GB in size. Employees confirm that even the small, publicly available 14MB sample contains authentic code, raising serious concerns about what sensitive proprietary information might be contained within the much larger, full dataset.
Target has not responded to follow-up inquiries regarding whether it is investigating a potential data breach or insider involvement. The company’s public silence contrasts with the internal security changes being rapidly deployed and the growing evidence from its own employees that the leaked materials are real. The incident underscores the persistent risks posed by compromised employee endpoints and the value threat actors place on corporate source code, which can reveal security flaws and proprietary business logic.
(Source: Bleeping Computer)





