Target employees have confirmed that the internal source code leaked and shared via an open source platform is authentic, raising concerns over enterprise Git security and endpoint compromise risks.
Multiple current and former Target employees have confirmed that internal source code and documentation recently leaked online and shared via an open source platform are authentic and correspond to real systems used by the retailer.
The verification follows claims by threat actors that they are selling Target’s internal source code after publishing a 14MB sample of stolen repositories on Gitea, a public, open source code-hosting platform. Employees with direct knowledge of Target’s CI/CD pipelines and infrastructure confirmed that the materials match genuine internal environments.
Former employees confirmed that internal system names visible in the leaked sample, including ‘BigRED’ and ‘TAP [Provisioning]’, are legitimate platforms used for cloud and on-premise application deployment and orchestration. Both current and former staff also verified that Hadoop datasets referenced in the repositories align with Target’s internal technology stack.
The leaked materials further reference a customised CI/CD platform based on Vela, previously discussed publicly by Target, alongside supply-chain tooling such as JFrog Artifactory. Employees also independently identified proprietary project codenames and internal taxonomy identifiers, including “blossom IDs”, within the dataset.
The presence of internal system references, employee names, project identifiers, and matching URLs strongly suggests the repositories reflect a real internal development environment rather than fabricated code.
In response, Target accelerated restrictions on access to its on-prem GitHub Enterprise Server. A senior product manager announced that, effective January 9th, 2026, access to git.target.com now requires a Target-managed network connection.
Security researcher Alon Gal, CTO and co-founder of Hudson Rock, said his team identified a Target employee workstation compromised by infostealer malware in late September 2025, with access to IAM, Confluence, wiki, and Jira systems. However, no confirmed link has been established between that infection and the leaked code.
Target has not commented on whether it is investigating a breach or potential insider involvement.
