Threat Actor Teases Source Code for Sale After Hack of Target Systems

See Full Article: https://securityboulevard.com/2026/01/threat-actor-teases-source-code-for-sale-after-hack-of-target-systems/

Hackers reportedly are offering to sell internal source code and other developer data stolen from giant U.S. retailer Target after showing a sample of what was taken and promising that more was to come.

A threat actor last week created several repositories on Gitea, an open-source, self-hosted Git service, claiming that the dataset added up to about 860 GB of data. The repositories contained such information as source code, configuration files, and developer documentation, with file folders and names appearing to show digital wallets, store networking tools, gift card platforms, and identity services.

Each of the repositories posted by the hacker contained a SALE.MD file that listed tens of thousands of files and directories that were said to be included in the large amount of data taken. The repositories were shown for a limited time to prove the authenticity of the data and then were taken down.

Target executives have not responded to the data theft first reported by BleepingComputer, though several current and former employees of the retailer told the news site that the source code and documentation published by the hackers were authentic.

That’s an important development, according to Michael Bell, founder and CEO of cybersecurity and AI company Suzu Labs.

“Employee confirmation of authenticity matters more than the threat actor’s claims,” Bell said. “Anyone can claim to have breached a company. When current and former employees independently verify that internal system names, CI/CD tooling, and proprietary project references match real infrastructure, that’s substantive validation.”

Locking Down Access

Soon after being contacted by BleepingComputer about the reported data breach, Target executives locked down the company’s internal Git server, which had been accessible from the internet.

“The accelerated lockdown to require VPN access raises an obvious question: Why wasn’t that already required?” Suzu Labs’ Bell asked. “Exposing internal Git servers to the public internet, even behind authentication, creates unnecessary attack surface. The fact that this change was accelerated after the breach suggests the access controls weren’t where they should have been.