Hackers Sell Alleged Target Source Code on Dark Web, Employees Verify Authenticity

An unidentified threat actor has reportedly posted target corporation’s internal source code for sale on the dark web. This information hit the web as the hacker released a list of stolen repositories on the platform of a public software development entity.

Threat Actor Advertise Target Internal Source Code for Sale

The internal source code of Target Corporation, a top American merchandise retailer, has purportedly hit the dark web for sale. The recent development unfolded as an unknown threat actor generated some repositories on Gitea, which allegedly contain Target’s source code and developer documentation.

Gitea is a public software development platform and self-hosted Git service, similar to GitLab or GitHub. The bad actor has presented the repositories as a sample of a bulk dataset exclusively offered for sale on an underground private platform.

This tactic of leaking samples to advertise a larger, paid dataset on the dark web mirrors recent incidents against major corporations, such as the leak of core blueprints from a leading steel manufacturer.

Hackers indicated that the preview repositories are the first set of data to be auctioned. Each repository included a file labeled SALE.MD, comprising tens of thousands of files and directories within the dataset.

Additionally, the advertised listing amounted to almost 860 GB of exfiltrated dataset, arranged in over 57,000 lines. Also, the commit metadata and documentation highlighted some names of internal Target development servers and many current Target lead and senior engineers.

The Gitea sample of the listed repositories contained the following:

• TargetIDM-TAPProvisioningAPI
• Wallet-services-wallet-pentest-collections
• Secrets-docs
• Store-Labs-wan-downer
• GiftCardRed-giftcardui

Target Employees Confirm the Authenticity of Stolen Internal Source Code

According to Bleeping Computer, some current and former employees of Target confirmed the authenticity of the exposed Target internal source code. The report noted that the employees acknowledged that shared source code and developer documentation correspond to real Target’s internal systems.

Further, a former Target employee mentioned that some of the system names, such as “BigRED” and “TAP(Provisioning)” that appeared on the exposed sample, match real Target platforms for cloud and on-premise app deployment and orchestration.

Additionally, some employees pointed out that parts of the tech stack presented in the leaked sample, such as Hadoop datasets, correspond to the company’s internal systems.

The elements include developed tools on a customized CI/CD platform created on Vela, which Target has cited publicly in the past, and JFrog Artifactory, a supply-chain infrastructure that the company uses.

Also, other referenced project names, employee names, and URLs in the leaked sample were confirmed to be real and associated with the Target internal environment.

Target Implements Immediate Access Changes 

The top American merchandise retailer, Target, has implemented immediate security changes following the reported theft of source code. An employee who wishes to remain anonymous shared a screenshot of the company-wide Slack message, in which a senior product manager presented the security changes.

According to the display, access to Target’s GitHub Enterprise Server, git-target.com, now demands a connection to a Target-operated network, whether on-site or through a VPN. The senior staff noted that the change was effective from January 9, 2026, and conforms with how the firm will be handling access to GitHub.com.

Notably, Target Enterprise Git servers host both public open-source projects and private repositories, which are only accessible to authenticated staff. While GitHub.com hosts open-source code at Target, the company’s git.target.com is solely dedicated to internal development and access requires employee authentication.

The company has implemented access lockdown to its proprietary source code ecosystem, which before now, was accessible from a public internet. This incident underscores the persistent double threat from dark web markets: the direct sale of stolen corporate data, and the supply of weapons-like hacking tools that enable a wider range of actors to launch attacks.