CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Target's internal source code allegedly stolen and offered for sale

First reported
Last updated
1 unique sources, 3 articles

Summary

Hide ▲

Hackers claim to have stolen and are selling internal source code from Target Corporation. They published sample repositories on Gitea and advertised a larger dataset for sale on an underground forum. Target's developer Git server, git.target.com, became inaccessible after the claims were made public. Multiple current and former Target employees have confirmed the authenticity of the leaked source code and documentation. Internal communications announced an 'accelerated' security change restricting access to Target's Enterprise Git server. The leaked data includes references to real internal systems and proprietary project codenames, raising concerns about the scope and sensitivity of the stolen data. Security researcher Alon Gal identified a Target employee workstation compromised by infostealer malware in late September 2025 with extensive access to internal services, potentially linked to the data leak.

Timeline

  1. 13.01.2026 15:08 2 articles · 23h ago

    Target employees confirm authenticity of leaked source code

    Multiple current and former Target employees confirmed the authenticity of the leaked source code and documentation. The leaked data includes references to real internal systems and proprietary project codenames, raising concerns about the scope and sensitivity of the stolen data. The presence of proprietary project codenames and taxonomy identifiers, such as those known internally as 'blossom IDs,' in the leaked dataset further supports the authenticity of the material.

    Show sources
    Open in new tab
  2. 13.01.2026 15:08 1 articles · 23h ago

    Target employee workstation compromised by infostealer malware

    Security researcher Alon Gal identified a Target employee workstation compromised by infostealer malware in late September 2025 with extensive access to internal services, potentially linked to the data leak. The workstation had access to IAM, Confluence, wiki, and Jira, which is unusual among infected Target employees.

    Show sources
    Open in new tab
  3. 12.01.2026 19:52 3 articles · 1d ago

    Target's developer Git server taken offline after hackers claim to steal source code

    After BleepingComputer contacted Target with questions about the alleged breach, the files were taken offline and the retailer's Git server, git.target.com, became inaccessible from the internet. The sample repositories on Gitea were removed and began returning 404 errors, consistent with a takedown request. Internal communications announced an 'accelerated' security change restricting access to Target's Enterprise Git server, rolled out a day after BleepingComputer first contacted the company about the alleged leak.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

TigerJack Campaign Targets Developers with Malicious VSCode Extensions

The TigerJack campaign continues to target developers with malicious Visual Studio Code (VSCode) extensions, which have now been found to leak access tokens posing a critical software supply chain risk. The campaign has distributed at least 11 malicious VSCode extensions since the beginning of the year, with two extensions, C++ Playground and HTTP Format, removed from VSCode but remaining on OpenVSX. These extensions steal cryptocurrency, plant backdoors, and exfiltrate source code. The threat actor republishes the same malicious code under new names, making detection and removal challenging. Developers are advised to be cautious when downloading extensions from these platforms. Over 100 VSCode extensions were found to leak access tokens, allowing attackers to distribute malicious updates. The leaked tokens include AI provider secrets, cloud service provider secrets, and database secrets. Microsoft has revoked the leaked PATs and is adding secret scanning capabilities to enhance security. Organizations are recommended to develop an extension inventory and consider a centralized allowlist for extensions. A new malicious extension named susvsex with basic ransomware capabilities was published on Microsoft's official VS Code marketplace. The extension was published by 'suspublisher18' and its malicious functionality was openly advertised in its description. The extension's malicious functionality includes file theft to a remote server and encryption of all files with AES-256-CBC. The extension activates on any event, including on installation or when launching VS Code, initializing the 'extension.js' file that contains its hardcoded variables (IP, encryption keys, command-and-control address). The extension calls a function named zipUploadAndEncrypt which checks the presence of a marker text file, and starts the encryption routine. The extension creates a .ZIP archive of the files in the defined target directory and exfiltrates them to the hardcoded C2 address. All the files are then replaced with their encrypted versions. The extension polls a private GitHub repository for commands, periodically checking an 'index.html' file that uses a PAT token for authentication, and tries to execute any commands there. The owner of the repository is likely based in Azerbaijan. The extension is an overt threat and may be the result of an experiment to test Microsoft's vetting process. Secure Annex labels susvsex an 'AI slop' with its malicious actions exposed in the README file, but notes that a few tweaks would make it far more dangerous. Microsoft ignored the report about the extension and did not remove it from the VS Code registry initially, but it was no longer available by the time the article was published. Two new malicious extensions, Bitcoin Black and Codo AI, were found on Microsoft's Visual Studio Code Marketplace. Bitcoin Black masquerades as a color theme and Codo AI as an AI assistant, both published under the developer name 'BigBlack'. Bitcoin Black features a '*' activation event that executes on every VSCode action and can run PowerShell code. Bitcoin Black uses a batch script to download a DLL file and an executable, with the activity occurring with the window hidden. Codo AI includes code assistance functionality via ChatGPT or DeepSeek but also has a malicious section. Both extensions deliver a legitimate executable of the Lightshot screenshot tool and a malicious DLL file that deploys the infostealer under the name runtime.exe. The malware creates a directory in '%APPDATA%\Local\' and stores stolen data including screenshots, WiFi credentials, system information, and cryptocurrency wallets. The malware steals cookies and hijacks user sessions by launching Chrome and Edge browsers in headless mode. The malware steals cryptocurrency wallets like Phantom, Metamask, Exodus, and looks for passwords and credentials. The malicious DLL is flagged as a threat by 29 out of the 72 antivirus engines on Virus Total. Microsoft has removed the extensions BigBlack.bitcoin-black, BigBlack.codo-ai, and BigBlack.mrbigblacktheme from the Marketplace. The extensions activate on every VS Code action and embed malicious functionality within a working tool to bypass detection. Earlier versions of the extensions executed a PowerShell script to download a password-protected ZIP archive from an external server. Subsequent versions of the extensions used a batch script to download the executable and DLL, hiding the PowerShell window. The legitimate Lightshot binary is used to load the rogue DLL via DLL hijacking. The rogue DLL gathers clipboard contents, installed apps, running processes, desktop screenshots, Wi-Fi credentials, and detailed system information. The malware launches Google Chrome and Microsoft Edge in headless mode to grab stored cookies and hijack user sessions. A campaign involving 19 Visual Studio (VS) Code extensions that embed malware inside their dependency folders has been uncovered by cybersecurity researchers. Active since February 2025 but identified on December 2, the operation used a legitimate npm package to disguise harmful files and bundled malicious binaries inside an archive masquerading as a PNG image. This approach, observed by ReversingLabs (RL), enabled attackers to bypass conventional checks and target developers directly. Some extensions imitate popular tools, while others advertise new features but secretly execute unwanted code. In this new campaign, attackers embedded a modified version of the npm package path-is-absolute inside the extensions’ node_modules folders. The original package is widely used, with more than 9 billion downloads since 2021, but the altered version included a class designed to trigger malware when VS Code starts. The attackers also included a file named banner.png, which appeared harmless but opened as an archive containing two binaries. The dropper launched these files via cmstp.exe, a common living-off-the-land binary (LOLBIN). One executable closed the process by simulating a keypress, while the other was a Rust-based Trojan still being analyzed at the time of this report. Although the techniques differed, the goal remained the same: covertly execute malware through trusted components. Detecting malicious VS Code extensions has become increasingly urgent, ReversingLabs warned. The firm said detections grew from 27 in 2024 to 105 in the first 10 months of 2025. To reduce risk, teams are encouraged to inspect extensions before installation, audit all bundled dependencies, and use security tools capable of evaluating package behavior. All the mentioned extensions have been reported to Microsoft.

Open in new tab

Crimson Collective targets multiple organizations including Red Hat and Brightspeed for data theft and extortion

The Crimson Collective has been targeting various organizations, including Red Hat and Brightspeed, for data theft and extortion. The group claims to have breached Red Hat's private GitLab repositories, stealing nearly 570GB of data across 28,000 internal projects, including 800 Customer Engagement Reports (CERs) containing sensitive information about customer networks and platforms. The breach occurred approximately two weeks prior to the announcement. The hackers claim to have accessed downstream customer infrastructure using authentication tokens and other private information found in the stolen data. The affected organizations span various sectors, including finance, healthcare, government, and telecommunications. Red Hat has initiated remediation steps and stated that the security issue does not impact its other services or products. The hackers published a complete directory listing of the allegedly stolen GitLab repositories and a list of CERs from 2020 through 2025 on Telegram. The Centre for Cybersecurity Belgium (CCB) has issued an advisory stating there is a high risk to Belgian organizations that use Red Hat Consulting services. The CCB also warns of potential supply chain impact if service providers or IT partners worked with Red Hat Consulting. The CCB advises organizations to rotate all tokens, keys, and credentials shared with Red Hat or used in any Red Hat integrations, and to contact third-party IT providers to assess potential exposure. The ShinyHunters gang has now joined the extortion attempts against Red Hat, partnering with the Crimson Collective. ShinyHunters has released samples of stolen CERs on their data leak site and has set an October 10th deadline for Red Hat to negotiate a ransom demand to prevent the public leak of stolen data. The breach is part of a series of supply chain threats involving compromised code repositories. In May 2024, threat actors exploited a critical vulnerability (CVE-2023-7028) to take over GitLab accounts. GitLab disclosed and patched two similar vulnerabilities (CVE-2024-5655 and CVE-2024-6385) that jeopardized customers' CI/CD pipelines. Nissan Motor Co. Ltd. has confirmed that information of approximately 21,000 customers has been compromised due to the Red Hat breach. The leaked data includes full names, physical addresses, phone numbers, email addresses, and customer data used in sales operations. Financial information such as credit card details was not exposed in the breach. Nissan noted that the compromised Red Hat environment does not store any other data beyond what was confirmed as impacted. Nissan has no evidence that the leaked information has been misused. This is the second cybersecurity incident for Nissan Japan this year, following a Qilin ransomware attack in late August that hit its design subsidiary Creative Box Inc. (CBI). The Crimson Collective has also claimed responsibility for a breach at Brightspeed, an ISP operating across 20 US states. The group claims to have obtained PII on over one million customers and disrupted their connectivity. The PII includes account master records, address coordinates, payment history, payment methods, and appointment/order records. The group posted samples of the data on Telegram and claimed to have disconnected users' home internet. Jacob Krell from Suzu Labs commented on the broader implications of such breaches, noting their societal and national security impact.

Open in new tab

GitHub notifications exploited to impersonate Y Combinator in crypto theft campaign

A phishing campaign impersonated Y Combinator to target GitHub users with cryptocurrency drainers. The attackers exploited GitHub's notification system to send fraudulent invitations to the YC W2026 program. The campaign aimed to steal cryptocurrency by prompting users to verify their wallets on a fake site. The attackers created issues across multiple repositories and tagged targeted users, leveraging GitHub's automatic notifications. The fake invitations promised $15 million in funding, directing users to a misspelled domain that mimicked the legitimate YC site. The fraudulent site ran obfuscated JavaScript to authorize malicious transactions, draining users' crypto assets. The campaign was reported to GitHub, IC3, and Google Safe Browsing, leading to the removal of the fraudulent repositories.

Open in new tab

GhostAction GitHub supply chain attack steals 3,325 secrets

The GhostAction supply chain attack compromised 3,325 secrets from GitHub repositories. The attack, discovered by GitGuardian on September 2, 2025, involved malicious commits to GitHub Actions workflows that exfiltrated secrets to an external domain. The first signs of compromise were detected in the FastUUID project. The attack affected at least 817 repositories and targeted multiple package ecosystems, including PyPI, npm, DockerHub, and AWS keys. The exfiltration endpoint was taken down shortly after the campaign's discovery. The compromised secrets included PyPI tokens, npm tokens, DockerHub tokens, GitHub tokens, Cloudflare API tokens, AWS access keys, and database credentials. The attack impacted at least nine npm and 15 PyPI packages, potentially allowing for the release of malicious or trojanized versions. The Python Software Foundation invalidated all PyPI tokens stolen in the attack, confirming that the threat actors did not abuse them to publish malware. GitGuardian notified the security teams of GitHub, npm, and PyPI and opened issues in 573 impacted repositories. A hundred repositories had already detected and reverted the malicious changes before the full scope of the campaign was uncovered. GitGuardian notified PyPI on September 5, 2025, but the email ended up in the spam folder, delaying the response until September 10, 2025. PyPI advised maintainers to replace long-lived tokens with short-lived Trusted Publishers tokens and review their security history for any suspicious activity.

Open in new tab

Supply Chain Attack on Drift via OAuth Token Theft

A supply chain attack targeted the Drift chatbot, a marketing software-as-a-service product, resulting in the mass theft of OAuth tokens from multiple companies. Salesloft, the parent company, took Drift offline on September 5, 2025, to review and enhance security. Affected companies include Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, Proofpoint, SpyCloud, Tanium, Tenable, and Zscaler. The threat actor, tracked as UNC6395 and GRUB1, exploited OAuth tokens to access Salesforce data. The attack underscores the risks associated with third-party integrations and the importance of robust security measures in enterprise defenses.

Open in new tab