Hackers claim to be selling Target's internal source code

Poland thwarted power system cyberattack, Hackers accessed the systems of Spanish energy provider Endesa and Energía XXI, Personal finance platform Betterment was hacked through third-party, Dutch national sentenced to seven years for hacking, Korea's Kyowon Group hit with ransomware, much more

Hackers claim to be selling Target's internal source code
git.target.com site before it was taken offline. Source: Bleeping Computer.

Support independent media - upgrade your Metacurity subscription today.

Metacurity is one of the few independent media outlets delivering a daily round-up of the critical infosec developments you should know. For years, we have worked to scan thousands of sources to deliver you summarized and aggregated news to help you keep your organizations secure.

We value all of our readers, but the paid subscribers help us keep plugging away at our mission of ending infosec news overload. Please, please help keep Metacurity alive with a paid subscription. Thank you!

If you can't afford a paid subscription right now, please consider donating whatever you can. Thanks.


Hackers are claiming to be selling internal source code belonging to Target Corporation, after publishing what appears to be a sample of stolen code repositories on a public software development platform. Multiple Target employees have confirmed the authenticity of the leaked source code sample set and shared internal announcements regarding an access change rollout.

Last week, an unknown threat actor created multiple repositories on Gitea that appeared to contain portions of Target's internal code and developer documentation. The repositories were presented as a preview of a much larger dataset allegedly being offered for sale to buyers on an underground forum or private channel.

After BleepingComputer contacted Target with questions about the alleged breach, the files were taken offline, and the retailer's Git server, git.target.com, became inaccessible from the internet.

A threat actor was posting screenshots in a private hacking community to support claims that they had gained access to Target's internal development environment.

The same actor had also published several repositories on Gitea, a self-hosted Git service similar to GitHub or GitLab, as a sample of the data the actor claimed was being offered for sale.

According to a source, hackers claimed that "this is [the first set of] data to go to auction."

Each repository contained a file named SALE.MD listing tens of thousands of files and directories purportedly included in the full dataset. The listing was more than 57,000 lines long and advertised a total archive size of approximately 860 GB.

BleepingComputer shared the Gitea links with Target on Thursday and requested comment on the alleged breach. By Friday and Saturday, all of the repositories had been removed and began returning 404 errors, consistent with a takedown request.

Around the same time, Target's developer Git server at git.target.com also became inaccessible from the internet.

While BleepingComputer has not independently verified the full 860 GB dataset or confirmed that a breach occurred, the directory structure, repository naming, and internal system references in the SALE.MD index are consistent with a large enterprise Git environment. (Ax Sharma / Bleeping Computer)

SALE.MD files listing contents purportedly present in the full dump for sale. Source: BleepingComputer

Milosz Motyka, Poland's energy minister, said that Poland's power system faced its largest cyberattack in years in the last week of December.

The failed attack aimed to disrupt the communication between renewable installations and the power distribution operators, Motyka said, adding that in the past, large power units or transmission networks have been targeted.

"The command of the cyberspace forces has diagnosed in the last days of the year the strongest attack on the energy infrastructure in years," Motyka said. Poland's critical infrastructure has been subject to a growing number of cyberattacks by Russia since the war in Ukraine began in February 2022.

Russia's military intelligence trebled its resources for such action against Poland last year, the country's digital affairs minister said. (Marek Strzelecki / Reuters)

Endesa is the largest electric utility company in Spain, now owned by Enel Group, that distributes gas and electricity to more than 10 million customers in Spain and Portugal. In total, the company says it has about 22 million clients.

The energy company notified the Energía XXI customers affected by the breach and also disclosed the security incident publicly, saying that it detected unauthorized access to its commercial platform.

"Despite the security measures implemented by this company, we have detected evidence of unauthorized and illegitimate access to certain personal data of our customers related to their energy contracts, including yours," the company says.

Last week, threat actors published what they claim to be samples of data stolen from Endesa, allegedly 20 million records. The data is offered for sale to a single exclusive buyer.

Energía XXI says the incident has not impacted its operations or services, so customers may continue to enjoy the same level of services without risk.

The company promised to directly notify affected customers in the coming days if the ongoing investigation uncovers additional details about the incident. (Bill Toulas / Bleeping Computer)

Related: Endesa, Cyber Express, Tech Radar, Sur In English, Canarian Weekly, Security Week, The Local

The person used social engineering to infiltrate third-party software platforms that Betterment uses for marketing and operations.

Betterment said it contacted affected customers and advised them to disregard the message, which was sent on Friday. However, Betterment believes the alleged fraudster was able to access customer information, including names, email addresses, physical addresses, phone numbers, and birth dates. (Emily Mason / Bloomberg)

Related: TechCrunch, The Verge, Betterment, PYMNTS, TechRepublic, Cryptopolitan, Digital Watch Observatory, CityWire, Cyber Insider, CryptoRank

The Amsterdam Court of Appeal sentenced a 44-year-old Dutch national to seven years in prison for multiple crimes, including computer hacking and attempted extortion.

The man was arrested in 2021 and convicted in 2022 by the Amsterdam District Court, but he appealed the sentence because authorities had unlawfully intercepted his communications, deriving incriminating evidence.

These communications occurred on the end-to-end encrypted chat service Sky ECC. Europol 'cracked' the service in 2021, which led to the arrest of the CEO and multiple users—the actions deriving from the operation extended into last year.

While the court relieved the defendant of one drug-related charge concerning the import of 5,000 kg of cocaine, it maintained the original conviction and the other charges. (Bill Toulas / Bleeping Computer)

Related: Amsterdam Court of Appeal, The Record, The Register, Databreaches.net

Kyowon Group, a Korean conglomerate known for its after-school learning programs and home appliance businesses, said it had shut down parts of its internal network after detecting what it believes to be a ransomware attack and is investigating whether any customer data was compromised.

Several websites operated by Kyowon Group affiliates were unavailable as of Monday.

Kyowon Group said it detected abnormal activity in some internal systems at around 8 a.m. Saturday, and immediately took steps to isolate its internal network and block access.

It said it is restoring systems and conducting security checks.

The company reported the suspected breach to the Korea Internet & Security Agency and relevant investigative authorities shortly after identifying the incident. (KIM EUN-BIN / Korea JoongAng Daily)

Related: Chosun Biz, Korea Tech Desk, Tech Observer

Researchers at Trellix report that hackers over the past six months have relied increasingly on the browser-in-the-browser (BitB) method to trick users into providing Facebook account credentials.

The BitB phishing technique was developed by security researcher mr.d0x in 2022. Cybercriminals later adopted it in attacks targeting various online services, including Facebook and Steam.

Trellix researchers monitoring malicious activity say that threat actors steal Facebook accounts to spread scams, harvest personal data, or commit identity fraud. With more than three billion active users, the social network is still a prime target for fraudsters.

In a BitB attack, users who visit attacker-controlled webpages are presented with a fake browser pop-up containing a login form.

The pop-up is implemented using an iframe that imitates the authentication interface of legitimate platforms and can be customized with a window title and URL that make the deception more challenging to detect.

According to Trellix, recent phishing campaigns targeting Facebook users impersonate law firms claiming copyright infringement, threatening imminent account suspension, or Meta security notifications about unauthorized logins.

To avoid detection and to increase the sense of legitimacy, cybercriminals added shortened URLs and fake Meta CAPTCHA pages.

In the final stage of the attack, victims are prompted to log in by entering their Facebook credentials in a fake pop-up window.

In parallel, Trellix discovered a high number of phishing pages hosted on legitimate cloud platforms like Netlify and Vercel, which mimic Meta's Privacy Center portal, redirecting users to pages disguised as appeal forms that collected personal information. (Bill Toulas / Bleeping Computer)

Related: Trellix, GBHackers, Techzine, Cyber Security News, Cyber Press, Help Net Security, Silicon Angle

The malicious iframe mimicking a standard login page. Source: Trellix

Researchers at Darktrace report that cybercriminals are leveraging reports of Venezuelan President Nicolás Maduro’s arrest on January 3, 2025, to distribute backdoor malware through a sophisticated social engineering campaign.

The threat actors likely used spear-phishing emails containing a ZIP archive titled “US now deciding what’s next for Venezuela.zip”.

Inside the archive, victims find an executable file named “Maduro to be taken to New York.exe” alongside a malicious dynamic-link library (DLL) called “kugou.dll”.

The executable is actually a legitimate binary from KuGou, a Chinese streaming platform, that has been weaponized to load the malicious DLL via DLL search-order hijacking.

After the executable runs, a dialog box urges users to restart their computer, and if they don’t comply, the malware forces a system restart.

This campaign follows a well-established pattern of exploiting major world events for malicious purposes.

Similar tactics have been observed in campaigns related to the Ukraine war, with threat actors using prisoner-of-war references in phishing emails.

The Chinese threat group Mustang Panda has repeatedly employed comparable techniques, using lures about Ukraine, Tibet conventions, the South China Sea, and Taiwan to deploy backdoors.

While the tactics, techniques, and procedures show similarities to Mustang Panda operations, researchers emphasize there is insufficient evidence to attribute this campaign to a specific threat group definitively. (Divya / GBHackers)

Related: Darktrace, SC Media

Message box prompting user to restart. Source: Darktrace.

The US Cybersecurity and Infrastructure Security Agency (CISA) ordered government agencies to secure their systems against a high-severity Gogs vulnerability that was exploited in zero-day attacks.

Designed as an alternative to GitLab or GitHub Enterprise and written in Go, Gogs is often exposed online for remote collaboration.

Tracked as CVE-2025-8110, this remote code execution (RCE) security flaw stems from a path traversal weakness in the PutContents API. It allows authenticated attackers to bypass protections implemented for a previously patched RCE bug (CVE-2024-55947) by overwriting files outside the repository via symbolic links.

Attackers can abuse this flaw by creating repos containing symbolic links pointing to sensitive system files, and then writing data through the symlink using the PutContents API, overwriting targets outside the repository.

By overwriting Git configuration files, specifically the sshCommand setting, threat actors can force target systems to execute arbitrary commands.

Wiz Research discovered the vulnerability while investigating a malware infection affecting a customer's Internet-facing Gogs server in July and reported the flaw to Gogs maintainers on July 17. They acknowledged Wiz's report three months later, on October 30, and released patches for CVE-2025-8110 last week that add symlink-aware path validation at all file-write entry points. (Sergiu Gatlan / Bleeping Computer)
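The "symlink-aware path validation" that the patch description refers to can be illustrated with a small Go check. This is an added example written for this round-up, not Gogs' code and not the actual fix; the function names, the temporary fixture layout and the sample paths are all constructed for the demonstration. The idea is that a lexical check on the path (absolute paths, `..`) is not enough: every existing component of the destination is inspected with `Lstat`, and any symlink is resolved and must still land inside the repository root before a write is allowed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRepo is returned when a requested write would land outside the repository.
var ErrOutsideRepo = errors.New("write path escapes repository root")

// SafeWritePath maps a client-supplied, repository-relative path to an on-disk path, refusing
// absolute paths, ".." traversal and any symlink on the way whose resolved target lies outside
// repoRoot. Illustrative hardening written for this article, not Gogs' own code.
func SafeWritePath(repoRoot, relPath string) (string, error) {
	sep := string(filepath.Separator)
	root, err := filepath.Abs(repoRoot)
	if err == nil { // resolve the root itself (e.g. /tmp may be a symlink) so prefix checks compare like with like
		root, err = filepath.EvalSymlinks(root)
	}
	if err != nil {
		return "", err
	}
	if filepath.IsAbs(relPath) {
		return "", ErrOutsideRepo
	}
	// Lexical check: Join cleans the path and Rel exposes any escape as a leading "..".
	target := filepath.Join(root, relPath)
	rel, err := filepath.Rel(root, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+sep) {
		return "", ErrOutsideRepo
	}
	// Filesystem check: Lstat every existing component; a symlink must resolve inside root.
	cur := root
	for _, part := range strings.Split(rel, sep) {
		cur = filepath.Join(cur, part)
		info, err := os.Lstat(cur)
		if errors.Is(err, os.ErrNotExist) {
			break // the rest does not exist yet, so nothing there can redirect the write
		}
		if err != nil {
			return "", err
		}
		if info.Mode()&os.ModeSymlink != 0 {
			resolved, err := filepath.EvalSymlinks(cur)
			if err != nil {
				return "", err
			}
			if resolved != root && !strings.HasPrefix(resolved, root+sep) {
				return "", ErrOutsideRepo
			}
		}
	}
	return target, nil
}

// BuildFixture lays out a throwaway repo under a temp dir (constructed test data): two symlinks that escape it, one that stays inside.
func BuildFixture() (base, repo string, err error) {
	if base, err = os.MkdirTemp("", "symlink-demo-"); err != nil {
		return
	}
	repo = filepath.Join(base, "repo")
	outside := filepath.Join(base, "outside")
	steps := []func() error{
		func() error { return os.MkdirAll(filepath.Join(repo, "docs"), 0o755) },
		func() error { return os.MkdirAll(filepath.Join(outside, ".git"), 0o755) },
		func() error { return os.WriteFile(filepath.Join(outside, ".git", "config"), []byte("[core]\n"), 0o644) },
		func() error { return os.Symlink(outside, filepath.Join(repo, "escape")) },                                         // dir symlink out
		func() error { return os.Symlink(filepath.Join(outside, ".git", "config"), filepath.Join(repo, "docs", "config")) }, // file symlink out
		func() error { return os.Symlink(filepath.Join(repo, "docs"), filepath.Join(repo, "alias")) },                      // stays inside
	}
	for _, s := range steps {
		if err = s(); err != nil {
			return
		}
	}
	return
}

// Verdicts runs sample write paths through SafeWritePath and reports which ones are allowed.
func Verdicts(repo string) map[string]bool {
	out := map[string]bool{}
	for _, p := range []string{"README.md", "docs/new.md", "alias/new.md",
		"escape/.git/config", "docs/config", "../outside/x", "/etc/passwd"} {
		_, err := SafeWritePath(repo, p)
		out[p] = err == nil
	}
	return out
}

func main() {
	if base, repo, err := BuildFixture(); err == nil {
		defer os.RemoveAll(base)
		fmt.Println(Verdicts(repo))
	}
}
```

Note that a check like this is still a check-then-write sequence: a symlink swapped in between the validation and the actual write would not be caught, so a production server should additionally open the final file with flags that refuse to follow symlinks (or perform the write relative to a directory handle), and apply the validation at every write entry point, which is exactly the "all file-write entry points" scope the Gogs patch describes.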

Related: CISA, Security Affairs, The Register, Cyber Press

Best Thing of the Day: Let the Lawsuits Begin!

Malaysia said it will take legal action against Elon Musk’s X for failing to protect users in the Southeast Asian nation, days after it banned the artificial intelligence tool Grok over its generation of sexualized content.

Worst Thing of the Day: How to Destroy a Great Military

Defense Secretary Pete Hegseth said that Elon Musk’s artificial intelligence chatbot Grok will join Google’s generative AI engine in operating inside the Pentagon network, as part of a broader push to feed as much of the military’s data as possible into the developing technology.
