Welcome to the DevOps multiverse. Here, code is currency, while platforms like GitHub, Jira, and Confluence power critical infrastructure. Here, even the smallest misstep can trigger a chain reaction measured in gigabytes of leaked data, thousands of compromised credentials, and millions of dollars in financial losses, not to mention reputational damage.

These risks aren’t theoretical. Breaches at household-name enterprises expose a harsh truth: DevOps pipelines have become the new battleground for cyberattacks. What connects Mercedes-Benz, Apple, Cisco, and The New York Times? All became victims of DevOps security failures, proving that even tech giants aren’t immune when code meets cybersecurity complacency.

Key insights:

Continue reading for a detailed analysis of these breaches, or check the complete CISO’s Guide to DevOps Threats.

Global Cybersecurity Landscape at a Glance

Globally, cyber attacks occur with alarming frequency – roughly one every 39 seconds – amounting to over 2,000 incidents each day. This relentless pace fuels a massive economic toll: cybercrime is projected to cost the global economy $10.5 trillion annually by 2025, climbing to $15.63 trillion by 2029, according to Cybersecurity Ventures. The United States alone accounts for 59% of ransomware attacks, and 70% of data breaches cause significant operational disruptions. The ripple effect doesn’t stop at the breached company — it also hits business partners, clients, and entire supply chains, amplifying the overall impact of the attack.

The notion of complete immunity has always been a myth. Even the biggest organizations remain vulnerable.

Mercedes: 270GB of proprietary code exposed via leaked GitHub token

Due to a mishandled GitHub token, Mercedes-Benz’s source code was exposed to the public. A Mercedes-Benz employee leaked a GitHub token in their repository, granting unrestricted access to all source code on the company’s GitHub Enterprise server. During the exposure, attackers could have accessed critical information, including API keys, design documents, database credentials, and other sensitive data, which could have potentially caused financial, legal, and reputational damage. 

New York Times: 270GB internal data leaked, including Wordle source code

270GB of internal data belonging to The New York Times was exposed, including alleged source code for Wordle, internal communications, and sensitive authentication credentials linked to over 5,000 GitHub repositories. The New York Times confirmed that the incident involved the inadvertent exposure of credentials to a third-party code platform. However, the organization stated that no unauthorized access to its internal systems had been detected and that operations remained unaffected.

Apple: Internal Jira & Confluence tools leaked

In June 2024, a threat actor known as IntelBroker claimed responsibility for a breach of Apple’s internal authentication infrastructure. The leaked data included proprietary plugins and configurations used to integrate AppleConnect-SSO with Jira and Confluence, posing significant supply chain risks. According to cybersecurity firm AHCTS, the breach did not affect end-user services.

Disney: 2.5GB of corporate secrets stolen by Club Penguin fans

Club Penguin fans exploited Disney’s Confluence server to access old internal game data but inadvertently stole 2.5 GB of sensitive corporate information, including developer tools, internal infrastructure, advertising plans, and business documentation. The breach occurred using previously exposed credentials and included internal API endpoints, S3 bucket credentials, and links to developer resources, potentially increasing Disney’s exposure to further attacks.

Schneider Electric: 400K rows of user data stolen, $125K ransom demanded

Schneider Electric confirmed a breach involving its internal project tracking platform, hosted in an isolated environment. The threat actor, known as “Grep,” claims to have accessed the company’s Jira server using exposed credentials and stolen 40GB of data, including 400K rows of user information, 75K unique email addresses, and other critical project data. The stolen information reportedly includes details about projects, issues, and plugins, and the attackers have demanded $125,000 to prevent a data leak.

Cisco: GitHub breach leaked source code, AWS keys, and Jira tickets

Cisco confirmed that some files were stolen after hacker IntelBroker claimed access to source code, credentials, and other sensitive data via GitHub and a SonarQube project. While no internal systems were breached, the attacker exploited a public-facing DevHub used for customer resources. Cisco reported that only a limited number of files were exposed, with no sensitive personal or financial data found. 

WordPress: 390K+ credentials stolen via fake GitHub repo

A malicious GitHub repository enabled the exfiltration of 390K+ credentials, primarily targeting WordPress accounts, through a fake tool called “Yet Another WordPress Poster”. The repository, associated with a threat actor dubbed MUT-1244, also deployed malware via a rogue npm dependency and phishing emails. Victims included pentesters, security researchers, and malicious actors who inadvertently exposed sensitive data such as SSH private keys and AWS credentials. MUT-1244’s tactics included creating trojanized GitHub repositories hosting fake PoC exploit code and employing phishing emails to deliver payloads like cryptocurrency miners and data theft tools.

Fake WinRAR site distributed malware via GitHub

Security researchers at SonicWall uncovered a fake WinRAR website (winrar[.]co) hosting a malicious shell script designed to download further malware from a GitHub repo named “encrypthub.” The repository contained ransomware, crypto mining software, information stealers, and injection tools, with harvested system data sent to a Telegram account — illustrating the danger of typosquatting and weaponized open-source infrastructure.

Python: Leaked GitHub token threatened core PyPI repositories

Researchers at JFrog identified a leaked GitHub token embedded in a public Docker container, granting access to sensitive PyPI repositories. The token, belonging to PyPI admin Ee Durbin, was exposed due to misconfigured GitHub API usage. Although the token was quickly revoked, it posed a critical supply chain risk. Separately, Checkmarx reported malicious PyPI packages exfiltrating data via Telegram bots.
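
The Mercedes-Benz, New York Times and PyPI incidents above share one root cause: a credential committed to a repository or baked into a container image. The following added example (not code from the post or from any organization it mentions) shows the kind of pre-commit or CI check that catches this class of mistake. It pattern-matches the publicly documented prefixes of GitHub personal access tokens and AWS access key IDs over a set of files and reports each hit with the secret redacted; the sample files and tokens are constructed for the demonstration and are not real credentials.

```python
"""Minimal secret scanner for GitHub and AWS credential patterns.

Added illustrative example; not from the post above. Pattern prefixes are the
publicly documented ones (ghp_, github_pat_, AKIA/ASIA). A production scanner
would also verify a candidate token against the provider's API before alerting.
"""
import re
from typing import Dict, List, Tuple

# Length guards keep ordinary identifiers (e.g. the literal word "ghp_")
# from matching; they are approximate, not a checksum validation.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "github_classic_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "github_fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{22,}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
}

Hit = Tuple[str, int, str, str]  # (path, line_no, kind, redacted_match)


def redact(secret: str) -> str:
    """Keep only a short prefix so the alert itself does not leak the secret."""
    return secret[:8] + "..." + "*" * 4


def scan_text(path: str, text: str) -> List[Hit]:
    """Scan one file's contents line by line and return every match."""
    hits: List[Hit] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                hits.append((path, line_no, kind, redact(match.group(0))))
    return hits


def scan_files(files: Dict[str, str]) -> List[Hit]:
    """Scan a mapping of path -> contents (e.g. files extracted from an image layer)."""
    results: List[Hit] = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


# Constructed sample repository contents. The tokens are made up and only
# follow the documented shape; they are not valid credentials.
SAMPLE_FILES: Dict[str, str] = {
    "Dockerfile": "FROM python:3.12\nENV GITHUB_TOKEN=ghp_" + "a" * 36 + "\n",
    "config/settings.py": "AWS_ACCESS_KEY_ID = 'AKIA" + "Z" * 16 + "'\nDEBUG = False\n",
    "README.md": "Classic tokens start with the ghp_ prefix.\n",  # must not match
}


if __name__ == "__main__":
    for path, line_no, kind, shown in scan_files(SAMPLE_FILES):
        print(f"{path}:{line_no}: {kind} -> {shown}")
```

Run as a pre-commit hook or CI step over the staged files, fail the build on any hit, and rotate the credential immediately rather than just deleting the commit: once a token has been pushed to a public repository or image registry it must be treated as compromised.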

The untold impact of DevOps data leaks

While DevOps breaches at companies such as Mercedes-Benz, Apple, The New York Times, and Cisco often make headlines, the true cost of these incidents is rarely disclosed. 

At first glance, the impact may appear limited to brief negative press or a dent in reputation. But beneath the surface, the real price tag can be far more significant, including:

  • costly data recovery and environment restoration,
  • loss of competitive edge due to exposed code or strategic plans,
  • disruptions to business continuity,
  • potential regulatory penalties.

The bottom line? Most organizations downplay the full scope of these incidents in public statements. Yet the sheer scale of the leaks—hundreds of gigabytes of data, millions of records, and sensitive internal repositories—reveals a much deeper, and likely more damaging, reality.

To dive deeper into these incidents and uncover emerging trends in cyberattacks targeting DevOps environments—including threats like Lumma Stealer, NJRat, fake GitHub repositories, and GitLab exploits—read the full CISO’s Guide to DevOps Threats.
