The Most Targeted Industries: What DevOps Teams Can Learn from Recent Incidents
Which industries are attracting the most attention from cybercriminals today?
According to the DevOps Threats Unwrapped Report 2026, Technology and Software organizations remained the most targeted sector. This finding is consistent with our previous research in the 2024 CISO’s Guide to DevOps Threats, showing that attackers continue to focus heavily on organizations that build, manage, and distribute software.
What changed, however, was the composition of the industries that followed close behind.
Telecommunications and automotive companies experienced a significant rise in attacks, overtaking sectors such as fintech and media compared to previous years. Retail and consumer businesses also remained under sustained pressure as attackers increasingly targeted customer data, source code repositories, cloud infrastructure, and operational systems.
The common denominator across all these incidents was not simply vulnerable software. It was trust.
Attackers increasingly abused trusted identities, development platforms, third-party relationships, repositories, and collaboration tools to gain access to sensitive environments.
Technology and Software is a primary target
Organizations operating in the technology and software sector continue to represent attractive targets because they often hold valuable intellectual property, source code, customer data, and privileged access to downstream systems. Several high-profile incidents throughout 2025 illustrate this trend.
A back-office application becomes the entry point
In February 2025, Orange Group confirmed a data breach affecting a non-critical back-office application. The attacker, linked to the HellCat ransomware group, claimed to have maintained access for more than a month before exfiltrating approximately 12K files (totaling ~6.5 GB).
The stolen data reportedly included internal documents, source code, contracts, invoices, customer-related information, and employee email addresses.
The incident demonstrates a growing trend – attackers are increasingly targeting secondary systems that organizations often consider low risk.
Repository access leads to reconnaissance
Another example involved Salesloft’s Drift application. Attackers gained access to the company’s GitHub account and spent several months downloading repository content, modifying workflows, and conducting reconnaissance activities.
Although the intrusion was contained, it highlights how source code repositories remain valuable targets for attackers seeking credentials, infrastructure details, and opportunities for lateral movement.
Third-party development infrastructure under attack
One of the most significant incidents of 2025 involved Red Hat. Attackers gained access to a self-hosted GitLab environment used by the company’s consulting division. According to public reports, the threat actors claimed to have accessed data from approximately 28K repos, including customer engagement reports that potentially contained architecture information, configuration details, and credentials.
The incident reinforces a key lesson: environments perceived as “non-critical” frequently contain highly sensitive information that can be leveraged in broader attacks.
What is the key lesson? These cases reveal a consistent pattern.
Attackers are no longer focusing solely on production systems. They target consulting repositories, development environments, Jira instances, back-office applications, and third-party integrations. Why? Because these systems often provide a lower-friction path into an organization’s broader ecosystem.
What should organizations do?
– apply Zero Trust principles across all environments
– segment development and consulting systems from core infrastructure
– enforce MFA and strong identity controls
– rotate shared credentials immediately after third-party incidents
– treat all repositories and collaboration platforms as potential attack surfaces
The “silver” goes to the Telecommunications and Automotive industries
The telecommunications and automotive sectors experienced a sharp increase in attacks throughout 2025. What’s interesting is that many incidents were connected not only to direct attacks but also to breaches occurring within trusted vendors and partners.
Collateral damage from a third-party breach
Following the Red Hat incident, Nissan disclosed that customer information belonging to approximately 21K customers had been exposed. The affected data originated from a Red Hat-managed GitLab environment used to develop a customer management platform.
Although Nissan found no evidence of misuse, the incident demonstrates how a compromise at one organization can quickly become a supply-chain problem affecting multiple downstream customers.
Old credentials, new consequences
Jaguar Land Rover became another high-profile victim. Attackers reportedly accessed the company’s Atlassian Jira environment using credentials stolen years earlier by infostealer malware. Those credentials remained valid long after the original compromise.
The attackers eventually exfiltrated approximately 350 GB of data, including internal documents, source code, Jira issues, and employee information.
Later in the year, JLR suffered another cyber incident that disrupted manufacturing operations, halted production for more than a month, and contributed to financial losses exceeding $890 million.
Git repositories as high-value targets
Europcar also experienced a significant breach after attackers gained access to its GitLab repositories containing mobile application source code and customer information.
The attackers reportedly obtained Android and iOS source code, SQL backups, environment configuration files, and customer records.
The incident illustrates how repositories frequently contain much more than source code, often exposing credentials, infrastructure configurations, and sensitive business information.
What is the key lesson? The automotive and telecommunications sectors highlight the growing importance of supply-chain resilience.
What should organizations do?
– continuously monitor third-party risk
– regularly rotate credentials and tokens
– eliminate long-lived access
– protect development environments with the same rigor as production systems
– prepare recovery plans for vendor-related incidents
Retail and Consumer Businesses take a “proud” third place
The retail sector remains an attractive target because of its large volumes of customer information and highly interconnected systems.
One token, hundreds of repositories
Researchers discovered that a GitHub access token associated with Home Depot remained exposed for more than a year. The token reportedly provided access to hundreds of repositories connected to inventory management, cloud infrastructure, and order fulfillment systems.
The incident serves as a reminder that exposed credentials continue to represent one of the most common attack vectors in modern DevOps environments.
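A minimal working-tree audit for the two exposures described above (the Europcar repositories holding SQL backups and environment files, and the exposed GitHub token), as an added example that is not from the original article or the report. The file names, the sample token and the `scan_tree`/`demo` helpers are constructed for illustration; the token prefixes are GitHub's published ones.

```python
import fnmatch
import re
import tempfile
from pathlib import Path

# GitHub token prefixes: ghp_ (classic PAT), gho_/ghu_/ghs_/ghr_, github_pat_ (fine-grained).
TOKEN_RE = re.compile(r"\b(?:gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{22,})\b")
# File classes named in the Europcar paragraph: env configuration files and SQL backups.
RISKY_NAMES = (".env", ".env.*", "*.sql", "*.sql.gz", "*.dump")
MAX_BYTES = 1_000_000  # larger files get the name check only

def redact(token):
    """Never write a live secret into a report: keep the prefix and last 4 chars."""
    return token[:4] + "..." + token[-4:]

def scan_tree(root):
    """Return sorted (relative_path, kind, detail) findings for a working tree."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        if ".git" in rel.parts or not path.is_file():
            continue
        if any(fnmatch.fnmatch(path.name, pat) for pat in RISKY_NAMES):
            findings.append((rel.as_posix(), "risky-file", path.name))
        if path.stat().st_size > MAX_BYTES:
            continue
        text = path.read_text(encoding="utf-8", errors="ignore")
        for lineno, line in enumerate(text.splitlines(), 1):
            for match in TOKEN_RE.finditer(line):
                detail = f"line {lineno}: {redact(match.group())}"
                findings.append((rel.as_posix(), "github-token", detail))
    return sorted(findings)

def demo():
    """Scan a constructed checkout (all names and values below are made up)."""
    fake = "ghp_" + "A1b2" * 9  # constructed token-shaped string, not a real token
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "backups").mkdir()
        (root / "app" / "deploy.sh").write_text(f"#!/bin/sh\nexport GH_TOKEN={fake}\n")
        (root / "app" / ".env.production").write_text("DB_HOST=db.example.internal\n")
        (root / "backups" / "customers.sql").write_text("-- constructed dump\n")
        return scan_tree(root)

if __name__ == "__main__":
    for finding in demo():
        print(*finding, sep="\t")
```

The scan covers the checked-out files only; a token removed in a later commit remains in repository history and still has to be revoked.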
The bigger picture
The most targeted industries in 2025 were not necessarily the least secure. They were the industries most dependent on software development, cloud infrastructure, automation, and third-party ecosystems.
Across all sectors, we can see the same pattern:
- trusted platforms became attack vectors.
- development environments became high-value targets.
- third-party relationships amplified risk.
- long-lived credentials enabled persistent access.
- supply-chain dependencies increased the blast radius of incidents.
The lesson for 2026 is clear: organizations must move beyond traditional perimeter-focused security and invest in identity protection, DevOps resilience, supply-chain security, and rapid recovery capabilities. Because in today’s threat landscape, attackers are no longer simply exploiting vulnerabilities. They are exploiting trust.
Read the full DevOps Threats Unwrapped Report 2026 and find out what other lessons we have learned from analyzing the threat landscape.




