Guest Post: Anatomy of a DevOps Breach: How Global Brands Became Cyber Targets

According to the DevOps Threats Unwrapped Report 2026, technology and software organizations remained the sectors most targeted by cybercriminals. 

Highlighting persistent vulnerabilities in enterprise DevOps environments, the report points to recent breaches at companies like Orange, Red Hat, Jaguar Land Rover, and Nissan – confirming that the software supply chain remains a prime target.

The scale of these attacks is growing rapidly: incidents across top DevOps platforms rose by 21%, while total disruption time nearly doubled to 9,255 hours. Additionally, vendors patched 236 vulnerabilities in 2025 alone, with 59% rated as high or critical threats capable of enabling unauthorized access, privilege escalation, or system compromise.

Technology and Software are Primary Targets

Organizations operating in the technology and software sectors continue to be the primary targets for cybercriminals, largely because they hold valuable intellectual property, source code, and privileged access to downstream networks. Closely following them are the telecommunications and automotive industries, which experienced a sharp increase in malicious activity throughout 2025. Notably, many of these incidents were driven not by direct attacks, but by security breaches occurring within trusted vendors and third-party partners. 

Rounding out the top three most targeted sectors are retail and consumer businesses, which remain highly vulnerable due to the massive volumes of customer data they process and the deeply interconnected nature of their digital ecosystems. 

Key Incidents, Data Exposure & Lessons Learned

Jaguar Land Rover: Old Credentials, New Consequences

Attackers breached Jaguar Land Rover’s Atlassian Jira environment using years-old credentials previously stolen by infostealer malware. The actors exfiltrated 350 GB of data, including internal documents, source code, and employee information. Later in the year, a subsequent incident disrupted manufacturing operations for over a month, leading to financial losses exceeding $890 million.

Stale credentials remain a ticking time bomb, capable of causing delayed but catastrophic operational and financial fallout.

Red Hat: Third-Party Infrastructure Under Attack

Threat actors gained unauthorized access to a self-hosted GitLab environment used by Red Hat’s consulting division. The attackers accessed approximately 28,000 repositories, compromising customer engagement reports that contained architecture information, configurations, and credentials.

Environments perceived as “non-critical” frequently harbor highly sensitive assets that attackers can leverage for broader enterprise intrusion.

Orange: Back-Office Applications as Entry Points

In February 2025, the HellCat ransomware group exploited a non-critical back-office application at Orange Group. Maintaining access for over a month, they exfiltrated 12,000 files (~6.5 GB), including internal documents, source code, contracts, and employee emails.

Attackers are shifting focus toward secondary, less-monitored systems that organizations mistakenly classify as low risk.

Nissan: Collateral Supply-Chain Damage

Following the Red Hat incident, Nissan disclosed that data belonging to 21,000 customers had been exposed. The leak originated entirely from the compromised Red Hat-managed GitLab environment used to develop Nissan’s customer platform.

Security is only as strong as the weakest link; a breach at a trusted vendor instantly transforms into a supply-chain crisis for downstream customers.

Disney: AI-Themed Social Engineering

An employee inadvertently downloaded a malicious AI tool disguised as legitimate software. The embedded spyware captured corporate credentials, granting attackers access to Disney’s internal Slack. This resulted in the theft of 1.1 TB of data, including 44 million messages, source code, salaries, and unreleased projects.

The rise of AI-themed social engineering means a single compromised credential can lead to the wholesale exposure of internal communication and critical IP.

Microsoft, Google, IBM, PayPal, Tencent: Systemic Developer Tool Risks

A caching vulnerability in Microsoft Copilot led to the exposure of over 20,000 private GitHub repositories belonging to global tech giants like Microsoft, Google, IBM, PayPal, and Tencent. The flaw leaked sensitive assets, including API tokens, internal packages, and proprietary code.

AI-driven development workflows embed severe supply-chain risks, proving that a single anomaly in a widely adopted tool can instantly compromise thousands of organizations.

Key Takeaways: What the Data Shows

The most targeted industries in 2025 were not necessarily the least secure. They were the industries most dependent on software development, cloud infrastructure, automation, and third-party ecosystems.

Across all sectors, we can see the same pattern:

  • trusted platforms became attack vectors.
  • development environments became high-value targets.
  • third-party relationships amplified risk.
  • long-lived credentials enabled persistent access.
  • supply-chain dependencies increased the blast radius of incidents.

The lesson for 2026 is clear: organizations must move beyond traditional perimeter-focused security and invest in identity protection, DevOps resilience, supply-chain security, and rapid recovery capabilities. In today’s threat landscape, attackers are no longer simply exploiting vulnerabilities. They are exploiting trust.

To download the full report, visit GitProtect.io.

About GitProtect.io

GitProtect.io by Xopero Software is an automated and manageable backup and recovery solution for Jira, Bitbucket, GitHub, GitLab, Azure DevOps, and other DevOps stack data. It ensures data accessibility and a seamless workflow for Jira Admins, DevOps, and Security Teams. Trusted by Security Teams, it helps them meet the Cloud Shared Responsibility Model, comply with security standards, and gain audit-ready governance, advanced reporting, and best-in-class security controls. The company’s solutions are used in over 60 countries by more than 2,000 organizations, including Fortune 500 companies.
