SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers

DevOps breaches hit tech firms in trust chain attacks

Thu, 25th Jun 2026
Mark Tarre, News Chief

GitProtect has published its DevOps Threats Unwrapped Report 2026, which identifies technology and software companies as the sectors most often targeted by cyber attackers.

The findings focus on a series of breaches involving Jaguar Land Rover, Disney, Orange, Red Hat and Nissan, as well as a flaw that exposed private GitHub repositories linked to Microsoft, Google, IBM, PayPal and Tencent.

Incidents across leading DevOps platforms rose by 21%, while total disruption time nearly doubled to 9,255 hours. Vendors also patched 236 vulnerabilities in 2025, with 59% classified as high or critical.

The report argues that the main pattern was not simply weak perimeter defences, but the misuse of trust within software development ecosystems. Development environments, third-party suppliers, long-lived credentials and internal collaboration systems repeatedly served as routes into larger organisations.

Sector focus

Technology and software companies topped the list of targeted industries because they hold source code, intellectual property, and access to customer and partner systems. Telecommunications and automotive companies followed. Retail and consumer businesses also featured because of the volume of customer information they hold and their reliance on interconnected digital systems.

Several cases in the report show attackers moving through suppliers or secondary systems rather than breaking directly into the most visible parts of a business. That pattern increases the impact of a breach because one compromise can spread to customers, contractors or connected brands.

Jaguar Land Rover

In one of the most costly examples, attackers breached Jaguar Land Rover's Atlassian Jira environment using credentials stolen years earlier by infostealer malware. They took 350 GB of data, including internal documents, source code and employee information.

Later in the year, a separate incident disrupted manufacturing operations for more than a month. The report put the resulting financial losses at more than USD $890 million.

The case highlights a problem security teams have struggled with for years: old credentials can remain active long after the original compromise and still provide a path into critical systems.

Third-party risk

Red Hat's consulting division was another example cited in the report. Attackers gained unauthorised access to a self-hosted GitLab environment and reached about 28,000 repositories, including customer engagement reports containing architecture details, configurations and credentials.

The impact did not stop there. Nissan later disclosed that data belonging to 21,000 customers had been exposed through the same Red Hat-managed GitLab environment used to develop its customer platform.

That sequence shows how a supplier breach can quickly become a downstream customer incident. A compromise in a development environment can affect organisations that were not directly attacked.

Back-office route

Orange was cited as an example of attackers exploiting systems businesses may regard as less important. The HellCat ransomware group used a non-critical back-office application and maintained access for more than a month.

During that period, the attackers took 12,000 files, or about 6.5 GB of data, including internal documents, source code, contracts and employee emails. The case suggests that systems outside the main production stack can still provide a useful foothold for intruders.

AI lure

Disney's case points to a different method. An employee downloaded a malicious AI tool that appeared to be legitimate software, and the spyware captured corporate credentials that gave attackers access to the company's internal Slack environment.

The breach led to the theft of 1.1 TB of data, including 44 million messages, source code, salary details and unreleased projects. The report describes AI-themed social engineering as a growing risk because it can bypass technical controls by persuading staff to install or approve malicious tools.

Developer tools

The report also points to broader weaknesses in widely used development software. A caching vulnerability in Microsoft Copilot exposed more than 20,000 private GitHub repositories associated with companies including Microsoft, Google, IBM, PayPal and Tencent.

The exposed material included API tokens, internal packages and proprietary code. The incident underlines how flaws in a popular tool can affect many organisations at once, particularly when those tools sit close to source code and developer workflows.

The report's central conclusion is that software supply chains are now among the most important security battlegrounds for large businesses. Rather than relying only on direct attacks against a single company, attackers are increasingly exploiting trusted tools, partner access and internal identities to reach sensitive systems and data.

Across the incidents reviewed, the common thread was that trusted platforms became attack vectors, development environments became high-value targets, third-party relationships widened the impact of breaches, and long-lived credentials enabled persistent access.