Massive Source Code Leak Exposes Hundreds of Companies – What Went Wrong?
Recent misconfigurations in DevOps tools led to a massive leak of source code from dozens of major tech, finance, and manufacturing firms—including Microsoft, Adobe, Nintendo, and Lenovo—prompting security experts to warn of hard‑coded credentials, legal risks, and the urgent need for robust DevSecOps practices.
According to BleepingComputer, misconfigured infrastructure exposed source code belonging to dozens of companies across the technology, finance, e‑commerce, and manufacturing sectors.
The affected companies include Microsoft, Adobe, Lenovo, AMD, Qualcomm, Motorola, HiSilicon, Nintendo, Disney, Johnson Controls and many others, with the list still growing.
One of the earliest and most publicized exposures involved Nintendo, where leaked repositories contained classic game prototypes such as Super Mario World, a cancelled Zelda 2 remake, Super Mario 64, and The Legend of Zelda: Ocarina of Time.
Swiss developer Tillie Kottmann collected these leaks through various third‑party sources and discovered numerous DevOps tool configuration errors that allowed unauthorized access to the code.
The leaked source code was posted to a public GitLab repository marked “exconfidential” and “Confidential & Proprietary”.
Security researcher Bank Security estimates the repository contains code from over 50 companies; some directories are empty, while others contain hard‑coded credentials that could be used to create backdoors.
Kottmann removed obvious hard‑coded credentials before publishing to minimize damage and stated that he tried to limit the negative impact, though he did not contact every affected company in advance.
Several companies, such as Daimler AG (Mercedes‑Benz’s parent) and Lenovo, have requested removal and had their code taken down; other firms remain unaware or even consider the leak “interesting”.
ImmuniWeb CEO Ilia Kolochenko notes that, from a technical standpoint, the leak is not extremely severe, but it underscores the widespread issue of misconfigured DevOps tools exposing source code.
Kolochenko recommends that enterprises modify and continuously monitor their DevOps processes, transforming them into agile DevSecOps to protect their codebases.
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"
