A threat actor is claiming to possess hundreds of internal Dynatrace repositories allegedly obtained through a compromised developer personal access token, offering the dataset for sale while asserting it contains extensive infrastructure, deployment, and employee information.
The listing, posted on a cybercrime forum, advertises what the seller describes as a dump of Dynatrace’s internal GitHub organization. According to the post, the archive contains 246 repositories totaling approximately 8.46 GB in compressed form and more than 14 GB uncompressed.
Dynatrace is a publicly traded software company specializing in observability, application performance monitoring, and cloud infrastructure monitoring services used by enterprise organizations worldwide.
Actor claims access originated from developer token
According to the forum post, the repositories were allegedly obtained through a developer personal access token. The threat actor claims the data provides extensive visibility into Dynatrace’s internal infrastructure, deployment workflows, and operational architecture.
The seller explicitly states the material is not being marketed as an initial access opportunity, instead describing it as infrastructure intelligence that could allegedly assist attackers who already have access to company systems or are attempting to gain access.
The listing claims the repositories contain:
- Infrastructure topology information
- CI/CD pipeline configurations
- Kubernetes cluster management tooling
- ArgoCD deployment infrastructure
- Vault architecture and secret management references
- Cloud account configuration data
- Container signing infrastructure
- Terraform modules and Helm configurations
- Internal platform management tools
- Infrastructure automation repositories
- Observability and monitoring components
- Employee GitHub identities and corporate email addresses
The actor further claims the dataset includes more than 1,000 employee records as well as documentation related to infrastructure operations and deployment processes.
Infrastructure intelligence could retain value even after remediation
Unlike many breach claims focused on customer databases, the alleged Dynatrace dataset primarily consists of infrastructure and operational information.
If authentic, such information could give attackers detailed insight into deployment workflows, cloud architecture, administrative systems, and development processes. While credentials and access tokens can typically be revoked, architectural intelligence often remains valuable long after an incident is discovered.
The seller acknowledges that some of the allegedly exposed credentials and tokens may no longer be valid, but argues that the broader infrastructure mapping remains useful regardless of credential status.
The claim follows a growing number of incidents involving internal repositories and development environments, including Grafana’s confirmed GitHub codebase theft following a credential compromise and the alleged theft of Cisco source code linked to the Trivy supply chain attack.
Authenticity remains unverified
The forum post includes screenshots that purportedly show repository contents and employee information. However, BreachNews could not independently verify the authenticity of the alleged dataset, the scope of the claimed access, or whether the repositories originated from Dynatrace’s internal GitHub organization.
The threat actor has not publicly released the full dataset and is instead advertising it for sale.
The post also does not establish whether any customer environments, customer data, or production systems were directly compromised.
Dynatrace has not issued public statement
Dynatrace had not issued any public statement regarding the claim at the time of publication.
BreachNews will update this article if Dynatrace confirms the incident or provides additional information regarding the alleged repository exposure.












