This baby-faced teen is a key suspect in developing the software that was used in the massive security breach that hit as many as 110 million Target shoppers last holiday season, according to a shocking new report.

In addition, the malicious software, or malware, has infected the payment systems of six other retailers — a possible sign that a half-dozen other attacks are underway, a California cyber-security firm said in the report.

The firm, IntelCrawler, which has tracked the malware’s architect for months, said on Friday that its main suspect is a 17-year-old with “roots” in St.Petersburg, Russia, who goes by the online nickname “ree4.”

IntelCrawler CEO Andrew Komarov didn’t accuse the young man of the Target heist but said he believes he developed the software used to skim credit card numbers and other personal data from millions of Target shoppers.

The malware, known as BlackPOS, has been downloaded at least 60 times since it was created, Komarov said.

IntelCrawler has alerted US authorities and Visa of the fresh attack targets, Komarov said.

The CEO said he started investigating the malware case last March at the request of banking clients.

He pretended to be a “bad actor” seeking to acquire BlackPOS, which was originally called Kaptoxa, Russian slang for potato.

The architect was selling the malware for $2,000 a pop, but offered discounts to buyers who agreed to split the profits they reaped from the product, Komarov said.

After Target revealed that its massive security breach was due to BlackPOS, Komarov went back to track down the architect’s ID.