Industry Category

Pharmaceuticals

Breach intelligence, attack campaigns, and threat reports targeting the Pharmaceuticals sector.

28 threat reports
Page 1 of 3

Pharmaceuticals Threat Reports

Showing 1-12 / 28 reports

Novo Nordisk 2026 Breach: A Wake-Up Call for Software Development Security
Impact: HIGH

In March 2026, Novo Nordisk, a leading pharmaceutical company, experienced a significant security breach initiated through an exposed GitHub personal access token found in client-side JavaScript on a subdomain. The threat group FulcrumSec exploited this token to clone private repositories, harvest additional credentials, and infiltrate deeper into the company's network. Over a span of more than two months, the attackers exfiltrated approximately 1.3TB of sensitive data, including source code, proprietary drug information, clinical trial data, internal AI models, and personal information of healthcare professionals and clinical trial participants. The breach was publicly disclosed on June 11, 2026, after unauthorized access to internal IT systems was detected. This incident highlights the critical vulnerabilities in software development pipelines, particularly concerning secrets management and the security of code repositories. The reliance on hardcoded credentials and improperly scoped access keys within development environments presents a substantial risk. Organizations are urged to treat development platforms as production systems, enforce stringent secrets management practices, and implement robust monitoring to prevent similar breaches.

6 days ago

Kill Chain

Initial Compromise (high)
Privilege Escalation (medium)
Lateral Movement (medium)
Command & Control (low)
Exfiltration (high)
Impact (high)

Critical Vulnerabilities in Apollo Pharmacy's Blood Glucose Monitoring System APG-01 BT
Impact: MEDIUM

In June 2026, vulnerabilities were identified in the Apollo Pharmacy Blood Glucose Monitoring System APG-01 BT, specifically affecting version 0x0110_v1.1.0. These vulnerabilities, CVE-2026-50034 and CVE-2026-52866, allow attackers within Bluetooth Low Energy (BLE) range to intercept sensitive health data and disrupt device connectivity. The first vulnerability enables unauthorized access to glucose measurement values, while the second allows an attacker to monopolize the device's BLE connection, preventing legitimate use. These issues highlight the critical need for robust security measures in medical devices, especially those utilizing wireless communication protocols. As healthcare increasingly relies on connected devices, ensuring the confidentiality and availability of patient data is paramount to maintaining trust and compliance with regulatory standards.

6 days ago

Kill Chain

Initial Compromise (high)
Privilege Escalation (high)
Lateral Movement (medium)
Command & Control (medium)
Exfiltration (high)
Impact (high)

iRhythm Data Breach 2026: A Wake-Up Call for Healthcare Cybersecurity
Impact: HIGH

In June 2026, iRhythm Holdings, a digital healthcare company specializing in cardiac monitoring, experienced a significant data breach. On June 8, unauthorized activity was detected in third-party-hosted business applications, leading to the exfiltration of sensitive information, including proprietary data and patient protected health information (PHI). The attackers, employing social engineering tactics, contacted iRhythm on June 9, demanding a ransom to prevent public disclosure of the stolen data. The company promptly activated its cybersecurity response plan, engaged external experts, and confirmed the breach's materiality due to the volume of affected data. Importantly, iRhythm reported no impact on its products, clinical or medical device systems, patient safety, manufacturing and distribution operations, or financial reporting systems. ([streetinsider.com](https://www.streetinsider.com/Reuters/iRhythm%2Bdiscloses%2Bcyber%2Bincident%2C%2Bsays%2Bno%2Bimpact%2Bon%2Bdevice%2Bsystems%2C%2Bpatient%2Bsafety/26648941.html?utm_source=openai)) This incident underscores the escalating threat landscape targeting healthcare organizations, particularly through social engineering and ransomware attacks. The breach highlights the critical need for robust cybersecurity measures, comprehensive employee training to recognize and prevent social engineering attempts, and stringent data protection protocols to safeguard sensitive patient information.

1 week ago

Kill Chain

Initial Compromise (high)
Privilege Escalation (medium)
Lateral Movement (medium)
Command & Control (medium)
Exfiltration (high)
Impact (high)

UNC6508's Prolonged Infiltration of REDCap Servers Exposes Medical Research Vulnerabilities
Impact: MEDIUM

Between September 2023 and November 2025, the Chinese state-sponsored group UNC6508 infiltrated vulnerable REDCap servers at a North American medical research institution. They deployed custom malware named Infinitered, which harvested credentials and established a backdoor, enabling prolonged data exfiltration. The attackers exploited REDCap's widespread use in medical research to access sensitive information undetected for over a year. This incident underscores the persistent threat posed by nation-state actors targeting critical research sectors. The sophisticated methods employed, including the abuse of legitimate features for data exfiltration, highlight the evolving tactics in cyberespionage campaigns.

1 week ago

Kill Chain

Initial Compromise (medium)
Privilege Escalation (medium)
Lateral Movement (medium)
Command & Control (high)
Exfiltration (high)
Impact (medium)

Novo Nordisk's 2026 Data Breach: A Wake-Up Call for Pharma Cybersecurity
Impact: MEDIUM

In June 2026, Danish pharmaceutical company Novo Nordisk experienced a cybersecurity incident resulting in unauthorized access to certain internal IT systems. The breach led to the external copying of non-public data, including pseudonymized patient information from some clinical trials. This data encompassed patient IDs, trial participation details, sex, year of birth, biomarkers, health data, and lifestyle factors. Importantly, the data did not include direct identifiers such as patient names, mitigating the risk of immediate patient identification. The company promptly launched an investigation with external cybersecurity experts and notified relevant authorities. While certain internal systems were temporarily taken offline, Novo Nordisk confirmed that core business operations remained unaffected. This incident underscores the persistent threat of cyberattacks targeting sensitive health data within the pharmaceutical industry. Organizations handling such data must continually enhance their cybersecurity measures to protect against unauthorized access and data breaches. The event also highlights the importance of rapid response and transparent communication in maintaining trust and compliance in the face of security incidents.

1 week ago

Kill Chain

Initial Compromise (medium)
Privilege Escalation (medium)
Lateral Movement (medium)
Command & Control (low)
Exfiltration (high)
Impact (high)

Dark Web Vendor Sentenced to Over 26 Years for Drug Trafficking
Impact: LOW

In June 2026, Darren Hughes, a 39-year-old from San Jose, California, was sentenced to over 26 years in federal prison for trafficking fentanyl and methamphetamine via the dark web platform Nemesis Market. Hughes operated a vendor store on Nemesis Market, offering free samples of methamphetamine to attract clients. Between 2023 and 2024, he sold methamphetamine and fentanyl pills to undercover law enforcement agents on five occasions, accepting cryptocurrency as payment. His arrest in June 2024 led to the seizure of approximately 672 grams of methamphetamine and a loaded 9mm 'ghost gun' without a serial number. This case underscores the persistent threat posed by dark web marketplaces in facilitating the global distribution of illegal narcotics. Despite the takedown of Nemesis Market in March 2024, similar platforms continue to emerge, highlighting the ongoing challenges law enforcement faces in combating online drug trafficking.

2 weeks ago

Kill Chain

Initial Compromise (high)
Privilege Escalation (high)
Lateral Movement (high)
Command & Control (high)
Exfiltration (high)
Impact (high)

Navigating the New Era of AI-Driven Cybersecurity Threats
Impact: MEDIUM

In early 2026, Moderna's development environment experienced a significant disruption when XBOW's autonomous offensive security platform identified and exploited a vulnerability, leading to a complete system takedown. This incident underscored the rapid advancements in AI-driven vulnerability discovery, where models like Claude Mythos have demonstrated the capability to autonomously uncover and exploit critical vulnerabilities across various systems. The accelerated pace of AI in identifying security flaws has outstripped traditional remediation processes, posing challenges for organizations in maintaining secure infrastructures. As AI continues to evolve, the cybersecurity landscape faces a pressing need to adapt, emphasizing the importance of integrating AI-driven tools for both offensive and defensive strategies to effectively manage and mitigate emerging threats.

3 weeks ago

Kill Chain

Initial Compromise (high)
Privilege Escalation (high)
Lateral Movement (high)
Command & Control (high)
Exfiltration (high)
Impact (high)

Critical Vulnerability in Siemens gWAP: CVE-2026-40175
Impact: MEDIUM

In May 2026, Siemens disclosed a critical vulnerability (CVE-2026-40175) in its gPROMS Web Applications Publisher (gWAP), stemming from the integration of a vulnerable version of the Axios HTTP client library. This flaw allows attackers to exploit prototype pollution in third-party dependencies, potentially leading to remote code execution or full cloud environment compromise. Siemens has released version 3.1.1 to address this issue and strongly recommends users update immediately. This incident underscores the risks associated with third-party software components in supply chains. Organizations must remain vigilant, ensuring all integrated libraries are up-to-date and secure to prevent similar vulnerabilities from being exploited.

1 month ago

Kill Chain

Initial Compromise (high)
Privilege Escalation (medium)
Lateral Movement (medium)
Command & Control (medium)
Exfiltration (medium)
Impact (medium)

West Pharmaceutical Services Ransomware Attack Disrupts Global Operations
Impact: HIGH

In May 2026, West Pharmaceutical Services, a leading manufacturer of pharmaceutical packaging and delivery systems, experienced a significant ransomware attack. Detected on May 4, the attack involved unauthorized data exfiltration and system encryption, leading the company to proactively shut down and isolate affected on-premise infrastructure globally. This containment measure temporarily disrupted business operations worldwide. The company engaged Palo Alto Networks' Unit 42 for incident response and notified law enforcement. As of May 11, core enterprise systems had been restored, and critical shipping, receiving, and manufacturing processes had restarted at some sites; however, a complete restoration timeline had not been finalized. The financial impact of the incident remains under assessment. This incident underscores the escalating threat of ransomware attacks targeting critical infrastructure sectors, including pharmaceutical manufacturing. Organizations in these sectors must prioritize robust cybersecurity measures, incident response planning, and employee training to mitigate the risk of such disruptive attacks.

1 month ago

Kill Chain

Initial Compromise (low)
Privilege Escalation (low)
Lateral Movement (low)
Command & Control (low)
Exfiltration (low)
Impact (high)

Insider Threats: The 2023 ALPHV Ransomware Exploits by Cybersecurity Professionals
Impact: HIGH

In 2023, former cybersecurity professionals Ryan Goldberg and Kevin Martin exploited their expertise to conduct ransomware attacks using the ALPHV/BlackCat variant. Over a six-month period, they targeted multiple U.S. organizations, including a Florida medical company, a Maryland pharmaceutical firm, a California doctor's office, a California engineering company, and a Virginia drone manufacturer. Their actions led to significant operational disruptions and financial losses, with at least one victim paying a $1.3 million ransom. ([justice.gov](https://www.justice.gov/opa/pr/two-americans-who-attacked-multiple-us-victims-using-alphv-blackcat-ransomware-sentenced?utm_source=openai)) This case underscores the alarming trend of insiders leveraging privileged access and knowledge for malicious purposes. It highlights the critical need for robust internal controls, continuous monitoring, and stringent access management to mitigate insider threats within organizations.

1 month ago

Kill Chain

Initial Compromise (high)
Privilege Escalation (high)
Lateral Movement (high)
Command & Control (high)
Exfiltration (high)
Impact (high)

Unveiling Fast16: The Pre-Stuxnet Cyber Sabotage Tool
Impact: HIGH

In 2005, a sophisticated malware named Fast16 was deployed, targeting high-precision engineering and simulation software such as LS-DYNA 970, PKPM, and MOHID. This malware subtly altered computational processes, leading to inaccurate results that could compromise infrastructure integrity, potentially causing engineering degradation or catastrophic failures. Fast16 propagated through networks by exploiting weak credentials on Windows 2000 and XP systems, and it was designed to evade major antivirus tools. Evidence suggests that Fast16 was state-sponsored, likely originating from the United States, and was used against Iran's nuclear program years before the discovery of Stuxnet. ([tomshardware.com](https://www.tomshardware.com/software/security-software/decades-old-pre-stuxnet-cyber-sabotage-tool-breaks-cover-nsa-listed-it-as-nothing-to-see-here-fast16-targeted-nuclear-reactors-dam-design-and-other-high-precision-civil-engineering-software-years-before-stuxnet-broke-cover?utm_source=openai)) The discovery of Fast16 highlights the long-standing use of cyber sabotage tools in geopolitical conflicts. Its existence underscores the need for robust cybersecurity measures to protect critical infrastructure from sophisticated, state-sponsored threats that can remain undetected for years.

1 month ago

Kill Chain

Initial Compromise (high)
Privilege Escalation (high)
Lateral Movement (high)
Command & Control (high)
Exfiltration (high)
Impact (high)

Medtronic Confirms 2026 Data Breach by ShinyHunters
Impact: HIGH

In April 2026, Medtronic, the world's largest medical device company, confirmed a data breach involving unauthorized access to certain corporate IT systems. The cybercriminal group ShinyHunters claimed responsibility, alleging the theft of over 9 million records containing personally identifiable information (PII) and terabytes of internal corporate data. Medtronic stated that the breach did not impact their products, patient safety, or business operations, emphasizing that the affected corporate IT systems are separate from those supporting their products and manufacturing operations. The company is conducting an ongoing investigation to determine the full scope of the incident and any potential exposure of personal data. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/medtronic-confirms-breach-after-hackers-claim-9-million-records-theft/?utm_source=openai)) This incident underscores the escalating threat posed by cyber extortion groups like ShinyHunters, who have been increasingly targeting large organizations across various sectors. The breach highlights the critical importance of robust cybersecurity measures and the need for organizations to remain vigilant against sophisticated cyber threats that can compromise sensitive data and disrupt operations.

1 month ago

Kill Chain

Initial Compromise (high)
Privilege Escalation (medium)
Lateral Movement (medium)
Command & Control (low)
Exfiltration (high)
Impact (high)
