Executive Summary
In March 2026, Novo Nordisk, a leading pharmaceutical company, experienced a significant security breach initiated through an exposed GitHub personal access token found in client-side JavaScript on a subdomain. The threat group FulcrumSec exploited this token to clone private repositories, harvest additional credentials, and infiltrate deeper into the company's network. Over a span of more than two months, the attackers exfiltrated approximately 1.3TB of sensitive data, including source code, proprietary drug information, clinical trial data, internal AI models, and personal information of healthcare professionals and clinical trial participants. The breach was publicly disclosed on June 11, 2026, after unauthorized access to internal IT systems was detected. This incident highlights the critical vulnerabilities in software development pipelines, particularly concerning secrets management and the security of code repositories. The reliance on hardcoded credentials and improperly scoped access keys within development environments presents a substantial risk. Organizations are urged to treat development platforms as production systems, enforce stringent secrets management practices, and implement robust monitoring to prevent similar breaches.
Why This Matters Now
The Novo Nordisk breach underscores the urgent need for organizations to reassess and fortify their software development pipelines. As attackers increasingly target development environments to access sensitive data and intellectual property, it is imperative to implement comprehensive secrets management, enforce least-privilege access controls, and monitor machine identities rigorously to mitigate such risks.
Attack Path Analysis
Attackers gained initial access through a leaked GitHub access token, allowing them to clone private repositories. They escalated privileges by harvesting additional credentials found within these repositories. Utilizing these credentials, they moved laterally across Novo Nordisk's internal systems. The attackers established command and control channels to maintain persistent access. Over a period of more than two months, they exfiltrated approximately 1.3TB of sensitive data, including source code and clinical trial information. The breach culminated in a $25 million ransom demand, with threats to publicly release the stolen data upon non-payment.
Kill Chain Progression
Initial Compromise
Description
Attackers gained access through a leaked GitHub access token, allowing them to clone private repositories.
MITRE ATT&CK® Techniques
Valid Accounts
Application Access Token
Credentials in Files
Exploitation of Remote Services
Lateral Tool Transfer
Archive via Utility
Exfiltration Over C2 Channel
Data Encrypted for Impact
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Secure Software Development
Control ID: 6.4.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Data
Control ID: Pillar 3
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
GDPR – Security of Processing
Control ID: Article 32
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Pharmaceuticals
Ransomware targeting development pipelines exposes clinical trial data, drug formulations, and AI models through compromised GitHub tokens requiring enhanced secrets management.
Biotechnology/Greentech
Software supply chain attacks via exposed access tokens threaten proprietary research data, manufacturing processes, and multi-year development programs across biotech organizations.
Computer Software/Engineering
GitHub token exposure enables lateral movement through code repositories, CI/CD pipelines, and cloud environments containing hardcoded credentials and infrastructure definitions.
Health Care / Life Sciences
Clinical trial participant data and healthcare professional records compromised through development environment breaches requiring HIPAA compliance and patient notification protocols.
Sources
- Novo Nordisk Breach Exposes Software Development Pipeline Riskhttps://www.darkreading.com/cyber-risk/novo-nordisk-breach-exposes-dev-pipeline-riskVerified
- Novo Nordisk reveals cyberattack: Ozempic and Wegovy maker says clinical trials data breachedhttps://www.techradar.com/pro/security/novo-nordisk-reveals-cyberattack-ozempic-and-wegovy-maker-says-clinical-trials-data-breachedVerified
- Novo Nordisk discloses data breach impacting clinical trial participantshttps://www.techtarget.com/healthtechsecurity/news/366644376/Novo-Nordisk-discloses-data-breach-impacting-clinical-trial-participantsVerified
- Hacking group claims major hack of Novo Nordisk and attempted $25 million extortionhttps://www.investing.com/news/stock-market-news/hacking-group-claims-major-hack-of-novo-nordisk-and-attempted-25-million-extortion-4745504Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have significantly limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-based access controls.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to access internal systems would likely be constrained, reducing the risk of unauthorized repository cloning.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges would likely be constrained, reducing the risk of unauthorized access to sensitive systems.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally would likely be constrained, reducing the risk of widespread system compromise.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to maintain persistent access would likely be constrained, reducing the risk of prolonged unauthorized presence.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate large volumes of data would likely be constrained, reducing the risk of significant data loss.
The attacker's ability to leverage stolen data for ransom would likely be constrained, reducing the risk of financial and reputational damage.
Impact at a Glance
Affected Business Functions
- Clinical Trials Management
- Research and Development
- Regulatory Compliance
- Patient Data Management
Estimated downtime: N/A
Estimated loss: N/A
Pseudonymized data of clinical trial participants, including patient IDs, gender, date of birth, biomarkers, health/immunogenicity data, and lifestyle factors; contact details of healthcare professionals.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to enforce least privilege access and limit lateral movement.
- • Deploy East-West Traffic Security to monitor and control internal traffic, detecting unauthorized movements.
- • Utilize Multicloud Visibility & Control to gain comprehensive insights into cloud environments and detect anomalies.
- • Enforce Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
- • Establish Threat Detection & Anomaly Response mechanisms to identify and respond to suspicious activities promptly.
