Foxconn confirmed Monday that ransomware hackers breached its North American facilities and potentially stole confidential data from major tech customers including Apple, Google, and NVIDIA. The Nitrogen ransomware group claimed responsibility for the attack, alleging it stole over 11 million files totaling 8 terabytes of data.
According to TechCrunch, Foxconn acknowledged the cyberattack affected facilities in North America, stating that “the affected factories are currently resuming normal production.” The electronics manufacturing giant produces devices and components for Apple, Google, NVIDIA, Sony, and other major technology companies.
Stolen Data Includes Customer Schematics
Nitrogen published proof of the breach on its dark web leak site, displaying what appear to be product schematics, guidelines, and bank statements from Foxconn customers. Wired reported the hackers claim to have accessed sensitive data from Dell, Google, Apple, and NVIDIA projects.
The ransomware group operates as a double-extortion outfit, meaning attackers steal victim data before deploying the encryption malware and then encrypt the victim's files. This dual approach gives Nitrogen two monetization strategies: ransom payments for file decryption and additional extortion threats around data publication.
Nitrogen emerged in 2023 and primarily targets victims in North America and Western Europe. According to Flashpoint’s Ian Gray, the group has connections to the notorious ALPHV/BlackCat ransomware operation and has been “steadily active with some spikes, including at the end of 2024.”
Supply Chain Targeting Trend Accelerates
The Foxconn breach represents a growing trend of ransomware groups targeting supply chain companies to maximize impact and extortion potential. “Ransomware groups are increasingly targeting victims that can impact the supply chain, whether it is physical or software,” Allan Liska, threat intelligence analyst at Recorded Future, told Wired.
Foxconn’s position as a key manufacturing contractor makes it particularly attractive to cybercriminals. The company holds not only its own intellectual property but also sensitive customer data, from device schematics to project timelines. This concentration of valuable information from multiple major technology companies amplifies the potential damage from a successful breach.
The attack follows a pattern of supply chain compromises affecting cybersecurity firms. SecurityWeek reported that Checkmarx’s Jenkins AST plugin was compromised in March, with the TeamPCP hacker gang and Lapsus$ extortion group subsequently accessing the company’s repositories and publishing malicious artifacts.
Cybersecurity Firms Also Under Siege
The Foxconn incident coincides with multiple ransomware attacks targeting cybersecurity companies themselves. RansomHouse claimed responsibility for breaching Trellix’s source code repository, according to SecurityWeek. The group published screenshots showing access to internal services and management dashboards.
Trellix acknowledged the breach, stating that “part of its source code repository had been breached” but found “no evidence that our source code release or distribution process was affected.” The company promised additional details after completing its investigation.
Meanwhile, West Pharmaceutical Services disclosed a May 4 ransomware attack that prompted “proactive shutdown and isolation of affected on-premise infrastructure.” The company’s SEC filing revealed attackers exfiltrated data before deploying encryption malware, disrupting global business operations.
Recovery Efforts and Incident Response
West Pharmaceutical retained Palo Alto Networks’ Unit 42 team for containment and investigation. The company told the SEC it “has taken steps intended to mitigate the risk of dissemination of the exfiltrated data,” suggesting possible ransom negotiations. Core enterprise systems have been restored, with manufacturing operations resuming at some sites.
Checkmarx responded to its supply chain compromise by releasing updated versions of its compromised Jenkins plugin. The latest iteration, version 2.0.13-848.v76e89de8a_053, is now available on GitHub and the Jenkins Marketplace. The company advised users to verify they’re running the legitimate December 2025 version rather than the malicious variant.
Foxconn has not disclosed specific recovery timelines or whether ransom demands were made. The company’s acknowledgment of the attack came only after Nitrogen publicly listed Foxconn on its breach site Monday.
What This Means
The Foxconn breach highlights the expanding attack surface created by complex manufacturing supply chains. When a single contractor holds sensitive data from multiple major technology companies, successful breaches can expose intellectual property across entire industry segments. The 11 million files allegedly stolen represent not just Foxconn’s operational data but potentially years of product development from Apple, Google, NVIDIA, and other customers.
Ransomware groups increasingly recognize that supply chain targets offer maximum leverage for extortion. Rather than attacking individual companies, compromising shared service providers or manufacturers can impact dozens of downstream organizations simultaneously. This multiplier effect makes companies like Foxconn attractive targets despite their typically robust security investments.
The simultaneous attacks on cybersecurity firms like Trellix and Checkmarx suggest coordinated campaigns or shared intelligence among threat actors. When security companies themselves become victims, it undermines confidence in the broader cybersecurity ecosystem and potentially exposes defensive tools and techniques.
FAQ
What type of data did hackers steal from Foxconn?
Nitrogen claims to have stolen over 11 million files including product schematics, project guidelines, and bank statements from major customers like Apple, Google, and NVIDIA. The total alleged data theft amounts to 8 terabytes of information.
How does double-extortion ransomware work?
Double-extortion groups like Nitrogen steal data before deploying the encryption malware, then encrypt victim files. This gives attackers two leverage points: victims must pay to decrypt their files, and they face additional extortion threats that the stolen data could be published online.
Why are supply chain companies targeted by ransomware?
Supply chain companies hold sensitive data from multiple customers, making them high-value targets. A single successful breach can impact dozens of downstream organizations, giving ransomware groups maximum leverage for extortion payments.
Sources
- West Pharmaceutical Services Hit by Disruptive Ransomware Attack – SecurityWeek
- Ransomware Group Takes Credit for Trellix Hack – SecurityWeek
- Ransomware hackers claim breach at Foxconn, a major electronics manufacturer for Apple, Google, and Nvidia – TechCrunch
- Checkmarx Jenkins AST Plugin Compromised in Supply Chain Attack – SecurityWeek
- Foxconn Ransomware Attack Shows Nothing Is Safe Forever – Wired






