Foxconn, West Pharma Hit by Ransomware in Busy Attack Week

Synthesized from 5 sources

Three separate ransomware and supply chain incidents dominated cybersecurity news this week, with electronics giant Foxconn, pharmaceutical packaging firm West Pharmaceutical Services, and security toolmaker Checkmarx all disclosing active or ongoing attacks. The incidents collectively involved data theft claims exceeding 8 terabytes, a compromised developer plugin used by thousands of CI/CD pipelines, and a double-extortion group with ties to the defunct ALPHV/BlackCat operation.

Foxconn Confirms North American Factory Outages

Foxconn, the Taiwan-based contract manufacturer that produces hardware for Apple, Google, Nvidia, Dell, and Sony, confirmed on Monday that a cyberattack disrupted operations at North American factories. According to TechCrunch, the company said in a statement that “the affected factories are currently resuming normal production.”

The ransomware gang Nitrogen claimed responsibility on its dark web leak site, asserting it stole over 11 million files — including product schematics, project guidelines, and bank statements tied to Foxconn customers. Wired reported the group claims to have exfiltrated 8 terabytes of data in total.

As proof, Nitrogen published images it claims show confidential materials from Apple, Dell, Google, Intel, and Nvidia. Foxconn did not respond to specific questions from either outlet about the validity of those claims or whether a ransom demand had been issued.

Nitrogen operates as a double-extortion group: it encrypts files to disrupt operations, then threatens to publish stolen data to pressure victims into paying. The group has been active since 2023, though Flashpoint VP of intelligence Ian Gray told Wired that his firm’s first confirmed observation of Nitrogen activity was in 2024, when it targeted Control Panels USA.

Why Foxconn Is a High-Value Ransomware Target

Foxconn’s scale and role in global electronics manufacturing make it an attractive target for extortion actors. The company doesn’t just hold its own intellectual property — it holds the IP of dozens of major technology clients, including device schematics and production specifications.

Allan Liska, a threat intelligence analyst at Recorded Future, told Wired that “ransomware groups are increasingly targeting victims that can impact the supply chain, whether it is physical or software.” He added that Foxconn’s role as a manufacturer holding sensitive data for companies worldwide makes it an unsurprising mark.

Nitrogen also has documented connections to the ALPHV/BlackCat ransomware group, one of the most destructive ransomware operations before its collapse in early 2024. That lineage suggests a level of operational sophistication above typical extortion-only groups.

Foxconn has not confirmed the scope of stolen data, whether customer data was actually compromised, or whether it has engaged with the attackers.

West Pharmaceutical Services Discloses SEC Filing After May 4 Attack

Pennsylvania-based West Pharmaceutical Services, which manufactures drug delivery systems and packaging for the pharmaceutical industry, disclosed a ransomware attack in a filing with the U.S. Securities and Exchange Commission this week. According to SecurityWeek, the incident occurred on May 4 and prompted a “proactive shutdown and isolation of affected on-premise infrastructure.”

The company retained Palo Alto Networks’ Unit 42 for containment, system restoration, and investigation, and notified law enforcement. Core enterprise systems have been restored, and shipping, receiving, and manufacturing have restarted at some facilities — but a complete restoration timeline has not been finalized.

West Pharmaceutical told the SEC that attackers exfiltrated data before deploying file-encrypting ransomware, a sequencing consistent with double-extortion tactics. The company said it “has taken steps intended to mitigate the risk of dissemination of the exfiltrated data” — language that SecurityWeek noted implies possible negotiation with the attackers.

No ransomware group has publicly claimed responsibility for the West Pharmaceutical attack, and the company has not identified the threat actor. SecurityWeek reported that the absence of a public claim further suggests a ransom may have been paid. West Pharmaceutical has not yet determined whether the attack will have a material impact on its financials.

Checkmarx Jenkins Plugin Compromised in Ongoing Supply Chain Attack

Security firm Checkmarx disclosed on Friday that a malicious version of its Jenkins AST plugin was published to the Jenkins Marketplace as part of a continuing supply chain attack. According to SecurityWeek, the plugin integrates Checkmarx’s code scanning platform into Jenkins CI/CD pipelines — meaning a compromised version could intercept source code scans across affected development environments.

The incident traces back to March 2025, when the TeamPCP hacker gang exploited the Trivy supply chain attack to access Checkmarx’s repositories and publish malicious build artifacts. A second wave of malicious artifacts followed roughly a month later, suggesting the attackers maintained or regained access.

The Lapsus$ extortion group subsequently published data it claimed was stolen from Checkmarx’s GitHub repositories during the March breach. Checkmarx confirmed the data was likely authentic and traced the credential compromise to the Trivy attack.

Checkmarx released two new plugin versions over the weekend. Users should confirm they are running version 2.0.13-848.v76e89de8a_053, now available on both GitHub and the Jenkins Marketplace. The company has not disclosed how the malicious plugin version was published or how many users may have installed it.

CRPx0 Malware Uses OnlyFans Lure for Crypto Theft and Ransomware

A separate campaign documented by Aryaka Threat Research Labs uses a fake OnlyFans account offer to distribute CRPx0, a cross-platform malware targeting macOS and Windows systems, with Linux capabilities reportedly in development.

According to SecurityWeek, the attack chain begins with a file called `OnlyfansAccounts.zip`, which contains a shortcut file that installs malware while displaying a fake credential list. The malware then establishes persistence, phones home to a command-and-control server, and self-updates.

CRPx0 executes three primary payloads:

  • Cryptocurrency theft via clipboard monitoring — the malware replaces copied wallet addresses with attacker-controlled addresses in real time
  • Data exfiltration at scale
  • Ransomware deployment as a final stage

The campaign’s social engineering logic is deliberate: users seeking unauthorized free access to a paid platform have already signaled a tolerance for risk, making them more likely to execute unfamiliar files without scrutiny.

What This Means

This week’s incidents reflect two distinct but converging threat trends. The Foxconn and West Pharmaceutical attacks illustrate how double-extortion ransomware has matured into a reliable monetization model — encrypt, exfiltrate, then apply pressure through both operational disruption and threatened data publication. The fact that neither company has publicly named a responsible group, and that West Pharmaceutical signaled possible negotiation in SEC language, suggests the extortion model continues to work.

The Checkmarx supply chain attack is a different category of concern. A compromised plugin in a widely used CI/CD platform like Jenkins doesn’t just affect one company — it potentially affects every organization that pulled the malicious version into their build pipeline. The involvement of both TeamPCP and Lapsus$ in a sustained, multi-month campaign against a single security vendor suggests targeted persistence rather than opportunistic access.

Together, these incidents reinforce that ransomware actors are deliberately targeting organizations positioned within larger supply chains — manufacturers like Foxconn that hold third-party IP, security toolmakers like Checkmarx whose products touch thousands of downstream pipelines. The attack surface is the relationship, not just the organization.

FAQ

What is the Nitrogen ransomware group?

Nitrogen is a double-extortion ransomware gang that has been active since 2023, primarily targeting organizations in North America and Western Europe. The group has documented connections to the ALPHV/BlackCat ransomware operation and claimed responsibility for the Foxconn breach in May 2026.

What should Jenkins users do after the Checkmarx plugin compromise?

Users should verify they are running Checkmarx Jenkins AST plugin version 2.0.13-848.v76e89de8a_053, the clean version released over the weekend and available on GitHub and the Jenkins Marketplace. Organizations that may have run the compromised version should audit their build pipelines for signs of unauthorized access or artifact tampering.
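
For the version check recommended here and in the Checkmarx section above, this added example (not code from Checkmarx, Jenkins or the cited outlets) reads the `Short-Name` and `Plugin-Version` manifest attributes from the plugin archives in a copy of a controller's plugins directory and flags any Checkmarx archive that is not the fixed release. The short name `checkmarx-ast-scanner` is an assumption, and the sample archives and their non-article version strings are constructed.

```python
import tempfile
import zipfile
from pathlib import Path

KNOWN_GOOD = "2.0.13-848.v76e89de8a_053"  # fixed release named in the article
PLUGIN_ID = "checkmarx-ast-scanner"       # assumed Short-Name; confirm on your controller

def parse_manifest(text):
    """Parse the main section of a JAR manifest, joining continuation lines."""
    attrs, key = {}, None
    for line in text.splitlines():
        if not line:                      # blank line ends the main section
            break
        if line.startswith(" ") and key:  # continuation of the previous value
            attrs[key] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            attrs[key] = value.lstrip(" ")
    return attrs

def audit(plugins_dir, plugin_id=PLUGIN_ID, known_good=KNOWN_GOOD):
    """Return (file, version, status) rows; .bak is a kept previous version, if any."""
    findings = []
    for path in sorted(Path(plugins_dir).iterdir()):
        if not path.is_file() or path.suffix not in (".jpi", ".hpi", ".bak"):
            continue
        try:
            with zipfile.ZipFile(path) as zf:
                raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except (zipfile.BadZipFile, KeyError):
            findings.append((path.name, None, "unreadable"))
            continue
        attrs = parse_manifest(raw)
        if attrs.get("Short-Name") == plugin_id:
            version = attrs.get("Plugin-Version")
            status = "ok" if version == known_good else "review"
            findings.append((path.name, version, status))
    return findings

def demo():
    """Audit constructed sample archives; the non-article versions are made up."""
    samples = [("checkmarx-ast-scanner.jpi", PLUGIN_ID, KNOWN_GOOD),
               ("checkmarx-ast-scanner.bak", PLUGIN_ID, "0.0.0-constructed"),
               ("git.jpi", "git", "1.0-constructed")]
    with tempfile.TemporaryDirectory() as tmp:
        for fname, name, ver in samples:
            body = f"Manifest-Version: 1.0\r\nShort-Name: {name}\r\nPlugin-Version: {ver}\r\n\r\n"
            with zipfile.ZipFile(Path(tmp) / fname, "w") as zf:
                zf.writestr("META-INF/MANIFEST.MF", body)
        return audit(tmp)
```

Point `audit()` at a copy of the controller's `plugins` directory under `JENKINS_HOME`; any row marked `review` or `unreadable` needs a manual look.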

Did West Pharmaceutical Services pay a ransom?

West Pharmaceutical has not confirmed or denied paying a ransom. However, the company’s SEC filing stated it “has taken steps intended to mitigate the risk of dissemination of the exfiltrated data,” and SecurityWeek noted that no ransomware group has publicly claimed the attack — both indicators that a negotiated payment may have occurred.

Digital Mind News

Digital Mind News is an AI-operated newsroom. Every article here is synthesized from multiple trusted external sources by our automated pipeline, then checked before publication. We disclose our AI authorship openly because transparency is part of the product.