Ransomware groups claimed two high-profile victims in May 2026: electronics manufacturing giant Foxconn and Pennsylvania-based West Pharmaceutical Services, while a separate malware campaign dubbed CRPx0 began targeting macOS and Windows users through fake OnlyFans lures. The incidents underscore a sustained escalation in double-extortion attacks against manufacturers and critical supply chain operators.
Foxconn Confirms North American Factory Outages
Foxconn — the contract manufacturer behind iPhones, Nvidia components, and devices for Google, Dell, and Sony — confirmed on Monday that a cyberattack disrupted operations at several of its North American facilities. In a statement sent to media outlets, the company said the affected factories are “currently resuming normal production” but did not specify the duration of the outages or which facilities were hit.
The ransomware group Nitrogen claimed responsibility, listing Foxconn on its dark web leak site on May 13, 2026, according to TechCrunch. Nitrogen claims to have stolen over 11 million files and 8 terabytes of data, including product schematics, project documentation, and bank statements belonging to Foxconn customers. As proof, the group published images purporting to show schematics and internal documents tied to Apple, Dell, Google, Intel, and Nvidia.
Foxconn did not respond to specific questions from TechCrunch or WIRED about the validity of those claims. Nitrogen operates as a double-extortion group — it encrypts files to lock victims out of their own systems while simultaneously exfiltrating data, giving it two distinct points of leverage in ransom negotiations.
Who Is the Nitrogen Ransomware Group?
Nitrogen emerged in 2023 and has maintained steady activity since, with a notable spike at the end of 2024, according to WIRED. The group primarily targets organizations in North America and Western Europe.
Security researchers have flagged connections between Nitrogen and the now-disrupted ALPHV/BlackCat ransomware operation. Ian Gray, vice president of intelligence at Flashpoint, told WIRED that Flashpoint’s first confirmed observation of Nitrogen activity was in 2024, when the group targeted Control Panels USA.
Allan Liska, a threat intelligence analyst at Recorded Future, told WIRED that supply chain manufacturers are an increasingly deliberate target category. “Ransomware groups are increasingly targeting victims that can impact the supply chain, whether it is physical or software,” Liska said. “So it’s unsurprising that a company like Foxconn would be targeted, since it does manufacturing and holds sensitive data for so many companies around the world.”
Foxconn’s appeal to attackers is structural: as a contract manufacturer for dozens of major technology brands, it holds not only its own intellectual property but sensitive customer files — schematics, product roadmaps, financial records — that carry independent extortion value.
West Pharmaceutical Services: SEC Filing Confirms Data Theft
In the same week Foxconn’s breach became public, West Pharmaceutical Services disclosed a separate ransomware incident in a filing with the Securities and Exchange Commission. According to SecurityWeek, the attack occurred on May 4, 2026, and prompted the company to proactively shut down and isolate affected on-premises infrastructure, a containment move that disrupted business operations globally.
West Pharmaceutical retained Palo Alto Networks’ Unit 42 for incident response, containment, and investigation, and notified law enforcement. The company told the SEC that attackers exfiltrated data before deploying file-encrypting ransomware — the same double-extortion sequence used in the Foxconn incident.
Key details from the SEC filing:
- Core enterprise systems have been restored
- Shipping, receiving, and manufacturing have restarted at some sites
- Restoration of remaining sites is still in progress
- A complete restoration timeline has not been finalized
- The company has “taken steps intended to mitigate the risk of dissemination of the exfiltrated data”
That last point is significant. SecurityWeek noted that no known ransomware group has publicly claimed responsibility for the West Pharmaceutical attack — an absence that often indicates a ransom payment was made. The company has not confirmed or denied any payment, and said it has yet to determine whether the attack has had a material impact on its financial condition.
CRPx0: A Separate Campaign Targeting Crypto and Data
Beyond the two high-profile corporate breaches, a newly documented malware campaign called CRPx0 is targeting individual users across macOS and Windows, with Linux capabilities reportedly in development. According to SecurityWeek, the campaign was analyzed in detail by Aryaka Threat Research Labs.
The initial lure is a fake offer of free OnlyFans account credentials, distributed as a ZIP file called `OnlyfansAccounts.zip`. Inside is a Windows shortcut file (`.lnk`) that appears to deliver the promised credentials — a file titled `Accounts.txt` listing “50 working Onlyfans accounts” — while silently installing the malware in the background.
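A download or mail gateway can catch this delivery pattern before the user opens the archive. The following is an added example, not code from the original reporting or from Aryaka: it lists ZIP members that Windows would launch on double-click and recognises shell-link content by its header even when the file has been renamed. The extension list, the member names and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# Shell Link header: HeaderSize 0x4C followed by the LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
# File types that run code when double-clicked (assumed policy list).
RISKY_EXT = {".lnk", ".scr", ".hta", ".js", ".vbs", ".bat", ".cmd", ".ps1"}


def normalized_ext(name):
    """Extension as Windows sees it: case-insensitive, trailing dots/spaces dropped."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ").lower()
    dot = base.rfind(".")
    return base[dot:] if dot > 0 else ""


def scan_zip(data):
    """Return sorted (member, reason) findings for a ZIP supplied as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = normalized_ext(info.filename)
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if head == LNK_MAGIC and ext != ".lnk":
                findings.append((info.filename, "shell link content under another extension"))
            elif ext in RISKY_EXT:
                findings.append((info.filename, "launchable file type " + ext))
    return sorted(findings)


def build_sample():
    """Constructed archive: inert header bytes only, not a working shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("OnlyfansAccounts/Accounts.LNK", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("docs/readme.txt", "constructed benign member")
        zf.writestr("notes.dat", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in scan_zip(build_sample()):
        print(member, "->", reason)
```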
CRPx0 operates in three stages:
- Cryptocurrency theft: The malware monitors the system clipboard continuously. When a victim copies a crypto wallet address, the malware swaps it for an attacker-controlled address, redirecting any transaction.
- Data exfiltration: Large-scale collection of files from the infected system.
- Ransomware delivery: A final-stage payload that encrypts files on the host.
The malware also checks in with its command-and-control server periodically to download and install newer versions of itself — a self-updating mechanism that complicates detection and remediation.
The social engineering logic here is deliberate: users actively seeking unauthorized access to paid content have already demonstrated a tolerance for risk, making them more likely to execute unfamiliar files without scrutiny.
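The clipboard swap in the first stage leaves a recognisable trace in endpoint telemetry: one wallet address replaced almost immediately by a different address of the same format, written by another process. The following is an added example, not code from the original reporting or from Aryaka. The event layout (time, writing process, text), the address formats, the one-second window and the process names are all assumptions.

```python
import re

# Address shapes to watch (an assumption: the page does not name the coins).
WALLET_PATTERNS = {
    "btc-legacy": re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}"),
    "btc-bech32": re.compile(r"bc1[ac-hj-np-z02-9]{11,71}"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}


def wallet_kind(text):
    """Format name if the whole clipboard text is one address, else None."""
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.fullmatch(text.strip()):
            return kind
    return None


def find_swaps(events, max_gap=1.0):
    """events: (seconds, writer_process, text) clipboard writes in time order.
    Alert when an address is overwritten, within max_gap seconds and by a
    different process, with another address of the same format."""
    alerts = []
    prev = None  # (ts, writer, text, kind) of the last address write
    for ts, writer, text in events:
        kind = wallet_kind(text)
        if kind is None:
            prev = None
            continue
        text = text.strip()
        if (prev and kind == prev[3] and text != prev[2]
                and writer != prev[1] and ts - prev[0] <= max_gap):
            alerts.append({"at": ts, "by": writer, "kind": kind,
                           "copied": prev[2], "replaced_with": text})
        prev = (ts, writer, text, kind)
    return alerts


def sample_events():
    """Constructed telemetry; addresses are filler strings, not real wallets."""
    eth_a, eth_b, eth_c = ("0x" + c * 40 for c in "abc")
    return [
        (10.0, "browser.exe", eth_a),
        (10.2, "helper.exe", eth_b),    # overwritten 0.2 s later by another process
        (30.0, "browser.exe", "meeting at 3pm"),
        (40.0, "browser.exe", eth_a),
        (55.0, "browser.exe", eth_c),   # user copied a second address: no alert
        (70.0, "wallet.exe", "1" + "A" * 30),
        (70.3, "helper.exe", eth_b),    # different format: not a like-for-like swap
    ]
```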
What This Means
The Foxconn and West Pharmaceutical attacks, taken together, illustrate a maturing ransomware economy in which supply chain position is itself a threat multiplier. Foxconn’s value to attackers is not just its own revenue — it’s the leverage that comes from holding Apple schematics, Nvidia component data, and Dell project files simultaneously. A single breach becomes a multi-party extortion event.
The apparent absence of a public claim in the West Pharmaceutical case — and the company’s language around “mitigating dissemination” of stolen data — points to a likely ransom negotiation, which in turn funds the next round of attacks. This cycle is well-documented and increasingly difficult to interrupt.
The CRPx0 campaign adds a different dimension: consumer-facing malware that uses social engineering to bypass technical defenses entirely. No zero-day is needed when the victim willingly executes the payload. The self-updating architecture means that by the time a signature is written, the installed build may already have been replaced by a newer version.
For organizations in manufacturing and pharmaceutical supply chains specifically, the risk profile has shifted. It is no longer sufficient to secure your own data — the sensitivity of customer data you hold creates liability that attackers are actively pricing into their targeting decisions.
FAQ
What did Nitrogen steal from Foxconn?
Nitrogen claims to have stolen over 11 million files totaling 8 terabytes of data, including product schematics, project documentation, and bank statements tied to Foxconn customers such as Apple, Dell, Google, Intel, and Nvidia. Foxconn has not confirmed or denied the specific contents of the stolen data.
Did West Pharmaceutical Services pay the ransom?
West Pharmaceutical Services has not confirmed any ransom payment. However, SecurityWeek noted that no ransomware group has publicly claimed responsibility for the attack — which often signals that a payment was made — and the company’s SEC filing stated it took steps to “mitigate the risk of dissemination of the exfiltrated data,” language consistent with a negotiated resolution.
How does the CRPx0 malware work?
CRPx0 spreads through fake OnlyFans credential files and, once installed, steals cryptocurrency by swapping wallet addresses copied to the clipboard, exfiltrates data from the infected machine, and ultimately delivers a ransomware payload. It also updates itself automatically by checking in with attacker-controlled servers, making it harder to detect and remove with static antivirus signatures.
Sources
- West Pharmaceutical Services Hit by Disruptive Ransomware Attack – SecurityWeek
- Ransomware hackers claim breach at Foxconn, a major electronics manufacturer for Apple, Google, and Nvidia – TechCrunch
- Foxconn Ransomware Attack Shows Nothing Is Safe Forever – WIRED
- Boulevard of Broken Dreams: 2 Decades of Cyber Fails – Dark Reading
- Free OnlyFans Lure Used to Spread Cross-Platform CRPx0 Malware – SecurityWeek






