Ransomware groups struck two major industrial manufacturers within days of each other in May 2026, with Foxconn confirming North American factory outages and West Pharmaceutical Services disclosing data exfiltration in a separate incident that began May 4. The attacks coincided with a supply chain compromise at security vendor Checkmarx and a newly documented cross-platform malware campaign targeting consumers — a cluster of incidents that illustrates the breadth of active threat activity across sectors.
Foxconn Confirms Factory Disruptions After Nitrogen Group Claims 8TB Theft
Electronics manufacturing giant Foxconn acknowledged that some of its North American factories “suffered a cyberattack” after the ransomware group Nitrogen listed the company on its dark web leak site on Monday, May 13, according to TechCrunch. Foxconn said the affected factories are “currently resuming normal production” but did not respond to specific questions about the scope of the breach.
Nitrogen claimed it stole over 11 million files — or approximately 8 terabytes of data — including product schematics, project guidelines, and bank statements tied to customers such as Apple, Dell, Google, Intel, and Nvidia, per Wired. As proof of the theft, the group published images of what appear to be internal documents on its leak site.
Nitrogen is a double-extortion group, meaning it encrypts victim files while simultaneously exfiltrating them — giving it two levers for extracting payment. Wired reported that Nitrogen emerged in 2023 and has documented connections to the ALPHV/BlackCat ransomware group. Ian Gray, vice president of intelligence at security firm Flashpoint, told Wired that his firm’s first confirmed observation of Nitrogen activity was in 2024, targeting Control Panels USA.
Foxconn’s appeal as a target is structural. The company manufactures components and complete devices — including Apple iPhones — for dozens of major technology brands, meaning a single breach can expose intellectual property from multiple Fortune 500 clients simultaneously.
Why Manufacturers Are Becoming Preferred Ransomware Targets
Allan Liska, a threat intelligence analyst at Recorded Future, told Wired that ransomware groups are “increasingly targeting victims that can impact the supply chain, whether it is physical or software.” Foxconn fits that profile precisely: it holds not just its own intellectual property but sensitive design and production data belonging to its customers.
The Foxconn attack is not the company’s first ransomware incident. The manufacturer has been targeted by ransomware actors in prior years, underscoring that repeated targeting of high-value industrial firms is a deliberate strategy rather than opportunism.
Nitrogen’s activity has been uneven but persistent. Wired noted spikes in the group’s activity toward the end of 2024, and its focus has remained concentrated on North America and Western Europe. The group’s ALPHV/BlackCat connections are significant — ALPHV was one of the most active ransomware-as-a-service operations before law enforcement disrupted it in late 2023.
West Pharmaceutical Services Discloses Data Exfiltration in May 4 Incident
Pennsylvania-based West Pharmaceutical Services disclosed in a Monday SEC filing that attackers exfiltrated data from its systems before deploying file-encrypting ransomware, following an incident that began May 4, according to SecurityWeek. The company proactively shut down and isolated affected on-premise infrastructure as a containment measure, disrupting business operations globally.
West Pharmaceutical retained Palo Alto Networks’ Unit 42 for threat intelligence, incident response, and system restoration, and notified law enforcement. The company told the SEC it has “restored its core enterprise systems” and restarted critical shipping, receiving, and manufacturing processes at some sites, but has not finalized a timeline for complete restoration.
Key disclosures from the SEC filing include:
- Attackers exfiltrated data before deploying ransomware (double-extortion pattern)
- The company “has taken steps intended to mitigate the risk of dissemination of the exfiltrated data” — language that implies potential negotiation with attackers
- No ransomware group has publicly claimed responsibility, which SecurityWeek noted is consistent with a ransom payment having been made
- West Pharmaceutical has not yet determined whether the attack has had a material financial impact
- The type and scope of data affected remain under investigation
The company has not disclosed the specific data categories involved, leaving open questions about whether employee, customer, or manufacturing data was among the exfiltrated files.
Checkmarx Jenkins Plugin Compromised in Ongoing Supply Chain Attack
Security vendor Checkmarx warned users on Friday that a malicious version of its Jenkins AST plugin had been published to the Jenkins Marketplace, according to SecurityWeek. The plugin integrates Checkmarx’s code-scanning platform into Jenkins CI/CD pipelines — making it a high-value target for attackers seeking access to developer environments.
The incident is an extension of a supply chain attack Checkmarx has been managing since March 2026. The TeamPCP hacker gang initially accessed Checkmarx’s repositories via the Trivy supply chain attack, publishing malicious artifacts. A second wave of malicious artifacts followed approximately a month later, suggesting the attacker maintained persistent or renewed access.
The Lapsus$ extortion group subsequently published data it claimed was stolen from Checkmarx’s GitHub repositories, and Checkmarx confirmed the data was likely exfiltrated using credentials compromised through the Trivy attack.
Checkmarx has since released two updated plugin versions. Users should verify they are running version 2.0.13-848.v76e89de8a_053, now available on both GitHub and the Jenkins Marketplace. The company has not publicly disclosed how the malicious plugin version was introduced to the marketplace.
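One way to run the version check described above across a Jenkins plugins directory (an added example, not code from Checkmarx or the cited reporting). The plugin short name `checkmarx-ast-scanner` and all helper names are assumptions, and the sample archives are constructed:

```python
import pathlib
import tempfile
import zipfile

EXPECTED_VERSION = "2.0.13-848.v76e89de8a_053"   # version string quoted in the article
PLUGIN_SHORT_NAME = "checkmarx-ast-scanner"      # assumed plugin ID, not from the article

def parse_manifest(text):
    """Parse a JAR manifest main section; a line starting with a space continues the previous value."""
    attrs, key = {}, None
    for line in text.splitlines():
        if not line:                      # a blank line ends the main section
            break
        if line.startswith(" ") and key:
            attrs[key] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            attrs[key] = value.lstrip(" ")
    return attrs

def audit_plugins(plugins_dir):
    """Return (file name, version, status) for each archive of the assumed plugin, plus unreadable archives."""
    findings = []
    for path in sorted(pathlib.Path(plugins_dir).iterdir()):
        if path.suffix not in (".jpi", ".hpi"):
            continue
        try:
            with zipfile.ZipFile(path) as archive:
                manifest = archive.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except (zipfile.BadZipFile, KeyError, OSError):
            findings.append((path.name, None, "unreadable"))   # cannot be verified, so flag it
            continue
        attrs = parse_manifest(manifest)
        if attrs.get("Short-Name") != PLUGIN_SHORT_NAME:
            continue
        version = attrs.get("Plugin-Version")
        findings.append((path.name, version, "ok" if version == EXPECTED_VERSION else "review"))
    return findings

def build_sample(plugins_dir, file_name, short_name, version):
    """Write a constructed plugin archive whose manifest wraps the version across two lines."""
    manifest = f"Manifest-Version: 1.0\r\nShort-Name: {short_name}\r\nPlugin-Version: {version[:10]}\r\n {version[10:]}\r\n"
    with zipfile.ZipFile(pathlib.Path(plugins_dir) / file_name, "w") as archive:
        archive.writestr("META-INF/MANIFEST.MF", manifest)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo_dir:            # constructed sample data only
        build_sample(demo_dir, "current.jpi", PLUGIN_SHORT_NAME, EXPECTED_VERSION)
        build_sample(demo_dir, "stale.jpi", PLUGIN_SHORT_NAME, "0.0.0-constructed")
        for name, version, status in audit_plugins(demo_dir):
            print(f"{status:10} {name:12} {version}")
```

A `review` result only means the installed version differs from the one the article names; it does not by itself identify a malicious build.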
CRPx0 Malware Uses Free OnlyFans Lure for Crypto Theft and Ransomware Delivery
A separate but concurrent threat involves CRPx0, a cross-platform malware campaign analyzed by Aryaka Threat Research Labs that targets macOS and Windows systems, with Linux capabilities reportedly in development, according to SecurityWeek.
The campaign uses a social engineering lure — a file called OnlyfansAccounts.zip — to entice users seeking free access to the paid platform. The archive contains a shortcut file that appears to deliver account credentials but silently installs malware in the background.
CRPx0’s capabilities include:
- Cryptocurrency theft via clipboard monitoring — if a victim copies a wallet address, the malware substitutes the attacker’s address
- Large-scale data exfiltration to attacker-controlled command-and-control infrastructure
- Ransomware delivery as a final-stage payload
- Self-updating functionality — the malware periodically checks for newer versions and updates itself
The campaign’s design exploits a behavioral insight: users willing to seek unauthorized access to paid content have already demonstrated risk tolerance, making them more likely to execute suspicious files without scrutiny.
What This Means
The convergence of these incidents in a short window reflects a maturation in ransomware tactics rather than a surge in attacker numbers. Double-extortion — exfiltrate first, encrypt second — is now the default approach across groups ranging from Nitrogen to the unnamed actor behind the West Pharmaceutical attack. This removes the victim’s option to simply restore from backups and walk away; the threat of publishing stolen data persists independently of whether systems are recovered.
The Foxconn attack specifically highlights a structural vulnerability in contract manufacturing. When a single company holds sensitive design data for Apple, Google, Nvidia, Dell, and Intel simultaneously, it becomes a single point of failure for the intellectual property of multiple industries. Attackers have clearly recognized this leverage.
The Checkmarx supply chain compromise is a different but equally concerning pattern. Lapsus$ and TeamPCP targeting a security vendor’s own tooling — and successfully publishing malicious artifacts to a public marketplace — demonstrates that developer infrastructure remains a high-return attack surface. Organizations using Checkmarx’s Jenkins plugin should treat the compromise as a potential credential exposure event, not just a plugin update.
For the West Pharmaceutical incident, the absence of a public ransomware claim and the company’s language about mitigating “dissemination” of exfiltrated data strongly suggest a payment was made. If confirmed, it continues a pattern where critical manufacturers quietly pay rather than risk operational disruption or exposure of sensitive production data.
FAQ
What did the Nitrogen ransomware group steal from Foxconn?
Nitrogen claimed to have stolen over 11 million files — approximately 8 terabytes — from Foxconn’s North American operations, including product schematics, project guidelines, and bank statements linked to customers such as Apple, Dell, Google, Intel, and Nvidia. The group published sample documents on its dark web leak site as proof, though Foxconn has not confirmed the validity of the specific claims.
What is double-extortion ransomware and why does it matter?
Double-extortion ransomware involves attackers stealing data before encrypting it, which gives them two ways to pressure victims: demand payment to restore access, and demand a separate payment to prevent the stolen data from being published. This means restoring from backups alone does not resolve the threat, since the exfiltrated data can still be leaked or sold regardless of whether the victim recovers their systems.
How should organizations respond to the Checkmarx Jenkins plugin compromise?
Checkmarx advises users to ensure they are running version 2.0.13-848.v76e89de8a_053 of the Jenkins AST plugin, available on GitHub and the Jenkins Marketplace. Organizations should also treat the incident as a potential credential exposure event, given that the underlying attack chain involved compromised credentials from the earlier Trivy supply chain attack, and audit any systems that ran earlier plugin versions for signs of unauthorized access.
Sources
- West Pharmaceutical Services Hit by Disruptive Ransomware Attack – SecurityWeek
- Ransomware hackers claim breach at Foxconn, a major electronics manufacturer for Apple, Google, and Nvidia – TechCrunch
- Checkmarx Jenkins AST Plugin Compromised in Supply Chain Attack – SecurityWeek
- Foxconn Ransomware Attack Shows Nothing Is Safe Forever – Wired
- Free OnlyFans Lure Used to Spread Cross-Platform CRPx0 Malware – SecurityWeek






