A wave of ransomware attacks struck major industrial and technology companies in May 2026, with Foxconn, West Pharmaceutical Services, and cybersecurity firm Trellix each confirming breaches within days of one another. The incidents collectively exposed customer schematics, enterprise data, and source code repositories — and in at least one case, prompted a global operational shutdown.
Nitrogen Group Claims 8TB Stolen from Foxconn
Foxconn, the electronics manufacturing giant that produces devices and components for Apple, Google, Nvidia, Dell, and Sony, confirmed on Monday that a cyberattack affected its North American factories. According to TechCrunch, the ransomware gang Nitrogen claimed responsibility on its dark web leak site, stating it stole over 11 million files — including confidential customer data, product schematics, project guidelines, and bank statements.
Wired reported the group claims to have exfiltrated 8 terabytes of data, and published screenshots as proof of access. Foxconn said in a statement to media that “the affected factories are currently resuming normal production,” but did not respond to specific questions about the scope of the breach or whether a ransom demand had been received.
Nitrogen is a double-extortion group, meaning it exfiltrates victims’ data and then deploys ransomware to encrypt their files, which gives it two leverage points. Allan Liska, threat intelligence analyst at Recorded Future, told Wired that “ransomware groups are increasingly targeting victims that can impact the supply chain, whether it is physical or software,” adding that Foxconn’s role as a global manufacturing contractor for dozens of major brands makes it a high-value target.
Nitrogen emerged in 2023 and has connections to the ALPHV/BlackCat ransomware group, according to Ian Gray, vice president of intelligence at Flashpoint, who told Wired the firm’s first confirmed observation of Nitrogen’s activity was in 2024, targeting Control Panels USA.
West Pharmaceutical Services Shuts Down Global Infrastructure
On May 4, Pennsylvania-based West Pharmaceutical Services was hit by a ransomware attack that forced the company to shut down and isolate affected on-premise infrastructure globally. In a Monday filing with the SEC, the company said the containment measures disrupted business operations worldwide, according to SecurityWeek.
West Pharmaceutical retained Palo Alto Networks’ Unit 42 for incident response, containment, and investigation, and notified law enforcement. Core enterprise systems have since been restored, and shipping, receiving, and manufacturing have restarted at some sites — but the company said a complete restoration timeline has not been finalized.
The company confirmed to the SEC that attackers exfiltrated data before deploying file-encrypting ransomware, and that it is investigating the scope of affected data. West Pharmaceutical said it “has taken steps intended to mitigate the risk of dissemination of the exfiltrated data” — language that SecurityWeek noted is consistent with ransom negotiation activity. No ransomware group has publicly claimed responsibility for the attack, which further suggests a payment may have been made.
The company has not yet determined whether the attack will have a material impact on its financial results.
RansomHouse Claims Breach of Cybersecurity Firm Trellix
In a separate incident, the RansomHouse ransomware group named cybersecurity firm Trellix on its leak site, claiming to have breached part of the company’s source code repository. Trellix acknowledged the incident on its website, stating that “based on our investigation to date, we have found no evidence that our source code release or distribution process was affected, or that our source code has been exploited,” according to SecurityWeek.
RansomHouse published screenshots appearing to show access to Trellix’s internal services and management dashboards but did not specify the volume of data stolen. Trellix told SecurityWeek it is aware of the claims and is investigating.
The timing of the Trellix breach raised questions about a possible link to a broader supply chain attack connected to hacker groups TeamPCP and Lapsus$, which has also affected Checkmarx, Aqua Security, and Bitwarden. That connection has not been confirmed. RansomHouse, which emerged in 2022, operates primarily as a ransomware-as-a-service provider and currently lists more than 170 victims on its Tor-based leak site.
Checkmarx Jenkins Plugin Compromised in Supply Chain Attack
The supply chain thread running through several of these incidents traces back to a March 2026 attack on the Trivy project. As SecurityWeek reported, the TeamPCP hacker gang used credentials compromised through that attack to access Checkmarx’s repositories and publish malicious artifacts.
On Friday, Checkmarx warned users that a malicious version of its Jenkins AST plugin — which integrates the Checkmarx One platform into Jenkins CI/CD pipelines — had been published to the Jenkins Marketplace. The company told users to ensure they are running version 2.0.13-829.vc72453fa1c16, published in December 2025, and over the weekend released two updated clean versions, with the latest being 2.0.13-848.v76e89de8a053, available on GitHub and the Jenkins Marketplace.
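The version check described above can be run across a fleet of Jenkins controllers. The following is an added example, not code from Checkmarx or the Jenkins project: it assumes each controller's plugin list has been exported as JSON with a `plugins` array carrying `shortName`, `version` and `enabled` fields, and it assumes the plugin's short name is `checkmarx-ast-scanner`; the sample inventories are constructed.

```python
import json

# Versions the article names as clean. It mentions a second weekend release
# without giving its version string, so that one cannot be listed here.
PAGE_LISTED_CLEAN = {
    "2.0.13-829.vc72453fa1c16",   # December 2025 release
    "2.0.13-848.v76e89de8a053",   # latest clean release per the article
}
# Assumption: plugin short name; confirm it on your own controller.
PLUGIN_SHORT_NAME = "checkmarx-ast-scanner"

def audit_inventory(controller, inventory_json, short_name=PLUGIN_SHORT_NAME):
    """Return one finding per installed copy of the plugin on a controller."""
    plugins = json.loads(inventory_json).get("plugins", [])
    findings = []
    for p in plugins:
        if p.get("shortName") != short_name:
            continue
        version = (p.get("version") or "").strip()
        # Anything not named in the article is flagged for review, not
        # declared malicious: the page never gives the bad version string.
        status = "listed-clean" if version in PAGE_LISTED_CLEAN else "review"
        findings.append({
            "controller": controller,
            "version": version,
            "enabled": bool(p.get("enabled")),  # disabled copies stay on disk
            "status": status,
        })
    return findings

def audit_fleet(inventories):
    """inventories maps controller name -> JSON text; returns copies needing review."""
    flagged = []
    for controller, text in sorted(inventories.items()):
        flagged += [f for f in audit_inventory(controller, text) if f["status"] == "review"]
    return flagged

# Constructed sample inventories (not real data); "0.0.0-constructed" is a made-up version.
SAMPLE = {
    "ci-a": json.dumps({"plugins": [
        {"shortName": "git", "version": "5.2.1", "enabled": True},
        {"shortName": PLUGIN_SHORT_NAME, "version": "2.0.13-848.v76e89de8a053", "enabled": True}]}),
    "ci-b": json.dumps({"plugins": [
        {"shortName": PLUGIN_SHORT_NAME, "version": "0.0.0-constructed", "enabled": False}]}),
    "ci-c": json.dumps({"plugins": []}),
}

if __name__ == "__main__":
    for f in audit_fleet(SAMPLE):
        print(f"{f['controller']}: {f['version']} (enabled={f['enabled']}) -> review")
```

A "review" result means only that the installed version is not one the article names; a disabled copy is still reported because the plugin file remains on the controller.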
Lapsus$ subsequently published data allegedly stolen from Checkmarx’s GitHub repositories, which Checkmarx confirmed was likely taken in late March using the compromised Trivy credentials. The cascading nature of the attack — one supply chain compromise enabling access to multiple downstream targets — illustrates how a single credential theft can propagate across the software ecosystem.
What This Means
This cluster of incidents reflects two overlapping trends that security researchers have tracked for several years but which are now producing visible, simultaneous damage at scale.
First, ransomware groups are deliberately selecting targets with large third-party data footprints. Foxconn is not merely a target because of its own intellectual property — it holds schematics, product specifications, and financial documents from Apple, Google, Nvidia, Dell, and others. Breaching one company yields leverage over dozens. West Pharmaceutical Services, a critical supplier to the pharmaceutical industry, carries similar third-party risk. The logic is straightforward: the more sensitive the downstream customer data, the more pressure exists to pay.
Second, the supply chain attack vector — demonstrated most clearly in the Checkmarx-Trivy-TeamPCP chain — shows that credential theft at one node can propagate silently across interconnected development pipelines for weeks before detection. The March-to-May timeline of the Checkmarx incident, and the potential link to the Trellix breach, suggests that initial access obtained through a single compromised open-source project may still be yielding new victims months later.
For enterprises, the practical implication is that perimeter defense is insufficient when third-party software components, manufacturing partners, and shared development infrastructure are all potential entry points. Unit 42’s engagement at West Pharmaceutical and the multi-firm response to the supply chain attacks signal growing demand for specialized incident response — but the reactive posture remains the norm.
FAQ
What is the Nitrogen ransomware group?
Nitrogen is a double-extortion ransomware group that emerged in 2023 and primarily targets organizations in North America and Western Europe. It has known connections to the ALPHV/BlackCat ransomware group, and according to Flashpoint’s Ian Gray, was first observed in activity targeting Control Panels USA in 2024.
What data did hackers steal from Foxconn?
The Nitrogen group claims to have stolen over 11 million files totaling 8 terabytes, including product schematics, project guidelines, and bank statements belonging to Foxconn customers such as Apple, Dell, Google, Intel, and Nvidia. Foxconn has not confirmed or denied the specifics of the stolen data.
What is a supply chain attack and how did it affect Checkmarx?
A supply chain attack compromises a trusted piece of software or infrastructure to gain access to downstream users or systems. In Checkmarx’s case, the TeamPCP group used credentials stolen through the Trivy open-source project breach to access Checkmarx’s repositories in March 2026, then published malicious versions of its Jenkins AST plugin to the Jenkins Marketplace — potentially exposing any developer who installed the compromised plugin.
Sources
- West Pharmaceutical Services Hit by Disruptive Ransomware Attack – SecurityWeek
- Ransomware Group Takes Credit for Trellix Hack – SecurityWeek
- Ransomware hackers claim breach at Foxconn, a major electronics manufacturer for Apple, Google, and Nvidia – TechCrunch
- Checkmarx Jenkins AST Plugin Compromised in Supply Chain Attack – SecurityWeek
- Foxconn Ransomware Attack Shows Nothing Is Safe Forever – Wired






