Novo Nordisk disclosed a breach on June 11, 2026, acknowledging unauthorized access to internal IT systems. The FulcrumSec group claims responsibility: more than two months of persistence and exfiltration of over 700,000 files totaling approximately 1.3 terabytes. According to the threat actor, initial access came via a GitHub personal access token exposed in client-side JavaScript on a little-monitored subdomain, a hardcoded secret that acted as a master key to private repositories, to the further credentials stored inside them, and to authenticated lateral movement.
- Novo Nordisk confirms pseudonymous clinical trial participant data and non-pseudonymous healthcare professional data were exposed in the breach.
- FulcrumSec claims ~1.3 TB and >700,000 files exfiltrated over 60+ days, with initial access via a GitHub token in client-side JavaScript — claims not independently confirmed by the company.
- The threat actor asserts theft of 30 trained AI models, 494 GB of cell painting microscopy images, and source code for marketed and in-development drugs; Novo Nordisk has not verified these details.
- FulcrumSec began publishing data after a $25 million ransom went unpaid; claims to be pursuing private sales of pharmaceutical IP and AI models.
The Mechanism: A Token in the Frontend, Hundreds of Repositories Exposed
The central technical element is a GitHub personal access token with elevated privileges embedded in JavaScript served to browsers, where anyone who loads the page can read it. According to FulcrumSec, the token resided on a "dark" subdomain: an endpoint owned by Novo Nordisk but, in all likelihood, absent from its attack surface inventory and outside regular scanning. Shieldworkz's write-up gives the same account: the compromised token provided initial read access to hundreds of private repositories.
From there, the attack followed a secret sprawl pattern. The cloned repositories contained additional credentials, enabling authenticated lateral movement without exploits or privilege escalation. Ed Luz, Head of Research at Oasis Security Identity, summarizes the nature of the intrusion: "The attackers didn't break through the perimeter, they were authenticated".
The dwell time, over two months from March to June 2026 per FulcrumSec, indicates that the exposed token was never rotated and that nobody was monitoring clone activity by the identity that owned it, whether a developer account or a service account used by build machines. Shane Barney, CISO of Keeper Security, comments: "That invisibility is what turns a single exposed token into a months-long intrusion".
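As an added illustration of the mechanism described above (example code written for this page, not Novo Nordisk's code and not the attacker's tooling), the following Python script scans a JavaScript bundle for strings shaped like GitHub tokens. It relies on GitHub's documented token prefixes (ghp_, gho_, ghu_, ghs_, ghr_, github_pat_) and a Shannon-entropy check to separate real-looking tokens from placeholders. The sample bundle and the token inside it are constructed, and the length bound used for fine-grained tokens is an assumption chosen to be permissive.

```python
import math
import re
import sys
from collections import Counter

# Prefix -> token kind, per GitHub's documented token formats.
TOKEN_KINDS = {
    "ghp_": "classic personal access token",
    "gho_": "OAuth access token",
    "ghu_": "GitHub App user-to-server token",
    "ghs_": "GitHub App server-to-server token",
    "ghr_": "GitHub App refresh token",
    "github_pat_": "fine-grained personal access token",
}

# Classic-style tokens: 4-char prefix + 36 base62 chars. Fine-grained PATs are
# longer and contain an underscore; the {60,} bound is an assumption, not an
# exact spec, so that format drift does not silently blind the scanner.
TOKEN_RE = re.compile(
    r"(?<![A-Za-z0-9_])"
    r"(?:gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{60,})"
    r"(?![A-Za-z0-9_])"
)


def shannon_entropy(s):
    """Bits per character; a real random token scores well above 3, a
    placeholder such as ghp_xxxx... scores near 0."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(token):
    """Keep the prefix and four characters so a finding can be correlated
    with the token inventory without re-leaking the secret in a report."""
    return token[:8] + "*" * (len(token) - 8)


def find_github_tokens(text, min_entropy=3.0):
    """Return one finding per token-shaped string in `text`. `confident` is
    False for low-entropy matches; they are still reported, because a
    placeholder in shipped JS often sits right next to a real token."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in TOKEN_RE.finditer(line):
            tok = m.group(0)
            prefix = "github_pat_" if tok.startswith("github_pat_") else tok[:4]
            ent = shannon_entropy(tok[len(prefix):])
            findings.append({
                "line": lineno,
                "kind": TOKEN_KINDS[prefix],
                "redacted": redact(tok),
                "entropy": round(ent, 2),
                "confident": ent >= min_entropy,
            })
    return findings


# Constructed sample bundle: the token below is fake and has never been issued.
FAKE_TOKEN = "ghp_aB3dE5fG7hJ9kL1mN3pQ5rS7tU9vW1xY3zA5"
PLACEHOLDER = "ghp_" + "x" * 36
SAMPLE_JS = (
    "// constructed sample bundle, not Novo Nordisk code\n"
    'const API = "https://api.github.com";\n'
    'const GH_TOKEN = "' + FAKE_TOKEN + '";\n'
    'const PLACEHOLDER = "' + PLACEHOLDER + '";\n'
    'fetch(API + "/repos/acme/internal/contents/config.json", {\n'
    '  headers: { Authorization: "Bearer " + GH_TOKEN },\n'
    "});\n"
)

if __name__ == "__main__":
    # With no arguments, scan the constructed sample; otherwise scan the
    # downloaded JS files given on the command line.
    if len(sys.argv) == 1:
        sources = {"<sample>": SAMPLE_JS}
    else:
        sources = {p: open(p, encoding="utf-8", errors="replace").read()
                   for p in sys.argv[1:]}
    for name, text in sources.items():
        for f in find_github_tokens(text):
            flag = "TOKEN" if f["confident"] else "placeholder?"
            print(f"{name}:{f['line']}: {flag} {f['kind']} "
                  f"{f['redacted']} (entropy {f['entropy']})")
```

Run it against every script a crawler pulls from each subdomain, including staging and historical hosts; the point of the entropy score is triage, not proof, so every confident hit still needs to be checked against the token inventory and revoked if it is live.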
What Novo Nordisk Confirms and What Remains Threat Actor Claims
Novo Nordisk's official disclosure describes a narrower scope than FulcrumSec's claims. The company confirms exposure of pseudonymous clinical trial participant data (patient ID, gender, date of birth, biomarkers, health/immunogenicity data, lifestyle factors) and non-pseudonymous healthcare professional data: name, registration number, practice locations, email, phone number, and WhatsApp details. These fields are stated verbatim in the corporate communication.
Shieldworkz meticulously distinguishes between confirmed facts and unverified claims. The nature and volume of AI data — 30 trained models, 70 distinct datasets, 494 GB of cell painting microscopy images — originate exclusively from FulcrumSec. The same applies to the figure of ~11,500 affected trial participants. Novo Nordisk has not responded to requests for comment on FulcrumSec or on a second intrusion claimed by TheUSERS007 between June 5 and 7.
The dossier does not specify whether GMP (Good Manufacturing Practice) or OT (Operational Technology) systems were involved. Shieldworkz reports "no evidence" of compromise in these areas. Novo Nordisk explicitly denies impact on drug production or distribution.
Algorithmic Expropriation: When the Target Is the Model, Not the Patient
If the claims about 30 AI models are accurate, the breach takes on a dimension different from traditional health data theft. FulcrumSec asserts that AI-generated analysis of the exfiltrated data could "save 3-5 years of program development" for researchers or competitors. This statement, reported by DataBreaches.Net, positions the incident as a potential case of algorithmic expropriation: the value lies in artificially accelerated IP, not just raw clinical information.
The editorial reading must be cautious: the black market for drug discovery models is not quantitatively documented in the dossier. However, the convergence of three factors makes the claim plausible in context. First, AI models in pharma represent multi-year investments with long regulatory validation cycles. Second, accelerated competitor publishing in obesity and diabetes therapies (Novo Nordisk's core sector) increases the competitive value of any temporal acceleration. Third, FulcrumSec's method of operation — private sales rather than general public leak — is consistent with a specialized buyer target rather than a mass market.
The underlying technical core is the expansion of the attack surface: software development pipelines now host ML artifacts (models, training datasets, experiment logs, microscopy images) that traditional security practices — focused on patient data and corporate networks — do not systematically cover. Matt Kimpel, CISO of Magna5, provides the interpretive frame: "Developers sit close to the systems that matter most. They have standing access to source code, build and deployment pipelines, cloud environments, and the credentials those systems use to talk to each other". He adds: "For an attacker, getting into the code repository is closer to opening the building plans than opening a file cabinet".
Institutional Parallels: When Even CISA Exposes GitHub Tokens
The Novo Nordisk case is not isolated in its error type. Between May and June 2026, CISA handled a credential exposure in its own GitHub repositories: KrebsOnSecurity reported that a CISA administrator had leaked AWS GovCloud keys on GitHub, and Truffle Security reported that the leaked admin GitHub token remained live for two days after initial reporting. The episode, documented by KrebsOnSecurity, is a thematic parallel and has no connection to Novo Nordisk.
The structural difference lies in the outcome: CISA reacted to external reporting within days, while the Novo Nordisk token, on the attacker's own timeline, stayed valid long enough to support multi-month dwell time. The common pattern is the fragility of machine identities in CI/CD flows: tokens with broad scope, embedded in frontend code or configuration files, often with no central inventory and no programmatic rotation.
What to Do Now
For organizations with development pipelines and AI assets:
- Complete inventory of personal access tokens and service accounts with access to private repositories, mapping the permissions each token actually carries rather than the ones it nominally needs; replace broad classic tokens with fine-grained, expiring tokens scoped to specific repositories.
- Systematic scanning of frontend attack surfaces, including historical and staging subdomains, for hardcoded secrets in client-side JavaScript and exposed configuration files; anything shipped to a browser must be treated as public.
- Programmatic rotation of high-scope tokens on a schedule, regardless of compromise indicators, with a tested procedure for emergency revocation.
- Monitoring of clone and pull operations on private repositories, with alerting on anomalous volume (one identity cloning many repositories in a short window) and on source addresses never seen before for that identity.
Recommendations derive from the documented attack mechanism analysis; they do not replace vendor-specific advisories or applicable regulatory frameworks.
Frequently Asked Questions
Why did a GitHub token allow such extensive lateral movement?
The initial token opened access to private repositories containing further credentials — a secret sprawl pattern. In environments where developers have standing access to multiple systems, a single compromised identity functions as a pivot for legitimate authentication to other services.
Are clinical data at risk of re-identification?
Novo Nordisk describes patient data as pseudonymous, with IDs replaced by synthetic identifiers. However, the combination of gender, date of birth, biomarkers, and lifestyle factors can increase re-identification risk in structured datasets, especially if cross-referenced with external data.
What is the status of the ransom and data publication?
FulcrumSec began publishing data after the $25 million ransom went unpaid. The dossier does not document further developments on publication or any contacts with authorities.
The Novo Nordisk breach places the software supply chain at the center of pharmaceutical companies' risk boards: no longer an operational periphery, but strategic territory where trade secrets, AI acceleration, and health regulation compete. If the algorithm becomes the drug, its protection requires inventory that is still missing in most corporate architectures.
Sources
- https://www.darkreading.com/cyber-risk/novo-nordisk-breach-exposes-dev-pipeline-risk
- https://www.helpnetsecurity.com/2026/06/18/42crunch-api-security-testing-plugin-for-github-copilot/
- https://krebsonsecurity.com/2026/05/lawmakers-demand-answers-as-cisa-tries-to-contain-data-leak/
- https://krebsonsecurity.com/2026/05/cisa-admin-leaked-aws-govcloud-keys-on-github/
- https://shieldworkz.com/blogs/deep-dive-into-the-novo-nordisk-cyber-extortion-and-data-breach
- https://www.helpnetsecurity.com/2025/06/19/silviu-asandei-sonar-ai-code-assistants-security/
- https://trufflesecurity.com/blog/cisa-leaked-admin-github-token-remained-live-2-days
Information verified against cited sources and current as of publication.