
Pharmaceutical companies carry a data-risk profile that most enterprise security frameworks were not built to handle: drug candidate libraries and clinical trial records cannot be re-encrypted or rotated after theft the way credentials can. This pharmaceutical data breach illustrates that gap. FulcrumSec, a cyber extortion group that emerged in October 2025 specializing in high-speed cloud database exfiltration, claimed in June 2026 to have spent more than two months inside Novo Nordisk’s networks. The Danish pharmaceutical company is best known for its GLP-1 weight-loss drug franchise. The group extracted roughly 1.3 TB of drug research, clinical trial information, and internal AI models. When the company refused a $25 million extortion demand, FulcrumSec began exploring private sale of the stolen assets.
1.3TB Taken from Novo Nordisk: Drug Candidates, Trial Records, and AI Models
Novo Nordisk disclosed the intrusion on June 11, 2026, confirming that core business operations remained unaffected and that authorities had been notified. The scope FulcrumSec described in its dark web posting was specific: 4,750 source code repositories, more than 41,000 proprietary drug substances, 30 trained AI models, and 73 research datasets. The group also claimed manufacturing recipes for at least one major drug. Records on roughly 163,000 employees were included, along with data on 11,500 pseudonymized clinical trial patients: sex, year of birth, biomarkers, immunogenicity readings, BMI, smoking status, and alcohol usage. Patient names were not exposed; identifiers were alphanumeric codes.
A second actor, operating under the handle TheUSERS007, separately claimed a breach of Novo Nordisk systems on June 5-7, 2026, using malware it called “venomware” and demanding $50 million. FulcrumSec acknowledged the second claim as potentially credible. Whether the two actors shared an access window or exploited separate entry points remains unclear.
Why a GitHub Token in Client-Side JavaScript Was Enough
FulcrumSec traced its initial foothold to credentials left in client-side JavaScript on two Novo Nordisk subdomains: Azure container registry credentials and GitHub personal access tokens embedded in front-end code bundles. From those tokens, the group cloned internal repositories and extracted additional login credentials, then moved laterally across hundreds of systems. The security team detected the intrusion in GitHub accounts after approximately two weeks and in the Azure environment after approximately three weeks. By that point, the exfiltration was complete.
The initial vector was not sophisticated. Secrets leaked into client-side JavaScript is a documented developer-workflow failure that static application security testing (SAST) tools and secrets-scanning pipelines are built to catch. FulcrumSec did not need a zero-day. It needed a single misconfigured bundle that had not been scanned. That one oversight opened access to four months of lateral movement across an R&D environment holding some of the most commercially sensitive data in the pharmaceutical sector.
Three Controls That Would Have Contained the FulcrumSec Intrusion
The attack chain collapses at three distinct points before exfiltration began. Closing any one of them changes the outcome.
Scan front-end build artifacts for embedded secrets before deployment – FulcrumSec’s entire foothold rested on credentials in a JavaScript bundle that reached production. Tools such as Gitleaks, Trufflehog, and the GitHub secret-scanning API detect token patterns at commit time and in CI/CD pipelines. Organizations handling clinical trial data under Good Clinical Practice (GCP) frameworks should treat a secrets-scanning gate in the deployment pipeline as a required validation step: a secret that exits the build should fail the build.
Apply least-privilege scoping to GitHub personal access tokens and container registry credentials – FulcrumSec used the stolen tokens to clone 4,750 repositories and traverse Azure container infrastructure. Both capabilities indicate tokens with broad read scope across the entire organization. Scoping GitHub personal access tokens (PATs) to specific repositories, rotating them on a 90-day cycle, and replacing them with GitHub Apps where possible limits the blast radius of any single leaked credential. A token scoped to one subdomain cannot clone the entire enterprise repository tree.
Apply behavioral detection to R&D repositories as a tier-1 privileged environment – The two-week detection lag in GitHub and three-week lag in Azure show that FulcrumSec’s clone volume and container pull activity fell below the alert threshold. Drug candidate libraries and clinical trial data deserve the same behavioral baselining — anomaly detection on clone volume, geographic access patterns, and off-hours container pulls — that financial services firms apply to trading infrastructure. Any pharmaceutical data breach exfiltrating 1.3 TB over eight weeks should fire an alert long before it reaches that volume.
Disclosure: this story was developed from research provided by FischTank PR.
Join our LinkedIn group Information Security Community!















