The LAPSUS$ hacking group has resurfaced, claiming responsibility for a breach involving pharmaceutical giant AstraZeneca, with attackers attempting to sell a 3GB archive of internal data rather than immediately leaking it. Early samples suggest the dataset may include source code (Java, Angular, Python), cloud infrastructure configurations (AWS, Azure, Terraform), and sensitive credentials such as cryptographic keys and CI/CD tokens. If validated, the breach could expose critical elements of AstraZeneca’s software supply chain, internal applications, and automation pipelines, posing risks not only to data confidentiality but also to operational integrity.
Unlike traditional ransomware campaigns, this incident reflects a growing shift toward data monetization and “pay-to-access” extortion models, where attackers sell stolen data directly to buyers. The exposure of infrastructure-as-code (IaC), secrets, and pipeline credentials is particularly dangerous, as it could enable attackers or competitors to replicate environments, exploit cloud misconfigurations, or compromise downstream systems. In sectors like pharmaceuticals, where intellectual property and supply chain systems are highly valuable, such breaches can have far-reaching impacts on R&D, manufacturing, and global distribution operations.
Preventing and mitigating these attacks requires deep, unified visibility across development, cloud, and network environments. Organizations must continuously monitor code repository access logs, CI/CD pipeline activity, cloud API calls, credential usage, and network traffic patterns to detect unauthorized access to sensitive assets. By combining cloud security posture management (CSPM), SIEM/XDR analytics, and network-level forensics (flows, sessions, and packet inspection) into a single, unified platform like NIKSUN, security teams can identify credential abuse, detect anomalous data access, and stop exfiltration in real time. This approach enables organizations to protect not just data, but the entire software supply chain and cloud infrastructure lifecycle from compromise.