Lapsus$ Claims AstraZeneca Breach Exposed Source Code and Internal Credentials
Lapsus$ claimed it breached AstraZeneca and published allegedly stolen data on its blog and a dark web leak forum, with reports saying the cache includes full source code, employee databases, GitHub Enterprise user data, internal API keys, AWS keys, service accounts, and MongoDB and MySQL credentials. Researchers who reviewed sample files said parts of the leak appeared credible, citing source code tree structures, GitHub user information, employee details tied to AstraZeneca-related clinical research companies, and GitHub Actions logs containing developer email addresses and hardcoded secrets, including RSA private keys and database credentials.
The exposed material appears to be concentrated on AstraZeneca’s technical infrastructure and employee information rather than patient medical records, but the incident raises immediate risks if any leaked credentials remain active. Valid keys and account data could enable follow-on intrusions into AstraZeneca systems, targeted phishing and social engineering against staff, and deeper analysis of proprietary code and internal environments by attackers seeking intellectual property or additional access.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Researchers assess leaked AstraZeneca samples as partly credible
On March 23, 2026, Cybernews researchers said samples shared by the attackers appeared at least partly credible. They identified apparent GitHub user information, employee details tied to AstraZeneca-related clinical research companies, source code tree structures, and GitHub Actions logs containing developer emails and hardcoded secrets such as RSA private keys and database credentials.
Lapsus$ claims breach of AstraZeneca and posts stolen data samples
On March 23, 2026, reports said the Lapsus$ hacking group claimed to have breached AstraZeneca and published allegedly stolen data on its blog and a dark web leak forum. The group said the haul included source code, employee databases, GitHub Enterprise user data, API keys, AWS keys, service accounts, and database credentials.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
LAPSUS$ Claims AstraZeneca Breach and Offers Alleged Internal Data for Sale
A threat actor using the **LAPSUS$** name has claimed an alleged breach of **AstraZeneca** and is offering a purported **3GB** compressed dump of internal data for sale rather than releasing it publicly. Posted samples and screenshots were used to support the claim, with reports describing a pay-to-access extortion model and password-protected links containing redacted material as proof of access. The allegedly stolen data includes source code, cloud infrastructure configurations, employee and contractor-related records, and access material such as cryptographic keys, Vault credentials, and GitHub and Jenkins tokens. Analysis of the shared samples suggested that some data, including GitHub Enterprise-style user information and third-party contractor access records, appeared plausibly authentic and internally sourced, while at least one financial dataset looked generic and possibly unrelated. Public references to an internal repository tied to AstraZeneca’s supply-chain portal indicate possible exposure of systems supporting forecasting, inventory tracking, SAP integration, and OTIF delivery metrics. The most serious risk would come from any genuine secrets, private keys, or cloud configuration data, but the breach claim and full scope of the exposed material remained unverified, and AstraZeneca had not publicly confirmed the incident at the time of reporting.
Mar 25, 2026
Checkmarx Confirms Dark Web Leak of Data Taken From Internal GitHub Repository
Checkmarx said data stolen during its March supply chain intrusion has been published on the dark web, with investigators tracing the exposure to a corporate GitHub repository accessed during the initial attack. The company said the affected repository was part of its developer environment, not its customer production environment, and that current evidence indicates customer data was not stored there and remains unaffected. The disclosure follows reports that **LAPSUS$** listed Checkmarx on its leak site and claimed to possess source code, an employee database, API keys, and `MongoDB` and `MySQL` credentials. Checkmarx said it has locked down access to the repository and is continuing forensic analysis to determine exactly what source code or internal documentation was exfiltrated, while warning that the incident is part of a broader supply chain attack chain that also involved tampered GitHub Actions workflows, Open VSX plugins, and other developer tooling tied to the earlier compromise.
May 12, 2026
LexisNexis Legal & Professional AWS Breach and FulcrumSec Data Leak
**LexisNexis Legal & Professional** confirmed that an unauthorized party accessed a limited number of its servers after a threat actor using the alias **FulcrumSec** leaked roughly **2 GB** of allegedly stolen files on underground forums. LexisNexis stated the exposed information was **mostly legacy/deprecated data from prior to 2020** (e.g., customer names, user IDs, business contact details, products used, customer survey data including respondent IP addresses, and support tickets) and said it found **no evidence of impact to products or services**; the company reported the matter to law enforcement and engaged an external forensics firm. FulcrumSec claimed the intrusion began by exploiting the **React2Shell** vulnerability in an **unpatched React frontend application** to gain access to LexisNexis’ **AWS** environment, and alleged broader access within cloud resources (including an ECS task role and data stores) and the presence of government-related accounts (e.g., `.gov` email addresses) in the stolen dataset. Public reporting notes a discrepancy between the actor’s claims (e.g., “millions of records,” passwords, and other internal artifacts) and LexisNexis’ characterization of the exposed data as limited and non-sensitive (no SSNs, financial data, active passwords, or customer search queries), but multiple outlets corroborated that the leaked files are tied to a real, now-contained incident affecting LexisNexis’ Legal & Professional division.
Mar 21, 2026