FulcrumSec Claims Arup Breach Exposed GitHub Repos, Cloud Data, and Client Projects
FulcrumSec has claimed responsibility for breaching UK engineering firm Arup Group and stealing large volumes of data, later listing the company on its Tor leak site. According to the threat actor’s account, the intrusion began in September 2025 after attackers found a GitHub personal access token hardcoded in a JavaScript file on a forgotten Arup subdomain, which allegedly opened access to more than 10,000 private repositories and led to additional credentials in code. The group said it exfiltrated about 700GB of GitHub repositories, 2TB of Azure and AWS S3 data, database backups, source code, and other internal material before credentials were rotated.
The stolen data allegedly included sensitive information tied to major clients and infrastructure projects, including HS2-related repositories, Euston Station design files, archaeological GPS coordinates, Neuron BMS and Odoo ERP data, Apple code-signing certificates with plaintext passwords, and GCP payment gateway credentials. FulcrumSec said Arup detected parts of the intrusion roughly six weeks after initial access but that the attackers retained visibility into the environment for months, analyzing the haul before contacting the company in April 2026. The incident underscores the downstream risk posed by hardcoded secrets, forgotten internet-facing assets, delayed credential rotation, and weak monitoring of source-code and cloud environments.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
FulcrumSec contacts Arup after analyzing allegedly stolen data
The threat actor claimed it spent months analyzing exfiltrated material and then contacted Arup in April 2026 regarding the breach and stolen data.
FulcrumSec allegedly gains initial access to Arup via exposed GitHub token
According to FulcrumSec's claims, the intrusion began in September 2025 when the group found a GitHub personal access token hardcoded in a JavaScript file on a forgotten Arup subdomain, enabling access to private repositories and additional credentials.
Hudson Rock-linked infostealer exposure for Arup is publicly listed
On 2026-05-10, a public intelligence listing reported alleged infostealer-related compromise data associated with Arup Group and attributed the discovery to Hudson Rock. The entry claimed 75 compromised employees, 855 compromised users, and 92 third-party employee credentials.
FulcrumSec lists Arup on its Tor leak site
On 2026-05-10, FulcrumSec publicly named UK engineering firm Arup Group on its Tor leak site and claimed to have stolen large volumes of GitHub, cloud, database, source code, and client-related data.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
UK Cybercrime Journal: Arup Group Breached by FulcrumSec - Malware News - Malware Analysis, News and Indicators
malware.news
Open sourceRansomware.live - Victim: Arup Group
ransomware.live
Open sourceUK Cybercrime Journal: Arup Group Breached by FulcrumSec
blog.bushidotoken.net
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
LexisNexis Legal & Professional AWS Breach and FulcrumSec Data Leak
**LexisNexis Legal & Professional** confirmed that an unauthorized party accessed a limited number of its servers after a threat actor using the alias **FulcrumSec** leaked roughly **2 GB** of allegedly stolen files on underground forums. LexisNexis stated the exposed information was **mostly legacy/deprecated data from prior to 2020** (e.g., customer names, user IDs, business contact details, products used, customer survey data including respondent IP addresses, and support tickets) and said it found **no evidence of impact to products or services**; the company reported the matter to law enforcement and engaged an external forensics firm. FulcrumSec claimed the intrusion began by exploiting the **React2Shell** vulnerability in an **unpatched React frontend application** to gain access to LexisNexis’ **AWS** environment, and alleged broader access within cloud resources (including an ECS task role and data stores) and the presence of government-related accounts (e.g., `.gov` email addresses) in the stolen dataset. Public reporting notes a discrepancy between the actor’s claims (e.g., “millions of records,” passwords, and other internal artifacts) and LexisNexis’ characterization of the exposed data as limited and non-sensitive (no SSNs, financial data, active passwords, or customer search queries), but multiple outlets corroborated that the leaked files are tied to a real, now-contained incident affecting LexisNexis’ Legal & Professional division.
Mar 21, 2026
Checkmarx Confirms Dark Web Leak of Data Taken From Internal GitHub Repository
Checkmarx said data stolen during its March supply chain intrusion has been published on the dark web, with investigators tracing the exposure to a corporate GitHub repository accessed during the initial attack. The company said the affected repository was part of its developer environment, not its customer production environment, and that current evidence indicates customer data was not stored there and remains unaffected. The disclosure follows reports that **LAPSUS$** listed Checkmarx on its leak site and claimed to possess source code, an employee database, API keys, and `MongoDB` and `MySQL` credentials. Checkmarx said it has locked down access to the repository and is continuing forensic analysis to determine exactly what source code or internal documentation was exfiltrated, while warning that the incident is part of a broader supply chain attack chain that also involved tampered GitHub Actions workflows, Open VSX plugins, and other developer tooling tied to the earlier compromise.
May 12, 2026
Lapsus$ Claims AstraZeneca Breach Exposed Source Code and Internal Credentials
Lapsus$ claimed it breached **AstraZeneca** and published allegedly stolen data on its blog and a dark web leak forum, with reports saying the cache includes full source code, employee databases, GitHub Enterprise user data, internal API keys, AWS keys, service accounts, and `MongoDB` and `MySQL` credentials. Researchers who reviewed sample files said parts of the leak appeared credible, citing source code tree structures, GitHub user information, employee details tied to AstraZeneca-related clinical research companies, and GitHub Actions logs containing developer email addresses and hardcoded secrets, including RSA private keys and database credentials. The exposed material appears to be concentrated on AstraZeneca’s technical infrastructure and employee information rather than patient medical records, but the incident raises immediate risks if any leaked credentials remain active. Valid keys and account data could enable follow-on intrusions into AstraZeneca systems, targeted phishing and social engineering against staff, and deeper analysis of proprietary code and internal environments by attackers seeking intellectual property or additional access.
May 25, 2026