LAPSUS$ Group Claims It Accessed Internal Data from AstraZeneca

Plus, new report reveals U.S. critical infrastructure faces escalating cyber risks from China, Russia, Iran, and North Korea.

Good morning! Here’s what’s up.

People

Dave Dugan, formerly vice president of global clients and agencies at Meta, has been named vice president of global ad solutions for OpenAI, according to a Wall Street Journal exclusive.

Clips ✂️

AstraZeneca Data Breach - LAPSUS$ Group Allegedly Claims Access to Internal Data

The notorious hacking collective LAPSUS$ has resurfaced, allegedly claiming responsibility for a significant data breach involving the multinational pharmaceutical and biotechnology company AstraZeneca.

The threat actors are currently attempting to sell a compressed 3GB internal data dump, signaling a potential shift towards pay-to-access extortion methods.

LAPSUS$, previously known for high-profile breaches targeting major technology firms, appears to be active again with this alleged compromise of AstraZeneca’s internal systems. The group has posted teasers of the stolen data on illicit forums, detailing the contents of the .tar.gz archive and providing screenshots as proof.

The threat actors are attempting to entice potential buyers to contact them via the secure messaging application Session to negotiate a purchase. Currently, no full leak has been made publicly available for free, indicating that the group’s primary motive in this instance is financial gain through a direct sale rather than immediate public extortion.

by CyberSecurity News

ODNI report: US critical infrastructure faces escalating cyber risks from China, Russia, Iran, and North Korea

The Office of the Director of National Intelligence’s Annual Threat Assessment 2026 makes clear that cyberspace is now a primary arena of conflict, with state and non-state actors actively targeting U.S. interests. Foreign cyber operations pose a direct and persistent threat to government and private-sector networks, as adversaries blend espionage, disruption, and influence into coordinated campaigns.

Hacker groups linked to China, Russia, Iran, and North Korea, alongside ransomware groups, continue to threaten critical infrastructure at scale. These operations are deliberate and sustained, aimed at embedding access within key systems to enable disruption during periods of conflict or crisis.

The ODNI report assesses that these cyber adversaries can pre-position or execute disruptive and destructive attacks against U.S. critical infrastructure and other targets. They continue to pour resources into operations to compromise U.S. systems and core global IT resources.

by Industrial Cyber

The insider threat rises again

Insider threats are coming back in a consequential way.

According to the State of Human Risk Report from Mimecast, 42% of organizations have experienced an increase in malicious insider incidents over the past year, with 42% also reporting a rise in negligent incidents for the first time.

The report further found that organizations experienced an average of six insider-driven incidents per month at an estimated cost of $13.1 million per incident. Additionally, 66% of the 2,500 surveyed IT security and IT decision-makers expect insider-related data loss to increase over the next 12 months.

“Insider risk has become one of the most consequential and underestimated threats facing organizations today, not just because of the data loss it causes, but because attackers are increasingly exploiting insiders as a deliberate entry point to bypass perimeter defenses entirely,” Mimecast CISO Leslie Nielsen said in announcing his company’s research results.

by CSO Online

Trivy vulnerability scanner backdoored with credential stealer in supply chain attack

Attackers have compromised the widely used open-source Trivy vulnerability scanner, injecting credential-stealing malware into official releases and GitHub Actions used by thousands of CI/CD workflows. The breach could trigger a cascade of additional supply-chain compromises if impacted projects and organizations don’t rotate their secrets immediately.

The attack, disclosed by Trivy maintainers today, results from an earlier compromise announced late last month that also leveraged insecure GitHub Actions and impacted multiple projects. Security firms Socket and Wiz traced the root cause to an incomplete credential rotation after the first breach, allowing the attackers to return to Trivy’s environment and introduce malicious commits.

“If you suspect you were running a compromised version, treat all pipeline secrets as compromised and rotate immediately,” Trivy maintainer Itay Shakury wrote on GitHub.

by CSO Online

CRI pilot reveals water utilities show strong interest in improving cybersecurity but face persistent gaps in execution

The Cyber Readiness Institute (CRI), in partnership with the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies and with sponsorship from Microsoft, launched a pilot to test whether accessible, behavior-focused cybersecurity training could measurably improve cyber readiness among water and wastewater utilities. Aimed at helping address the sector’s cybersecurity gap, the CRI pilot sought to engage up to 200 small and medium-sized utilities over the course of two years.

Titled ‘Water Utilities Need Cyber Support: Lessons from the Cyber Readiness Institute’s Pilot Project,’ the report highlights a widening gap between awareness and execution, with strong interest in improving cybersecurity but limited ability to follow through. While more than 90% of participating utilities reported improved understanding of cybersecurity fundamentals and a willingness to act, only 43 of 113 interested utilities completed the program, largely due to staffing shortages, funding gaps, and lack of implementation support.

by Industrial Cyber

Foster City hit by ransomware attack, plans to declare state of emergency

The community of Foster City on the Peninsula announced that they have been hit by a cybersecurity breach and are planning to declare a state of emergency.

According to officials, IT staff learned about the breach early Thursday morning, which they blame on ransomware found on the city's networks.

All public services outside of emergency responses have been paused. Emergency services, including 911 and police dispatch, have not been affected.

Officials said the City Manager's office is in the process of declaring a state of emergency, which they said would allow the city to receive supplementary financial support from outside agencies.

"Foster City staff, with the assistance of outside cyber security experts, are working diligently to restore the integrity of the City's system and ensure there are no further security issues impacting services to our community," City Manager Stefan Chatwin said in a statement Thursday.

An investigation into the extent of the breach is ongoing. Officials did not immediately know if public information has been accessed.

As a precaution, anyone who has done business with the city is being urged to change passwords and take other measures to protect personal data.

by CBS San Francisco

SPONSORED BY

Incident Response Forum D.C. 2026 is set for Wednesday, April 22, 2026 at the historic Mayflower Hotel in Washington, D.C.!

Incident Response Forum is the only conference of its kind, bringing together hundreds of cybersecurity and incident response attorneys, in-house counsel and compliance executives, and other top professionals in the field. It is focused solely on the field of Incident Response – the work that begins after a data breach, which has quickly become the fastest-growing practice area at law firms and consulting firms – and is geared specifically for the legal and compliance professionals who have emerged as critical players during the aftermath of a data security incident.

Join us in person or tune in virtually to hear from nearly 50 luminaries in the incident response field—including senior officials from the DOJ and FBI, and lawyers and consultants from the best firms in the world.

👉 UNTIL FRIDAY, MARCH 27: Please use the codes below to get a 25% early-bird discount (regular in-person registration fee is $1,500; regular virtual registration fee is $750). Please register here:

In-person attendance: UPDATE909DC25
Virtual attendance: UPDATE909V25
