
Novo Nordisk Breach Exposes Software Development Pipeline Risk

Dark Reading, archived Jun 19, 2026

A leaked GitHub token underscores what most organizations get wrong: Treating secrets management as a tooling problem rather than an identity problem.



By Jai Vijayan, Contributing Writer
June 18, 2026

A recent — and likely massive — breach at Novo Nordisk, where attackers reportedly gained an initial foothold using a single GitHub access token, underscores how code repositories and developer environments have become ground zero for attackers seeking intellectual property, credentials, and software supply chain assets.

Novo Nordisk, the Danish pharmaceutical giant behind blockbuster drugs Ozempic and Wegovy, disclosed the breach June 11 after detecting unauthorized access to what it claimed were a "limited number of its internal IT systems."

A Bigger Than Disclosed Breach?

According to the company, the attackers accessed pseudonymized data belonging to an undisclosed number of patients participating in clinical trials including patient ID, gender, date of birth, biomarkers, health/immunogenicity data, and lifestyle factors such as tobacco and alcohol use.

The breach also affected data belonging to healthcare professionals associated with Novo Nordisk, including name, registration number, office locations, email, phone number and WhatsApp details. "Based on the nature of the exposed data, the potential consequences of the incident include targeted phishing attempt through emails, phone, and WhatsApp or fraudulent communications impersonating colleagues," Novo Nordisk warned.

But details provided by FulcrumSec, the threat group claiming responsibility for the attack, suggest the breach was far broader and potentially more damaging than Novo Nordisk has disclosed publicly.
Information that the threat group shared with DataBreaches.Net suggests the attackers spent more than two months inside the pharmaceutical company's network and exfiltrated more than 700,000 files amounting to some 1.3TB of data before demanding a $25 million ransom.

The stolen information included source code, proprietary information on marketed and unreleased drugs, clinical trial and research data, internal AI models, records related to Novo Nordisk's manufacturing operations and production technology, healthcare professional records, and information on approximately 11,500 pseudonymized clinical trial participants.

FulcrumSec has since begun publicly leaking some of the data it claims to have obtained after Novo Nordisk's apparent refusal to pay the demanded ransom. "FulcrumSec believes the exfiltrated data and the AI-generated analysis could save other researchers or competitors 3-5 years of program development," DataBreaches.Net noted.

Single GitHub Token Was All It Took

FulcrumSec claimed it had gained initial access to Novo Nordisk in March via an exposed, high-privileged "GitHub personal access token in client-side JS on an obscure subdomain." They apparently then used the access token to clone private repositories and harvest additional credentials, which they used to pivot deeper into Novo Nordisk's network and systems.

Novo Nordisk has so far not publicly confirmed the scope of the breach. The company did not respond to a Dark Reading request for comment on the breach for which FulcrumSec has claimed credit, nor for a second separate intrusion by a threat group calling itself TheUSERS007. In correspondence with DataBreaches.Net, TheUSERS007 provided information that suggested the group had breached Novo Nordisk between June 5 and 7 and stolen data related to the drug manufacturer's AI-related efforts.
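
The reported entry point was a GitHub personal access token shipped in client-side JavaScript. As an added example (not part of the article, and not code from any party it names), the Python script below scans the text of a JS bundle for GitHub token formats before it is published; the token lengths, the entropy threshold and the sample bundle are assumptions constructed for illustration.

```python
import math
import re
import string
from collections import Counter

# GitHub token prefixes; the lengths are the commonly observed ones
# (an assumption here, GitHub may change them).
TOKEN_PATTERNS = {
    "classic PAT": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "fine-grained PAT": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{82}\b"),
    "OAuth/app token": re.compile(r"\bgh[ousr]_[A-Za-z0-9]{36}\b"),
}

def shannon_entropy(s):
    """Bits per character; placeholders such as ghp_xxxx... score near zero."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def find_github_tokens(js_text, min_entropy=3.0):
    """Return one finding per token-shaped string, never echoing the full value."""
    findings = []
    for lineno, line in enumerate(js_text.splitlines(), start=1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                token = match.group(0)
                findings.append({
                    "line": lineno,
                    "kind": kind,
                    "redacted": token[:8] + "...",
                    # Low-entropy matches are usually documentation placeholders.
                    "likely_real": shannon_entropy(token) >= min_entropy,
                })
    return findings

# Constructed sample: the token is assembled from the alphabet, not a real secret.
_FAKE = "ghp_" + (string.ascii_lowercase + string.ascii_uppercase)[:36]
SAMPLE_BUNDLE = "\n".join([
    'const api = "https://api.github.com";',
    f'fetch(api, {{headers: {{Authorization: "token {_FAKE}"}}}});',
    'const docsExample = "ghp_' + "x" * 36 + '";',
])

if __name__ == "__main__":
    for finding in find_github_tokens(SAMPLE_BUNDLE):
        print(finding)
```

Run as a pre-deploy check over built assets, a `likely_real` hit should block the release and trigger revocation of the token rather than only its removal from the bundle.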

Matt Kimpel, chief information security officer (CISO) at managed service provider Magna5, says accounts of the incident suggest another example of how developers and development environments have become high-value targets for attackers. "Developers sit close to the systems that matter most. They have standing access to source code, build and deployment pipelines, cloud environments, and the credentials those systems use to talk to each other," he says.

High-Value, Soft Targets

Development platforms have quietly become some of the highest-value systems in the enterprise, and most security programs have not caught up, Kimpel points out. A source code repository, for instance, is no longer just where source code lives. It also holds infrastructure definitions, deployment pipelines, integrations with downstream systems, and the documentation that explains how the environment is wired together. "For an attacker, getting into the code repository is closer to opening the building plans than opening a file cabinet," Kimpel notes.

AI-assisted development is accelerating the risk by increasing the volume and speed of code creation while introducing new opportunities for sensitive data and secrets to leak through unsanctioned tools and workflows, Kimpel says. API tokens, service accounts, and other machine credentials have emerged as particularly valuable targets because they are abundant, highly privileged, difficult for organizations to inventory and monitor, and often persist for long periods without rotation.

"These platforms deserve to be treated as production systems, not developer tools," he argues. "They sit upstream of everything." Standard protections (branch approvals, code review, pipeline gating) all assume the right identity is doing the work, which means once an attacker is operating as a trusted developer, the same controls work for them, he notes.
"What most organizations are doing wrong is treating secrets management as a tooling problem rather than an identity problem."

Code repositories have become one of the most consequential blind spots in enterprise security, agrees Shane Barney, CISO at Keeper Security. It's not uncommon for hardcoded credentials, committed tokens, and improperly scoped access keys to accumulate quietly across repositories, CI/CD pipelines, and configuration files. Unlike human accounts, these machine credentials rarely have clear owners, consistent rotation schedules, or any meaningful monitoring. Once provisioned they are largely forgotten, he says.

"That invisibility is what turns a single exposed token into a months-long intrusion," Barney points out. "When a machine credential carries broad permissions and no one is watching it, an attacker who finds it does not need to escalate privileges or move carefully. The access is already there. The blast radius of that credential is the breach."

The right approach to mitigating this risk is to centralize secrets management, enforce least-privilege consistently across every identity in the environment and enable automated rotation so credentials do not quietly outlive their purpose. "That discipline does not eliminate risk, but it closes the gap between what attackers find and what they can actually do with it."

Mitigating the Risk

The incident is another reminder that development environments, including developer endpoints and IDEs, repositories, and CI/CD pipelines, are frequently configured with production access, says Ed Luz, head of research at Oasis Security Identity. Use and access from those entities should be mapped and monitored, and sensitive keys should be kept in designated, managed locations and rotated frequently.

"Two details matter most here," Luz says, referring to the Novo Nordisk breach. "First, the entry point: a single GitHub access token.
Second, the lateral movement: additional credentials found sitting in the repositories themselves. The attackers didn't break through the perimeter, they were authenticated."

Kimpel recommends that organizations start by maintaining an inventory of their non-human identities and getting a firm handle on what exists in the environment. "From there, the priorities are straightforward: eliminate long-lived secrets wherever the workload supports it, scope aggressively, rotate on a real cadence and on signal rather than on calendar," he says. "Monitor machine identities the same way you monitor human ones, baseline normal behavior and alert on the deviation."

About the Author

Jai Vijayan, Contributing Writer

Illinois-based Jai Vijayan is a veteran, award-winning technology journalist with more than 25 years of experience covering cybersecurity. His information security reporting has explored everything from ransomware, nation-state threats, and identity security to AI risk, critical infrastructure protection, software supply chain security, cloud security and emerging enterprise technologies.

Over the course of his career, Jai has written news stories, feature articles, survey reports, white papers, and e-books for enterprise and technology audiences. He has also moderated panel discussions and executive roundtables featuring CISOs, security researchers, and industry leaders.

Jai previously served as senior editor at Computerworld, where he covered information security and data-privacy issues. His work has also appeared in CSO Online, InformationWeek, The Christian Science Monitor Passcode, The Economic Times, and other publications. His work has earned multiple industry honors, including a Joint ASBPE Excellence Award for Best Coverage of Government IT, and a Joint Jesse H. Neal Award for wireless LAN security coverage.
Jai holds a Master’s degree in statistics from Bangalore University, and studied broadcasting and electronic communication at Marquette University in Milwaukee.
Article Info
Source: Dark Reading
Category: Industry News & Leadership
Published: Jun 19, 2026
Archived: Jun 19, 2026