Foxconn's Apple Secrets Stolen, Lazarus Deploys a Fileless RAT, and 700 Sites Hijacked via Ghost CMS


A ransomware raid on the world's largest contract manufacturer, a North Korean crypto-theft machine, and a ClickFix wave that reached Harvard — here's what you need to know.

This week's most striking stories share a deliberate quality: attackers choosing targets specifically for the high-value data or privileged trust position they hold. The Nitrogen ransomware gang walked out of Foxconn's North American facilities with 8 TB of data — confirmed this week to include Apple server schematics, Matterhorn project documentation, and confidential engineering files from eight other tech giants — a manufacturing breach with supply chain intelligence implications far beyond any ransom demand. In the developer ecosystem, more than 700 versions of widely used Laravel PHP localization packages were silently backdoored overnight in a supply chain attack that weaponized Composer's autoload mechanism as a credential exfiltration engine. And North Korea's Lazarus Group debuted RemotePE, a fileless, memory-only remote-access trojan engineered to leave almost no forensic trace, against the cryptocurrency and financial firms it has systematically looted to the tune of $577 million in the first four months of 2026 alone.

The common thread this week is target selection with intention. A critical Drupal SQL injection flaw drew more than 15,000 exploitation attempts within 48 hours of the patch — attackers moving faster than most organizations can respond. And a Ghost CMS vulnerability quietly handed attackers admin access to over 700 websites, including portals at Harvard, Oxford, and DuckDuckGo, which they turned into ClickFix malware distribution points for visitors who had no reason to suspect anything was wrong. Here's what you need to know.


Explore this content with AI:

ChatGPT | Perplexity | Claude | Google AI Mode


Nitrogen ransomware steals 8 TB from Foxconn — Apple server schematics among the confirmed stolen files

The Nitrogen ransomware gang claimed a major breach of Foxconn's North American operations on May 12, 2026, listing the electronics giant — the world's largest contract manufacturer and primary hardware producer for Apple, Nvidia, Google, Intel, and Samsung — on its dark web leak site. Nitrogen asserted that it had extracted approximately 8 TB of data, comprising more than 11 million files, from Foxconn's facilities, including internal project documentation, technical drawings, and confidential manufacturing instructions, spanning multiple major technology partners. Foxconn confirmed the cyberattack, saying its cybersecurity team had activated incident response procedures and that affected North American factories were resuming normal production.

The full scope of what was taken came into sharper focus on May 20, when AppleInsider confirmed that the stolen files include engineering schematics for Apple's internal server hardware under the Matterhorn project — Apple's custom server configurations using Intel's Whitley and Eagle Stream platforms. The schematics, created in Siemens NX format and consistent with Apple's internal engineering documentation, detail chassis design, board layout, bracket dimensions, and full component specifications: two 32-core Intel Ice Lake CPUs, 24 sticks of 128 GB DDR4 RAM, Nvidia T4 GPUs, and multiple 8 TB NVMe drives per chassis. Beyond Apple, the stolen materials also include confidential project documentation tied to AMD, Broadcom, Google, Intel, HP, Micron, Nvidia, Samsung, and Seagate. Nitrogen, which has operated since 2023 using code believed to be derived from the leaked Conti 2 builder, is a double-extortion operation that encrypts victims' data and threatens to publicly release it if a ransom is not paid.

Why it matters: Foxconn's position at the center of global technology manufacturing makes any breach of this scope a supply chain intelligence event for the entire industry, not just the ransomware incident it appears to be on the surface. Server schematics for Apple's custom hardware, including component-level specifications and chassis architecture, represent exactly the kind of material that commands premium prices from nation-state buyers. More broadly, contract manufacturing environments routinely hold the most sensitive engineering documentation in a technology company's supply chain while operating with cybersecurity budgets and practices that rarely match the sensitivity of what they're protecting. Any organization that relies on contract manufacturing for proprietary hardware designs should treat this as a prompt to audit which documentation resides in shared manufacturing systems and which access controls govern it.

Read more at TechCrunch

Laravel-Lang PHP packages backdoored in overnight supply chain attack — 700+ versions compromised

Early on May 22, 2026, an attacker with push access to the Laravel-Lang GitHub organization rewrote every git tag across multiple popular Composer packages within a 15-minute window. The four affected packages — laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions — are community-maintained PHP localization libraries with broad adoption across Laravel applications. Rather than publishing a visibly new malicious release, the attacker repointed every existing historical tag to a malicious commit, a technique designed specifically to evade version-monitoring tools that only watch for new package publications. StepSecurity's technical analysis confirmed that the attacker injected a helpers.php file wired into Composer's autoload.files mechanism, ensuring it executed automatically on every PHP request the moment the package was installed or updated. Snyk's advisory confirmed that the final payload — a Windows binary called DebugElevator pulled from flipboxstudio.info — was a cross-platform credential stealer targeting AWS keys, GitHub tokens, Slack tokens, Stripe secrets, SSH private keys, .env configuration files, JWTs, Kubernetes secrets, HashiCorp Vault tokens, and cryptocurrency recovery phrases. Packagist, the PHP package registry, removed the malicious versions and temporarily unlisted the affected packages on May 23, 2026. Estimates on the scope vary: Aikido counted 233 compromised versions across three repositories, while Socket's analysis identified up to 700 affected historical tags.

Why it matters: The tag-rewriting technique is a meaningful evolution in supply chain attack methodology. Most supply chain monitoring focuses on new package versions; rewriting existing tags means a Laravel project that pinned a "known-good" version could have become vulnerable through a routine composer install or composer update run. Any PHP development environment that installed or updated the laravel-lang packages on May 22 or 23 should be treated as compromised. Rotate all secrets visible in project .env files, audit CI/CD pipeline credentials immediately, and review access logs for outbound connections to flipboxstudio.info.
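One way to catch the two mechanisms described above in your own tree, as an added example that is not code from the article, StepSecurity, Snyk or Packagist: compare a trusted composer.lock snapshot with the freshly resolved one, flagging packages whose version string is unchanged but whose resolved commit differs (a repointed tag) and packages that newly register autoload.files entries (the hook that ran helpers.php on every request). The lock contents, versions and commit ids are constructed placeholders.

```python
"""Audit two composer.lock snapshots for repointed tags and new autoload.files hooks.
Added example, not code from the article, StepSecurity, Snyk or Packagist. A re-pointed
git tag keeps the version string identical while the resolved commit ("reference")
changes, and the injected helpers.php ran only because it sat under autoload.files.
Sample lock data below is constructed with placeholder versions and commit ids."""
import json

def index_lock(lock_json):
    """Map package name -> (version, resolved commit, autoload.files list)."""
    out = {}
    for section in ("packages", "packages-dev"):
        for pkg in json.loads(lock_json).get(section, []):
            ref = ((pkg.get("source") or {}).get("reference")
                   or (pkg.get("dist") or {}).get("reference"))
            files = list((pkg.get("autoload") or {}).get("files", []))
            out[pkg["name"]] = (pkg.get("version"), ref, files)
    return out

def find_repointed(baseline_json, current_json):
    """Names whose version string is unchanged but whose resolved commit differs."""
    base, cur = index_lock(baseline_json), index_lock(current_json)
    return sorted(n for n, (ver, ref, _) in cur.items()
                  if n in base and base[n][0] == ver and base[n][1] != ref)

def find_new_autoload_files(baseline_json, current_json):
    """autoload.files entries registered now that the baseline did not have."""
    base, cur = index_lock(baseline_json), index_lock(current_json)
    added = {}
    for n, (_, _, files) in cur.items():
        before = set(base[n][2]) if n in base else set()
        new = [f for f in files if f not in before]
        if new:
            added[n] = new
    return added

def _pkg(name, version, ref, files=()):
    return {"name": name, "version": version,
            "source": {"type": "git", "reference": ref},
            "autoload": {"files": list(files)}}

# Constructed snapshots: versions and 40-hex commit ids are placeholders, not real ones.
BASELINE_LOCK = json.dumps({"packages": [
    _pkg("laravel-lang/lang", "1.2.3", "a" * 40),
    _pkg("vendor/untouched", "4.5.6", "b" * 40)]})
CURRENT_LOCK = json.dumps({"packages": [
    _pkg("laravel-lang/lang", "1.2.3", "c" * 40, ["helpers.php"]),
    _pkg("vendor/untouched", "4.5.6", "b" * 40)]})
if __name__ == "__main__":
    print(find_repointed(BASELINE_LOCK, CURRENT_LOCK), find_new_autoload_files(BASELINE_LOCK, CURRENT_LOCK))
```

Run it against a lock file committed before May 22 and the one produced by a fresh `composer update` to see whether any pinned version silently resolved to a different commit.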

Read more at BleepingComputer

Lazarus Group deploys RemotePE, a memory-only RAT that leaves almost no trace

Fox-IT published its detailed analysis of RemotePE on May 22, 2026, shedding light on a fileless remote-access trojan that North Korea's Lazarus Group has been deploying against financial institutions and cryptocurrency organizations. The attack chain involves two loaders: DPAPILoader decrypts and loads RemotePELoader from disk using the Windows Data Protection API, and RemotePELoader then beacons to a command-and-control server to receive the final payload — RemotePE itself — which is executed entirely in memory and never written to disk. That memory-only execution model means traditional endpoint detection tools that rely on filesystem scanning produce no alert, leaving little forensic evidence for incident responders to recover. Initial access in observed intrusions began with social engineering on Telegram, where attackers impersonated employees of legitimate trading companies and invited victims to meetings via spoofed Calendly and Picktime pages. The toolset also includes environmental keying, which causes the malware to self-terminate if it detects that it is running in a sandbox or analysis environment.

The RemotePE disclosure lands against a sobering financial backdrop. According to TRM Labs, Lazarus Group stole $577 million in cryptocurrency in the first four months of 2026 alone — 76 percent of all crypto theft globally during that period — despite being responsible for just two major hacking incidents. Lazarus' February 2026 theft of $1.5 billion from the Bybit exchange through a supply chain compromise of the Safe{Wallet} developer environment remains the largest single crypto heist in history.

Why it matters: RemotePE represents a deliberate engineering choice to minimize the forensic footprint of long-term observation campaigns, which means organizations may not discover an intrusion until after significant data has been exfiltrated. Cryptocurrency platforms, digital asset custodians, and financial services firms are the primary target profile. Security teams should prioritize behavioral detection rules over signature-based approaches, and review social engineering threat awareness training — particularly around unsolicited Telegram outreach from industry contacts requesting meetings on unfamiliar scheduling platforms.

Read more at Fox-IT International Blog

Drupal CVE-2026-9082 exploited within 48 hours, CISA sets May 27 deadline

On May 20, 2026, the Drupal security team released a patch for CVE-2026-9082, an SQL injection vulnerability in Drupal's core database abstraction API, which Drupal's own advisory rates 20 to 23 out of 25 on its internal "Highly Critical" scale — later updated to 23 once active exploitation was confirmed. (NVD assigns a CVSS 3.1 base score of 6.5 Medium, reflecting the base metric calculation without factoring in the flaw's anonymous reachability and privilege-escalation potential; Drupal's higher internal rating is the operationally relevant one here.) The flaw affects PostgreSQL-backed Drupal installations and can be exploited by unauthenticated attackers via specially crafted requests that bypass query protections and execute arbitrary SQL against the database backend. Drupal explicitly noted in its advisory that exploitation attempts had already been detected in the wild. Miggo Research published a post-patch analysis showing that a working exploit was developed and validated against an unpatched instance in under 60 minutes using AI assistance and less than $10 in compute costs — illustrating how quickly functional exploitation can follow public disclosure. Imperva researchers observed more than 15,000 exploitation attempts targeting nearly 6,000 sites across 65 countries within the first two days after the advisory was published. Nearly half of those attacks targeted gaming and financial services websites, sectors where credential theft and access to financial data offer direct, immediate monetization opportunities. CISA added CVE-2026-9082 to its Known Exploited Vulnerabilities catalog and urged organizations to patch before May 27, 2026.

Why it matters: The 48-hour window between patch release and widespread exploitation is shrinking industry-wide, and CVE-2026-9082 is another data point in that trend. Organizations running Drupal on PostgreSQL should treat this as an emergency patch — not a routine maintenance window item. The CISA KEV listing means federal agencies have a hard deadline of May 27, but all public-facing Drupal sites should be prioritized regardless. If you have not yet patched, audit your database access logs for unusual or malformed query patterns as a first step.

Read more at SecurityWeek

Ghost CMS SQL injection exploited to hijack 700+ sites for ClickFix malware campaign

A large-scale exploitation campaign targeting CVE-2026-26980 (CVSS 9.4), an SQL injection vulnerability in Ghost CMS, has compromised more than 700 websites, turning them into malware distribution points for ClickFix attacks. Ghost CMS versions 3.24.0 through 6.19.0 are affected; the vulnerability allows unauthenticated attackers to read arbitrary data from the site database, including admin API keys. Attackers in this campaign exploited the flaw to steal those API keys and then used the elevated access to inject malicious JavaScript directly into published articles. The injected script functions as a lightweight loader that fingerprints visitors and serves qualifying targets a fake Cloudflare verification prompt — the signature ClickFix lure — that instructs victims to paste a command into their Windows Command Prompt. XLab threat intelligence researchers at Qianxin, who first detected the campaign on May 7, confirmed that payloads observed in the wild include DLL loaders, JavaScript droppers, and an Electron-based malware installer called UtilifySetup.exe. The list of compromised domains reads as a cross-section of high-trust websites: portals for Harvard University, Oxford University, and Auburn University were among those injected, as was DuckDuckGo, along with sites representing blockchain projects, AI/SaaS companies, fintech firms, and security research organizations.

Why it matters: ClickFix attacks are effective precisely because they exploit users' trained behavior around "prove you're human" prompts. When those prompts appear on the website of a university or a well-known search engine rather than an unfamiliar domain, victims are significantly more likely to comply. Ghost CMS administrators should update to a patched version immediately, rotate all admin credentials, audit published articles for injected script tags, and review server access logs for unauthorized admin API usage. End users who visited any potentially compromised site and followed a "verification" prompt should treat their Windows environment as possibly compromised and run a full endpoint scan.
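A starting point for the "audit published articles for injected script tags" step, as an added example that is not code from the article, Ghost or XLab: it walks post HTML from a Ghost JSON export (assumed to follow the db[0].data.posts[].html layout) and reports inline scripts and external scripts whose host is not on an allowlist you define. The export and the hostnames below are constructed.

```python
"""Flag unexpected <script> tags in Ghost post HTML.
Added example, not from the article, Ghost or XLab. Assumes posts come from a Ghost
JSON export (db[0].data.posts[].html) or any list of {"title", "html"} dicts; the
allowlist of legitimate script hosts is site-specific. Sample posts are constructed."""
import json
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptCollector(HTMLParser):
    """Collect each <script> tag's src (None for inline scripts) from an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.scripts.append(dict(attrs).get("src"))

def audit_posts(posts, allowed_hosts):
    """Return {title: [finding, ...]} for posts with inline or non-allowlisted scripts."""
    findings = {}
    for post in posts:
        collector = ScriptCollector()
        collector.feed(post.get("html") or "")
        bad = []
        for src in collector.scripts:
            if src is None:
                bad.append("inline <script>")
            elif urlparse(src).hostname not in allowed_hosts:
                bad.append(f"external script from {urlparse(src).hostname}")
        if bad:
            findings[post["title"]] = bad
    return findings

def posts_from_export(export_json):
    """Pull the posts array out of a Ghost JSON export (assumed db[0].data.posts layout)."""
    return json.loads(export_json)["db"][0]["data"]["posts"]

# Constructed export: one clean post, one with an inline loader, one pulling a foreign script.
SAMPLE_EXPORT = json.dumps({"db": [{"data": {"posts": [
    {"title": "Clean post", "html": '<p>Hello</p><script src="https://cdn.example.org/a.js"></script>'},
    {"title": "Tampered post", "html": "<p>Hi</p><script>/* injected loader */</script>"},
    {"title": "Redirected post", "html": '<script src="https://attacker-placeholder.invalid/x.js"></script>'},
]}}]})
ALLOWED_HOSTS = {"cdn.example.org"}

if __name__ == "__main__":
    for title, issues in audit_posts(posts_from_export(SAMPLE_EXPORT), ALLOWED_HOSTS).items():
        print(title, "->", issues)
```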

Read more at BleepingComputer

Final thoughts

This week's stories resist a single tidy throughline, which is itself worth noting. The Foxconn breach is a ransomware operation against a manufacturing giant that turned out to carry nation-state-grade intelligence value. The Laravel-Lang supply chain attack weaponized a routine Composer install against PHP developers who had no reason to suspect anything was wrong. Lazarus Group's RemotePE is purpose-built for patient, long-term observation with minimal forensic footprint — the kind of tool deployed when the goal is to watch, not just to steal. The Drupal and Ghost CMS stories are about exploitation velocity: both saw active attacks within days of the patch or discovery, against environments that defenders may not have known were in the crosshairs.

What these stories share is that the attackers in each case understood something specific about their target — the IP value sitting in a contract manufacturer's file servers, the implicit trust a Composer package enjoys, the authentication gap in a CMS database, the long dwell time available in a memory-only RAT. The practical implication for security teams: the question is not just "are we patched?" but "what would an attacker who understood our environment specifically choose to go after?" That framing tends to surface a different set of priorities than a generic vulnerability queue.

Check back next Tuesday for the next installment.
