TL;DR
Foxconn’s North American factories were knocked offline by a Nitrogen ransomware attack that exfiltrated 1.4 TB of design and supply chain data. GitHub confirmed attackers breached thousands of its private internal repositories — including platform source code — in a May 20 supply chain intrusion. Meanwhile, the TeamPCP group continues weaponising open source npm packages like Axios to steal developer credentials in an ongoing, multi-wave campaign. If your business writes or runs software — which is every business — this weekend’s news carries at least one lesson you need to act on Monday morning.
1. Foxconn — A $170 Billion Supply Chain Stalled by Ransomware
What happened. On May 13, 2026, the Nitrogen ransomware group listed Foxconn — the world’s largest electronics manufacturer and a critical supplier to Apple, Google, and NVIDIA — on its dark web leak site. Foxconn subsequently confirmed that its North American manufacturing operations were hit. Attackers claim to have exfiltrated over 1.4 million files across approximately 1.4 TB of data, spanning product design schematics, manufacturing floor documentation, supply chain logistics, and operational systems.
How bad. Foxconn is not just any manufacturer. It assembles iPhones, MacBooks, Google Pixel devices, and NVIDIA GPU hardware. A disruption to its North American facilities — even a temporary one — cascades into shipment delays for half a dozen Fortune 50 companies. The operational impact alone runs into tens of millions in downtime, to say nothing of the intellectual property exposure or potential regulatory penalties under customer data-handling agreements. Nitrogen’s standard playbook includes double-extortion: encrypt the network and threaten to publish the stolen data unless a cryptocurrency ransom is paid — often in the $1-10 million range.
How it could have been prevented. No technical details are public, but historical Foxconn breaches (LockBit, 2022; DoppelPaymer, 2020) consistently trace back to the same three vectors: unpatched internet-facing systems, weak remote access controls, and inadequate network segmentation. A manufacturer running 24/7 assembly lines is understandably reluctant to patch, but that reluctance is precisely what ransomware operators bank on. Compensating controls — application allowlisting, EDR with behavioural detection, and microsegmentation between IT and OT networks — would have contained the blast radius.
What your business should do this week. Map every internet-facing system your business exposes — RDP, VPN gateways, SSH, web portals, third-party vendor portals. Patch them. If you cannot patch today, put them behind a VPN with MFA. Run an offline, air-gapped backup of your critical data and verify you can restore it without the production network being online. If you have manufacturing, logistics, or OT environments, ensure they are segmented from your corporate IT network — no direct routes.
2. GitHub — When the Code Factory Gets Breached
What happened. On May 20, 2026, GitHub confirmed that an attacker gained unauthorised access to its internal repositories. The intruder navigated internal systems and exfiltrated data from thousands of private repositories containing GitHub’s own platform source code, internal tooling, and organisational resources. The attacker subsequently advertised the stolen code for sale on a cybercrime forum.
How bad. GitHub is the global software supply chain. Over 100 million developers use it. If an attacker can move through GitHub’s internal systems undetected, the question every CISO should be asking is not "what did they take" but "what did they leave behind." A persistent threat actor with access to GitHub’s build pipelines could have theoretically planted backdoors in the platform itself — impacting every organisation that hosts code there. While there is no evidence of that yet, the mere possibility resets the threat model for code-hosting platforms.
How it could have been prevented. Initial forensics point to a supply chain entry vector — compromising a third-party dependency or a developer tool integrated into GitHub’s CI/CD pipeline. This mirrors the pattern seen in the Axios npm attack and others: credential theft from an upstream dependency leads to lateral movement inside a targeted organisation. The single most powerful control missing in most organisations is branch protection rules that require signed commits and mandate code review on every change, even for admin accounts. GitHub’s own docs recommend this; the attacker exploited a gap where those rules were apparently not uniformly enforced across internal repos.
What your business should do this week. Audit your GitHub (or GitLab/Bitbucket) organisation: require signed commits, enforce mandatory pull-request reviews with at least one approver who is not the author, restrict personal access tokens to the minimum scope and shortest expiry, and rotate all CI/CD secrets. If you use GitHub Actions or any other pipeline-as-code, audit every third-party action your workflows pull in and pin them to a specific commit SHA — not a tag or branch.
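As an added example (not code from the original post or from GitHub), a small Python audit that scans a GitHub Actions workflow for `uses:` references that are not pinned to a full 40-character commit SHA. The workflow text, the SHA and the third-party action name are constructed for illustration.

```python
import re

# Constructed sample workflow (not from the page); the SHA and third-party action are made up.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b
      - uses: docker://alpine:3.19
      - uses: ./.github/actions/local-step
      - uses: some-org/some-action@main  # hypothetical third-party action
      - run: npm ci
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(ref: str) -> str:
    """Classify one `uses:` reference.

    Returns 'local', 'docker', 'sha-pinned', 'tag-or-branch' or 'unpinned'.
    """
    if ref.startswith("./"):
        return "local"       # same-repo action, covered by the repo's own review rules
    if ref.startswith("docker://"):
        return "docker"      # container image; pin by digest, checked separately
    if "@" not in ref:
        return "unpinned"    # no ref at all: resolves to the action's default branch
    _, _, version = ref.rpartition("@")
    # A tag or branch can be moved by whoever controls the upstream repo; a SHA cannot.
    return "sha-pinned" if SHA_RE.match(version) else "tag-or-branch"


def audit_workflow(text: str) -> list[tuple[str, str]]:
    """Return (reference, classification) for every remote action not pinned to a SHA."""
    findings = []
    for ref in USES_RE.findall(text):
        kind = classify_uses(ref)
        if kind in ("tag-or-branch", "unpinned"):
            findings.append((ref, kind))
    return findings


if __name__ == "__main__":
    for ref, kind in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{kind:14} {ref}")
```

Run it over every file under `.github/workflows/` in your repositories; anything it reports should be replaced with the commit SHA of the release you reviewed.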
3. The Open Source Supply Chain Is Under Active Siege — and Your Developers Are the Target
What happened. Throughout April and May 2026, the threat group TeamPCP (UNC6780) has executed multiple waves of attacks on open source software supply chains. The March 31 compromise of Axios — the most popular HTTP client library on npm with over 2 billion weekly downloads — injected a malicious dependency that deployed a multi-stage remote access trojan onto any developer machine that ran npm install. Two weeks later, the group compromised the security scanner Trivy, injecting credential-stealing malware into its build pipeline. The stolen credentials were then used to pivot into thousands of downstream CI/CD environments, including those of two OpenAI employees via the TanStack library. On May 19, security firms StepSecurity and SafeDep warned of dozens more compromised open source packages in an ongoing wave — with payloads now targeting password manager credentials specifically.
How bad. This is not a one-off. It is a campaign. The malware is wormable: stolen npm tokens and GitHub Personal Access Tokens are immediately reused to publish malicious versions of legitimate packages, which in turn compromise more developer machines, which yield more tokens. The cycle accelerates. If any developer in your organisation has run npm install or pip install on a compromised package in the last 60 days, their machine — and every credential accessible from it, including password manager vaults — may have been exfiltrated.
How it could have been prevented. Developer machines should never have unrestricted outbound internet access. A software bill of materials (SBOM) and dependency pinning with lockfile integrity checks would have caught the Axios version bump. And the credential theft would have been neutered if developers used hardware security keys (FIDO2/WebAuthn) instead of long-lived access tokens — a stolen token is useless if multi-factor authentication requires a physical tap.
What your business should do this week. First, audit every developer machine that has run a package manager in the last 60 days — scan for the IoCs published by CISA and Palo Alto's Unit 42 for the Mini Shai-Hulud campaign. Second, rotate every CI/CD secret, npm token, PyPI token, and GitHub PAT in your organisation. Third, enforce a policy that all dependencies are pinned to exact versions with verified integrity hashes. Fourth, roll out hardware security keys to every developer who touches code or cloud infrastructure. If that sounds expensive, compare it to the cost of a Foxconn-scale breach — the business case writes itself.
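An added example (not part of the original article and not npm's own tooling) of the pinning and integrity checks described above: a Python check over constructed package.json and package-lock.json (lockfileVersion 3) fragments that flags dependencies declared as ranges rather than exact versions, lock entries with no integrity hash or a non-sha512 one, and packages resolved from outside the npm registry. The package names, versions and digests are placeholders.

```python
import json
import re
# Constructed package.json and package-lock.json (lockfileVersion 3) fragments, not real projects.
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {"axios": "^1.6.0", "left-pad": "1.3.0"},
    "devDependencies": {"some-tool": "git+https://example.invalid/some-tool.git"},  # hypothetical
})
SAMPLE_LOCKFILE = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^1.6.0", "left-pad": "1.3.0"}},
        "node_modules/axios": {
            "version": "1.6.8",
            "resolved": "https://registry.npmjs.org/axios/-/axios-1.6.8.tgz",
            "integrity": "sha512-" + "A" * 86 + "==",  # constructed placeholder digest
        },
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            # no "integrity": npm has nothing to verify the downloaded tarball against
        },
        "node_modules/some-tool": {
            "version": "0.1.0",
            "resolved": "git+https://example.invalid/some-tool.git#abc123",
            "integrity": "sha1-" + "B" * 27 + "=",  # weak algorithm, constructed placeholder
        },
    },
})
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$")


def unpinned_ranges(package_json: str) -> list[str]:
    """Dependencies declared with a range or URL instead of an exact x.y.z version."""
    manifest = json.loads(package_json)
    return [f"{name}@{spec}"
            for section in ("dependencies", "devDependencies")
            for name, spec in manifest.get(section, {}).items()
            if not EXACT_VERSION.match(spec)]


def lockfile_findings(lockfile: str) -> list[str]:
    """Lock entries with no integrity hash, a non-sha512 hash, or a non-registry source."""
    findings = []
    for path, entry in json.loads(lockfile).get("packages", {}).items():
        if path == "":
            continue  # root project entry
        name = path.rsplit("node_modules/", 1)[-1]
        integrity = entry.get("integrity", "")
        resolved = entry.get("resolved", "")
        if not integrity:
            findings.append(f"{name}: no integrity hash")
        elif not integrity.startswith("sha512-"):
            findings.append(f"{name}: weak integrity algorithm {integrity.split('-', 1)[0]}")
        if not resolved.startswith("https://registry.npmjs.org/"):
            findings.append(f"{name}: non-registry source {resolved}")
    return findings
```

Running `npm ci` (rather than `npm install`) in CI then refuses to proceed when the lockfile and package.json disagree, so a silent version bump fails the build instead of being installed.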
FAQ
Q: I don't use npm or GitHub. Does any of this affect me? A: Yes. Every business relies on software, and that software was built by someone using packages, repos, and pipelines. Even if you only use Microsoft 365 and a payroll SaaS, your vendors run on these platforms. Ask them what they have done about the Axios/Trivy compromises and whether they have rotated secrets. If they cannot answer, treat their systems as potentially compromised.
Q: How much does a ransomware attack actually cost a business? A: The average recovery cost in 2025 was US$2.73 million according to IBM's annual report, and that figure excludes the ransom payment itself. For manufacturers, add an estimated $125,000-$250,000 per hour of production downtime. A 5-day outage at a mid-sized factory easily breaches $10 million before the ransom is even discussed.
Q: Is open source software inherently unsafe? A: No. The open source model is not the problem — it is the lack of corporate investment in its security. Most critical open source libraries are maintained by unpaid volunteers. The fix is for companies that depend on open source to fund its maintenance, require SBOMs, and monitor dependency integrity in their CI/CD pipelines.
Q: What is the single most impactful thing I can do Monday morning? A: Turn on multi-factor authentication for every account that supports it — email, code repos, cloud consoles, VPN, remote desktop, admin panels. If MFA is already on, rotate your secrets and audit who has access to what. If you finish both of those, verify your offline backups can actually be restored.
Conclusion
The breaches this weekend share a common thread: attackers are no longer just encrypting files or stealing databases — they are compromising the supply chains that businesses trust implicitly. Foxconn shows that even the world's largest manufacturer is not a hard target. GitHub shows that even the platform hosting the world's code can be breached. The Mini Shai-Hulud campaign shows that your developers' workstations are the new perimeter, and that perimeter is riddled with npm-shaped holes.
This week, map your exposure, patch what you can, rotate secrets, enforce MFA, and segment where you cannot patch. The attackers are not waiting until your next quarterly review.
Visit consult.lil.business for a free cybersecurity assessment. We will review your supply chain exposure, backup readiness, and access controls in one session — no obligation.
References
- Foxconn Confirms North American Factories Hit by Cyberattack — SecurityWeek
- GitHub Supply Chain Attack 2026 Exposes Internal Repository Data — Foresiet
- Supply Chain Compromise Impacts Axios Node Package Manager — CISA
- Hackers Have Compromised Dozens of Popular Open Source Packages in an Ongoing Supply Chain Attack — TechCrunch
- The npm Threat Landscape: Attack Surface and Mitigations — Palo Alto Networks Unit 42
- The State of Ransomware 2026 — BlackFog
TL;DR
- A software company called TriZetto was hacked — and the hackers stayed hidden inside their systems for 10 months [1]
- 3.4 million people's Social Security numbers and health insurance records were stolen without anyone knowing [2]
- Your business uses vendors that hold your customers' data too — and when those vendors get hacked, it becomes your problem
- Three things you can check this week to know whether your vendors are protecting the data you've trusted them with
Imagine Someone Copying Your Spare Key
You gave a spare key to a software contractor years ago. They help run your systems, they do a good job, and you never really think about them.
Then one day you find out: someone broke into the contractor's office, found your spare key, and has been quietly letting themselves into your business every night for 10 months. They weren't stealing cash — they were photographing files. Customer records. Employee details. Insurance information.
You had no idea. The contractor had no idea. And every night, a little more of your data walked out the door.
That is essentially what happened to TriZetto Provider Solutions — a company that processes health insurance paperwork for thousands of doctors and clinics across the United States. Hackers broke in during November 2024. Nobody noticed until October 2025. By then, 3.4 million people's records had been exposed [1].
What Makes This Different From a Typical Hack?
Most people picture a cyberattack like a smash-and-grab robbery. Someone breaks in, grabs what they can, and runs before the alarm sounds.
This was more like a quiet, long-term spy operation. The hackers found a side door, made absolutely sure nobody could see them, and spent almost a year reading everything they could access.
The stolen information included names, home addresses, Social Security numbers, Medicare ID numbers, and health insurance details [2]. This is not the kind of data you can just replace, like cancelling a credit card. Social Security numbers, health records, and Medicare IDs can be used for identity theft for years — sometimes decades — after they are stolen.
The Part That Directly Affects Your Business
TriZetto is not a small startup. It is owned by Cognizant, one of the largest IT companies in the world [1]. And even they took 10 months to notice someone was inside their systems. According to IBM's 2024 Cost of a Data Breach Report, the average time to detect a breach in the healthcare sector is even longer than the global average — and the average healthcare breach costs $9.77 million [5].
Here is what this means for your business: you almost certainly have vendors who hold your customers' data too.
Think about your payroll software. Your customer database. Your email marketing tool. Your cloud file storage. Your accounting platform. Every single one of these holds personal information about real people — your customers, your employees, your business partners. According to Verizon's 2025 Data Breach Investigations Report, 15% of all confirmed data breaches now involve a third-party vendor [6].
If any of those vendors get hacked, your customers' information is at risk. And under Australian privacy law, you have legal responsibilities even when the breach happens at a vendor's end, not your own [3].
Three Things You Can Check This Week
You do not need to become a cybersecurity expert to protect your business here. These three checks are practical, free, and take less than an afternoon.
1. List every vendor that holds your data. Start with payroll, customer databases, accounting software, and email tools. Write them down. Most business owners are surprised — once you count carefully, the average is 20 to 50 vendors.
2. Ask each vendor: "Do you have a SOC 2 or ISO 27001 certification?" These are independent security audits conducted by external experts. A vendor with this certification has had their security independently verified. A vendor without it has not. If they handle sensitive data for your business, the answer to this question matters [4].
3. Check your contracts for breach notification clauses. How quickly does your vendor have to tell you if they get hacked? TriZetto waited 14 months to notify some customers [1]. Make sure your contracts do not allow that kind of delay.
FAQ
Q: What is TriZetto, and why does this breach matter to my business? A: TriZetto is a US healthcare IT company that processes insurance eligibility data for doctors and clinics. The reason it matters is the pattern it represents: a software vendor was trusted with millions of sensitive records, failed to detect a breach for nearly a year, and notified affected parties more than 14 months after the intrusion began. The same risk exists with any vendor that processes data for your business [1].
Q: How will I know if my data was affected? A: If your data was affected, TriZetto and their notification partner Kroll will send a physical letter explaining what happened and offering 12 months of free credit monitoring and identity protection services. Accept the offer — it is genuinely useful [2].
Q: Am I legally responsible if a vendor holding my customers' data gets hacked? A: Yes. Under Australian Privacy Principle 11 and equivalent laws in the UK, EU, and US, you are responsible for taking reasonable steps to protect the personal information you hold — including data that is stored or processed by third-party vendors on your behalf [3]. "My vendor got hacked" is not a complete defence.
Q: What is SOC 2? A: SOC 2 stands for System and Organisation Controls 2. It is an independent audit that verifies a company's security actually works in practice — not just on paper. A SOC 2 Type II certification means the audit covered a full year of real operations, not a one-day snapshot. When a vendor tells you they are SOC 2 Type II certified, it means a qualified external auditor has confirmed their security controls operate consistently [4].
References
[1] B. Toulas, "Cognizant TriZetto breach exposes health data of 3.4 million patients," BleepingComputer, Mar. 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/cognizant-trizetto-breach-exposes-health-data-of-34-million-patients/
[2] Maine Attorney General, "TriZetto Provider Solutions Data Breach Notification Filing," Maine AG Office, Feb. 2026. [Online]. Available: https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/e2c4cc45-dc81-498d-89f0-28c887808b41.html
[3] Office of the Australian Information Commissioner, "Australian Privacy Principle 11 — Security of Personal Information," OAIC, 2024. [Online]. Available: https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines/chapter-11-app-11-security-of-personal-information
[4] AICPA, "SOC 2 — SOC for Service Organizations: Trust Services Criteria," AICPA, 2024. [Online]. Available: https://www.aicpa-cima.com/resources/download/soc-2-trust-services-criteria-including-the-2022-points-of-focus
[5] IBM Security, "Cost of a Data Breach Report 2024," IBM, 2024. [Online]. Available: https://www.ibm.com/reports/data-breach
[6] Verizon, "2025 Data Breach Investigations Report," Verizon Business, 2025. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/
[7] COE Security, "Healthcare Supply Chain Under Cyber Siege," COE Security, Mar. 2026. [Online]. Available: https://coesecurity.com/healthcare-supply-chain-under-cyber-siege/
[8] CISA, "Guidance for Addressing Cybersecurity Risk in Third-Party Relationships," CISA, Nov. 2023. [Online]. Available: https://www.cisa.gov/resources-tools/resources/guidance-addressing-cybersecurity-risks-third-party-relationships
Not sure which of your vendors are handling your data responsibly? Most SMBs have 3 to 5 high-risk vendors they have never audited. lil.business can help you identify them and fix the gaps — without needing a full-time security team. Book a free call to find out what your vendor risk actually looks like.