
A Stolen GitHub Token, Two Months of Quiet, and 1.3 Terabytes: FulcrumSec Walked Out of Novo Nordisk With the AI Models Themselves

  • Writer: Patrick Duggan
  • 5 minutes ago
  • 5 min read

The most expensive thing Novo Nordisk lost was not the 1.3 terabytes, the 700,000 files, or the clinical trial records on real patients. It was the AI. FulcrumSec walked out with a 16.7-gigabyte multimodal model checkpoint — a trained system that reads text, images, and transcriptomic data together — plus roughly 407 megabytes of the proprietary biological and chemical datasets used to train it. That is not a copy of a database. That is the distilled, multi-year output of a drug company's research brain, and it left the building through a single stolen GitHub access token.


We wrote two posts today, before this one, that turn out to be the same story told from two other angles. This morning it was Mastra — 144 npm packages backdoored because a former contributor's publish token was never revoked. This afternoon it was Google's Vertex AI, where a bucket-squatting flaw let an attacker poison a model before it ever served a prediction. Novo Nordisk is the third face of the same die. A credential nobody was watching became the front door, and the crown jewel on the other side of that door was a machine-learning model. The token, the supply chain, and the model: that is the whole board right now, and one breach hit all three squares.



What happened


Novo Nordisk disclosed on June 11, 2026 that attackers had copied certain non-public data, including personal data, from a limited number of its internal IT systems. The word doing the heavy lifting in that sentence is "limited." Three days later, on June 14, the extortion group FulcrumSec told DataBreaches.net a different number: more than 700,000 files, roughly 1.3 terabytes, and a two-month residency that began in March. After Novo Nordisk refused a 25-million-dollar ransom, FulcrumSec began leaking on June 15.


FulcrumSec is not an old name. The group surfaced in October 2025, which makes Novo Nordisk one of its early marquee victims — and that matters, because a young extortion crew landing a top-five pharmaceutical company on a months-long dwell is not a fluke of sophistication. It is a fluke of hygiene, theirs against the target's. The access did not come from a zero-day or a nation-state toolkit. It came from a GitHub access token. That token gave FulcrumSec a foothold, the foothold gave them additional credentials, and the additional credentials gave them two months inside a pharmaceutical research network before anyone noticed.



The part that should change how you think about AI risk


The data categories Novo Nordisk lost read like a textbook of pharmaceutical sensitivity: source code, data on approved and pipeline drugs, clinical trial records, proprietary compound structures, and personal information on employees, physicians, and patients — patient IDs, sex, year of birth, biomarkers, health and immunogenicity data, and lifestyle factors down to BMI, smoking, and alcohol use. All of that is bad, and all of that is recoverable in the sense that it is, ultimately, records.


The model checkpoint is different. A 16.7-gigabyte multimodal model trained on a drug company's internal text, imaging, and transcriptomic data is not a record of research. It is an instrument that performs research. Whoever holds that checkpoint holds a working approximation of Novo Nordisk's discovery capability, and unlike a stolen database, you cannot notify-and-reset your way out of it. You cannot rotate a model. The training data — that 407 megabytes of proprietary biological and chemical material — is the recipe, and the checkpoint is the dish already cooked. Both are now outside the company's control, permanently.


This is the inversion we have been circling all year. The thesis we published back in March was that the medical-device and pharma companies invisible to AI were the ones getting breached. The Novo Nordisk breach completes the arc by making the AI itself the target rather than the blind spot. Earlier today the Vertex AI flaw showed an attacker poisoning a model on the way in. Novo Nordisk shows an attacker stealing the model on the way out. Same asset, two directions, one week. The model has become the thing worth breaching for.



Were they on our list? No. Here is the honest version.


We did not have Novo Nordisk flagged. It was not in our watch-list comparators, not in our candidate set, not named in any indicator we held. When a breach lands on a name we never wrote down, we say so — the alternative is the kind of retroactive credit-taking that makes threat intelligence worthless.


What we did have was the pattern, and the pattern has receipts. We flagged Medtronic 32 days before ShinyHunters claimed nine million records, and Medtronic sits in our breached-comparator set today. We caught the ADT vishing chain, the Allianz UK brand-impersonation infrastructure 93 days early, the Instructure Canvas operator infrastructure 40-plus days before the largest education breach on record. The medical and pharmaceutical sector has been the loudest signal in our data for three months. Novo Nordisk is a name we missed inside a category we called correctly, and the correct response to that is not to spin it — it is to add Novo Nordisk and the rest of the pharma-and-AI-model cohort to the reference set so the methodology that caught Medtronic gets pointed where the breaches are actually landing.


There is a second lesson sitting underneath the first, and it is the cheapest one to act on. The entry point was a GitHub token. We have written some version of "visible in source is leaked, rotate on visibility not on evidence" more times than is comfortable, and here is a 1.3-terabyte argument for it. A token in a repository, a token in a contributor account that was never revoked, a token in a build log — these are not hypothetical. They are the initial access vector in the Mastra compromise from this morning and the Novo Nordisk compromise from this week. The supply chain and the model are the prize. The token is still the door.
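The "rotate on visibility" rule only works if you can find the tokens in the first place. The scanner below is an added example, not code from this post or from any of the organizations named in it. It matches the public GitHub token formats (the `ghp_`, `gho_`, `ghu_`, `ghs_` and `ghr_` prefixes, and the `github_pat_` fine-grained format) in any text you feed it, so the same function can be run over repository files, `git log -p` output and CI build logs. The sample log, the token bodies and the repository name are constructed for the example; the minimum body lengths are an assumption chosen to avoid matching short strings that merely share a prefix.

```python
import re
from dataclasses import dataclass

# Public GitHub token formats (prefix + base62 body). Body lengths are an
# assumption for this example: classic-style tokens use a 36-char body,
# fine-grained tokens use 22 + "_" + 59. Adjust if GitHub changes formats.
GITHUB_TOKEN_PATTERNS = [
    ("classic_pat",      re.compile(r"\bghp_[A-Za-z0-9]{36,}\b")),
    ("oauth",            re.compile(r"\bgho_[A-Za-z0-9]{36,}\b")),
    ("user_to_server",   re.compile(r"\bghu_[A-Za-z0-9]{36,}\b")),
    ("server_to_server", re.compile(r"\bghs_[A-Za-z0-9]{36,}\b")),
    ("refresh",          re.compile(r"\bghr_[A-Za-z0-9]{36,}\b")),
    ("fine_grained",     re.compile(r"\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b")),
]


@dataclass
class Finding:
    line: int        # 1-based line number in the scanned text
    kind: str        # which token format matched
    redacted: str    # enough to identify the token, never the whole secret


def redact(token: str) -> str:
    """Keep the prefix and a few body characters so the owner can recognise it."""
    return token[:8] + "..."


def find_github_tokens(text: str) -> list[Finding]:
    """Scan arbitrary text (source, diff, build log) for GitHub-format tokens."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in GITHUB_TOKEN_PATTERNS:
            for match in pattern.finditer(line):
                findings.append(Finding(lineno, kind, redact(match.group(0))))
    return findings


# Constructed CI log excerpt for the example: a clone URL carrying a classic
# token, an exported fine-grained token, a commit SHA (not a token), a decoy
# string sharing a prefix, and an App installation token in a header.
SAMPLE_LOG = "\n".join([
    "step: checkout",
    "git clone https://ghp_" + "x" * 36 + "@github.com/example-org/research-pipeline.git",
    "step: setup",
    "export GITHUB_TOKEN=github_pat_" + "A" * 22 + "_" + "b" * 59,
    "commit 9fceb02d0ae598e95dc970b74767f19372d61af8",
    "HEAD is now at ghp_short not a token",
    "Authorization: token ghs_" + "Q" * 36,
])


if __name__ == "__main__":
    for f in find_github_tokens(SAMPLE_LOG):
        print(f"line {f.line}: {f.kind} {f.redacted}  -> rotate now")
```

Two things matter when you run this for real. First, scan history, not just the working tree: a token deleted in a later commit is still in every clone. Second, a hit here is a rotation trigger, not a question to investigate first. Whether anyone else ever read the log is unknowable; that the token was visible is not.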



What to do


If you run a research-heavy organization, the uncomfortable question is not whether your databases are backed up. It is whether you could even tell if your trained models walked out the door, and whether the GitHub tokens scattered across your repositories, your CI logs, and your former contributors' accounts are inventoried and rotated. Treat model checkpoints and training datasets as crown-jewel assets with their own egress monitoring, not as files in a bucket. Rotate tokens on visibility. Revoke access when people leave, on the day they leave. And assume, the way we do, that the 5 percent you cannot see is the 5 percent that matters — because for Novo Nordisk, the thing they could not see for two months was a young extortion crew carrying the company's research brain out the front door one credential at a time.
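"Egress monitoring for model checkpoints" is easy to say and rarely wired up, so here is what the minimum looks like in practice. This is an added example, not code from this post or from any organization it names. It assumes your object store emits per-request access logs (the JSON-lines shape below is constructed, not any provider's real schema) and applies three rules to reads of model and dataset artifacts: the principal must be on an allowlist, the request must come from inside your networks, and no single principal may pull more than a volume threshold in the window. The principal names, network ranges, object keys, sizes and thresholds are all assumptions for the example.

```python
import ipaddress
import json
from collections import defaultdict

# Assumed policy for the example. Tune suffixes, identities, CIDRs and the
# volume threshold to your own environment.
MODEL_ARTIFACT_SUFFIXES = (".safetensors", ".ckpt", ".pt", ".pth", ".h5",
                           ".onnx", ".parquet", ".npz")
ALLOWED_MODEL_READERS = {"svc-training-pipeline", "svc-model-registry"}
ALLOWED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16"),
                    ipaddress.ip_network("10.30.0.0/16")]
VOLUME_THRESHOLD_BYTES = 20 * 1024 ** 3   # 20 GiB per principal per window


def is_model_artifact(key: str) -> bool:
    """Treat checkpoints and training datasets as crown-jewel objects."""
    return key.lower().endswith(MODEL_ARTIFACT_SUFFIXES)


def in_allowed_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def detect_model_egress(log_lines: list[str]) -> list[dict]:
    """Return one alert per suspicious artifact read, plus one per principal
    whose cumulative artifact volume in the window exceeds the threshold."""
    alerts = []
    volume_by_principal = defaultdict(int)
    for raw in log_lines:
        ev = json.loads(raw)
        if ev["op"] != "GET" or not is_model_artifact(ev["key"]):
            continue
        reasons = []
        if ev["principal"] not in ALLOWED_MODEL_READERS:
            reasons.append("principal not allowlisted for model artifacts")
        if not in_allowed_network(ev["source_ip"]):
            reasons.append("artifact read from outside allowed networks")
        volume_by_principal[ev["principal"]] += ev["bytes"]
        if reasons:
            alerts.append({"principal": ev["principal"], "key": ev["key"],
                           "bytes": ev["bytes"], "reasons": reasons})
    for principal, total in volume_by_principal.items():
        if total > VOLUME_THRESHOLD_BYTES:
            alerts.append({"principal": principal, "key": None, "bytes": total,
                           "reasons": ["cumulative model-artifact volume exceeds threshold"]})
    return alerts


# Constructed access log: the training pipeline pulling a checkpoint from
# inside the VPC (normal), then a developer's personal token pulling the same
# checkpoint and two datasets from an external address (what a stolen token
# looks like in the log).
SAMPLE_ACCESS_LOG = [json.dumps(e) for e in [
    {"principal": "svc-training-pipeline", "source_ip": "10.20.4.15", "op": "GET",
     "key": "models/multimodal-v3/checkpoint.safetensors", "bytes": 16_700_000_000},
    {"principal": "svc-training-pipeline", "source_ip": "10.20.4.15", "op": "GET",
     "key": "models/multimodal-v3/config.json", "bytes": 4_096},
    {"principal": "jdoe-pat", "source_ip": "203.0.113.42", "op": "GET",
     "key": "models/multimodal-v3/checkpoint.safetensors", "bytes": 16_700_000_000},
    {"principal": "jdoe-pat", "source_ip": "203.0.113.42", "op": "GET",
     "key": "datasets/chem/compounds-train.parquet", "bytes": 407_000_000},
    {"principal": "jdoe-pat", "source_ip": "203.0.113.42", "op": "GET",
     "key": "datasets/bio/transcriptomics.npz", "bytes": 5_000_000_000},
]]


if __name__ == "__main__":
    for alert in detect_model_egress(SAMPLE_ACCESS_LOG):
        print(alert)
```

The allowlist is the control that does the work; the network and volume rules exist to catch an allowlisted identity whose credential has been stolen. A checkpoint that can only be read by a service identity, from inside the training network, is a far smaller target than a file in a bucket that any developer token can fetch, and a two-month dwell that ends with a 16.7-gigabyte read from an address you do not own is exactly the event the volume rule is meant to surface on day one rather than day sixty.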





