Novo Nordisk Breach Claim Puts GitHub Token Leak At Center Of $25M Extortion Fight


Novo Nordisk is facing a cyber-extortion claim after FulcrumSec said it stole roughly 1.3TB of data from the Ozempic and Wegovy maker during more than two months inside its systems.

The company has confirmed an IT security incident involving unauthorized access to a limited number of internal systems. Novo Nordisk also said certain non-public data, including personal data, was copied externally without authorization. Its core business operations remain up and running, while affected internal systems were taken offline and restored under controlled conditions.

FulcrumSec’s version is broader. The group claims it took more than 700,000 files, including source code, clinical trial data, employee, doctor and patient information, production-related material, unreleased drug information and internal AI model data. Reuters could not independently verify the authenticity of the files, and Novo Nordisk has not publicly confirmed the attacker’s full inventory.

The group also claimed it demanded $25 million from Novo Nordisk before shifting toward leaks and possible private sales of selected material. That puts the incident in the hack-and-extort category rather than a standard ransomware outage, with data theft becoming the main pressure point.

GitHub Token Claim Becomes The Sharpest Security Detail

The most important reported entry point is not a zero-day or a complex infrastructure failure. FulcrumSec claimed the breach began through a GitHub access token that allowed Novo Nordisk repositories to be cloned, after which the attackers searched the codebase and found additional credentials.

Novo Nordisk has not confirmed that access path. Still, the allegation fits a recurring software-security pattern: developer tokens can become a direct route from one exposed credential to repository access, internal configuration files, automation workflows and further secrets.
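The pattern described above, one credential leading to more credentials stored in code, is something a defender can audit for in their own repository checkouts. The following is an added example, not code from Novo Nordisk or any party named in this article; the token patterns are commonly used detection shapes and are assumptions, and the file names and secret values are constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumed detection shapes: GitHub token prefixes, AWS access key IDs, PEM key headers.
PATTERNS = {
    "github_classic_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "github_fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{82}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}

def scan_text(text):
    """Yield (line_number, rule, redacted_match) for each credential-shaped string."""
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in PATTERNS.items():
            for m in rx.finditer(line):
                # Keep only a short prefix so the report does not re-leak the secret.
                yield lineno, rule, m.group(0)[:8] + "...[redacted]"

def scan_tree(root, max_bytes=1_000_000):
    """Scan every regular file under root, skipping .git internals and large files."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        rel = path.relative_to(root)
        if not path.is_file() or ".git" in rel.parts:
            continue
        if path.stat().st_size > max_bytes:
            continue
        text = path.read_text(encoding="utf-8", errors="ignore")
        for lineno, rule, shown in scan_text(text):
            findings.append((rel.as_posix(), lineno, rule, shown))
    return findings

def demo():
    """Build a constructed checkout with fake secrets and scan it."""
    fake_pat = "ghp_" + "A" * 36   # constructed, not a real token
    fake_aws = "AKIA" + "B" * 16   # constructed, not a real key ID
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "ci").mkdir()
        (root / "ci" / "deploy.yml").write_text(f"env:\n  GH_TOKEN: {fake_pat}\n")
        (root / "settings.py").write_text(f"DEBUG = False\nAWS_KEY = '{fake_aws}'\n")
        (root / "README.md").write_text("Set GH_TOKEN in your environment.\n")
        return scan_tree(root)

if __name__ == "__main__":
    for finding in demo():
        print(*finding, sep="  ")
```

This covers the current working tree only; a credential deleted in a later commit still sits in the repository history, so anything ever committed should be rotated rather than just removed.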

That is why the claim is significant beyond one pharma breach. CryptoAdventure recently covered GitHub’s own internal repository incident, where the platform said customer repositories were not identified as affected while it investigated unauthorized access to internal repositories. The same developer-security theme appeared when Grafana disclosed a GitHub token compromise that exposed its codebase without confirmed customer-data exposure.

The Novo Nordisk claim is more severe because the alleged data set reaches far beyond code. If the attacker’s inventory is accurate, the exposed material may include research files, drug-development information and AI assets with commercial value.

Drug Data And AI Models Raise The Stakes

FulcrumSec claims the stolen material includes data tied to released and unreleased drugs, clinical trials, company processing facilities and internal AI models. SecurityWeek reported that the claimed intellectual-property haul included undisclosed drug programs, proprietary compound structures, Dicerna RNAi pipeline material and private AI models.

Novo Nordisk’s confirmed patient impact remains narrower. The company said affected clinical trial data was pseudonymized, meaning it was not directly linked to patients by name or direct identifiers. That reduces some immediate identity-risk exposure, but clinical trial and health-linked data can still be sensitive when combined with other information.

The AI-model claim adds another layer. Pharmaceutical AI systems, training data and internal research workflows can represent years of investment. If those assets were copied, the damage would not be limited to breach notification or reputational fallout. It could create intellectual-property exposure around drug discovery, research automation and proprietary development pipelines.

A Developer Credential Becomes A Board-Level Risk

The case shows how software access can become a business-risk event inside industries far beyond tech. A token left in the wrong place can open repositories. Repositories can expose internal logic and credentials. Those credentials can widen access into systems where the real prize is not code, but research, manufacturing data, AI workflows and regulated personal information.

Novo Nordisk has kept its public position to confirmed unauthorized access, copied non-public data, ongoing investigation work and cooperation with authorities. FulcrumSec’s broader claims remain attacker claims, not fully verified facts.

The breach now sits between those two versions: a confirmed Novo Nordisk security incident with copied data, and an extortion group alleging a much larger theft built from a GitHub-token access path. That gap is where the real risk sits for the company, its patients, its research pipeline and every organization still treating developer credentials as a narrow engineering problem.