Novo Nordisk Breach: How a Leaked GitHub Token Exposed the Exact Ozempic Formula | Pentesty
Research · Jun 17, 2026 · 9 min read

Published by Pentesty · Data Breach · Pharma · Source Code Leak
A group calling itself FulcrumSec says it stole roughly 1.3 TB of data from Novo Nordisk, the Danish pharmaceutical company behind Ozempic and Wegovy. After the company reportedly refused to pay a US$ 25 million ransom, the group started publishing a 264 GB sample of the haul. The leaked material allegedly includes source code, clinical trial records, employee and patient data, and the formula for Ozempic itself. The reported way in was a single GitHub token that gave the attackers two months of access to internal repositories before anyone noticed.

What makes this incident worth reading carefully is how ordinary the failure was. There is no zero-day, no nation-state operation, no novel technique. Just a credential that should not have been usable from outside, and no one watching the door.

What FulcrumSec Claims to Have

According to statements the group made to DataBreaches.Net and reporting from g1, the haul includes:

- Source code and proprietary technical documentation for launched and unreleased medications.
- The exact formula of Ozempic, plus material on other drugs in the pipeline.
- Clinical trial records covering roughly 11,500 patients.
- Personal data of thousands of employees, doctors, and patients.
- Details about processing facilities and internal AI models used by the company.

The group says it pulled more than 700,000 files (about 1.3 TB), and so far released around 264 GB. It also said it will hold back employee and patient files for now, which is the usual leverage point in pay-or-leak extortion. We covered that pattern in detail in our breakdown of the ShinyHunters extortion methodology.

Novo Nordisk confirmed on June 11 that it suffered a cybersecurity incident involving unauthorized access to a limited number of internal systems and to personal data of some clinical-trial patients.
The company told Reuters it is “in contact with the competent authorities” and that its main platforms are running normally.

How They Got In: One GitHub Token, Two Months of Access

According to FulcrumSec, the access started in March with a GitHub personal access token that allowed them to clone internal repositories. From there they stayed inside the environment for roughly two months before exfiltrating most of the data.

The group also went out of its way to mock the company, claiming that critical systems were protected by passwords like “novo123”. Whether that exact string is accurate or not, the larger picture is hard to argue with. When one developer credential opens the door to source code, internal AI models and customer data, most of the rest of a security program stops mattering.

The shape of this attack has been showing up all year: a leaked token with too much scope, no alerting on unusual repository access, and weeks of dwell time before anyone notices. The same dynamics appear in our cloud misconfiguration analysis for 2026 and in the wave of AI-powered attacks that now automate the search for these footholds.

Why a Drug Formula Leak Is Different

When customer data leaks from a delivery app or a learning platform, the damage is real, but most of it plays out downstream as phishing, account takeover and fraud. A pharmaceutical IP package is a different kind of problem.

- Intellectual property does not get rotated. A password can be changed in an afternoon. A formula, once public, stays public.
- Counterfeit risk grows. Detailed formulation and process documentation makes it easier for illegal manufacturers to produce injectables that millions of patients depend on.
- Trial subjects sit in a fragile position. Clinical trial data often links a name to a specific medical condition. That combination is useful for blackmail, insurance discrimination and targeted phishing. The downstream risk is similar to what we wrote about in the iFood leak analysis, except with health context attached.
- Internal AI models become a second attack surface. Model weights, training data and prompts in the wrong hands give competitors and threat actors a starting point that took the original team years to build.

What Engineering Teams Should Take from This

The fixes that would have prevented this incident are well known. They keep getting skipped because they are boring and because nothing breaks when you skip them, until something breaks badly.

Treat source-code credentials as crown jewels

Personal access tokens, deploy keys and CI tokens are bearer credentials with read access to your intellectual property. Short expirations, narrow scopes, IP allowlists and SSO-backed enterprise accounts should be the default. Rotate often, and revoke on offboarding the same day.

Kill weak and shared passwords at the source

“novo123” is easy to laugh at, but the...
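The two signals this post says nobody was watching for, one credential cloning many repositories and clones arriving from outside the expected network, are cheap to check over a GitHub audit-log export. The script below is an added example, not code from Pentesty or from Novo Nordisk; the log lines, actor names, repository names and address ranges are constructed, and the field names (action, actor, repo, actor_ip, @timestamp in epoch milliseconds) are assumed to follow GitHub's audit-log JSON export.

```python
import json
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed egress range standing in for the company's office/VPN addresses.
ALLOWED_NETS = [ip_network("203.0.113.0/24")]
REPO_THRESHOLD = 4            # distinct repos cloned by one actor inside the window
WINDOW_MS = 60 * 60 * 1000    # one hour

# Constructed audit-log lines in the shape of GitHub's JSON export; the field
# names (action, actor, repo, actor_ip, @timestamp in epoch ms) are assumed.
SAMPLE_LOG = """
{"action":"git.clone","actor":"dev-alice","repo":"org/web-portal","actor_ip":"203.0.113.10","@timestamp":1710000000000}
{"action":"git.push","actor":"dev-alice","repo":"org/web-portal","actor_ip":"203.0.113.10","@timestamp":1710001200000}
{"action":"git.clone","actor":"svc-build","repo":"org/formulation-docs","actor_ip":"198.51.100.7","@timestamp":1710003600000}
{"action":"git.clone","actor":"svc-build","repo":"org/trial-data-etl","actor_ip":"198.51.100.7","@timestamp":1710003660000}
{"action":"git.clone","actor":"svc-build","repo":"org/ml-models","actor_ip":"198.51.100.7","@timestamp":1710003720000}
{"action":"git.clone","actor":"svc-build","repo":"org/plant-controls","actor_ip":"198.51.100.7","@timestamp":1710003780000}
{"action":"git.clone","actor":"dev-bob","repo":"org/ci-templates","actor_ip":"203.0.113.22","@timestamp":1710010000000}
"""

def parse_events(text):
    """Parse a JSON-lines export into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def clones_outside_allowlist(events, allowed=ALLOWED_NETS):
    """Return (actor, ip, repo) for every clone from an address not on the allowlist."""
    hits = []
    for e in events:
        if e["action"] == "git.clone" and not any(ip_address(e["actor_ip"]) in n for n in allowed):
            hits.append((e["actor"], e["actor_ip"], e["repo"]))
    return hits

def mass_clone_actors(events, threshold=REPO_THRESHOLD, window_ms=WINDOW_MS):
    """Return {actor: repos} for actors that cloned >= threshold distinct repos
    within any window_ms-long span; a developer doing normal work rarely does."""
    by_actor = defaultdict(list)
    for e in events:
        if e["action"] == "git.clone":
            by_actor[e["actor"]].append((e["@timestamp"], e["repo"]))
    flagged = {}
    for actor, clones in by_actor.items():
        clones.sort()
        for i, (t_end, _) in enumerate(clones):
            repos = {r for t, r in clones[: i + 1] if t >= t_end - window_ms}
            if len(repos) >= threshold:
                flagged[actor] = repos
                break
    return flagged
```

Run `mass_clone_actors(parse_events(SAMPLE_LOG))` and `clones_outside_allowlist(parse_events(SAMPLE_LOG))` to see that only the svc-build token trips both checks; tune the threshold and window to your own teams' baseline before wiring this into an alerting pipeline.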