LAPSUS$ Says It Stole 3 GB of AstraZeneca Code and Secrets, Offers Files for Sale

The cyber-crime gang LAPSUS$ has resurfaced with a bold claim: it broke into the systems of pharmaceutical giant AstraZeneca and walked away with almost three gigabytes of sensitive internal material, including source code, cloud credentials and employee data. Screenshots posted on the group’s own site and a well-known hacker forum show file trees stamped with AstraZeneca branding and a price list that invites the highest bidder to take possession of the archive.

What the hackers say they took

In a terse advertisement the group says the haul contains:

  • Full source code written in Java, Angular and Python
  • Cloud infrastructure blueprints for AWS and Azure, written as Terraform
  • Private keys, vault secrets and API tokens
  • Employee-related data sets that include cost-centre codes and GitHub Enterprise permissions

The post is accompanied by a session ID that prospective buyers can use to negotiate privately. LAPSUS$ has used the same tactic in previous breaches, releasing snippets to prove legitimacy and then demanding large cryptocurrency payments for the complete set.

Independent review of the leaked samples

Hackread.com downloaded the teaser archive and sorted the files into three categories: GitHub exports, third-party vendor documents and financial spreadsheets. Each folder contains enough metadata to run a quick authenticity check.

GitHub Enterprise export
The largest folder holds 42,000 JSON records that map AstraZeneca e-mail addresses to GitHub usernames, organisation roles and two-factor-authentication status. The data structure mirrors the REST output GitHub Enterprise Server produces when an administrator requests a user audit. Crucially, the cost-centre codes match internal budget units that have never been published on public repositories, making simple scraping an unlikely source.
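A quick triage of an export like the one described, as an added example that is not part of the article or of GitHub's own tooling. The records are constructed, and the field names (email, login, role, two_factor_enabled, cost_centre) are assumptions for this example rather than GitHub's documented API schema. The checks are the ones a responder would run first on such a dump: schema consistency, duplicate accounts, e-mail domains outside the company, administrators without two-factor authentication, and how completely the internal cost-centre field is populated.

```python
import json
from collections import Counter

# Constructed sample export (invented accounts, not real data) in the shape the
# article describes. Field names are assumptions for this example, not GitHub's
# documented API schema.
SAMPLE_EXPORT = json.dumps([
    {"email": "a.jones@example.com", "login": "ajones", "role": "admin",
     "two_factor_enabled": True, "cost_centre": "CC-4410"},
    {"email": "b.patel@example.com", "login": "bpatel", "role": "admin",
     "two_factor_enabled": False, "cost_centre": "CC-4410"},
    {"email": "c.li@example.com", "login": "cli-bot", "role": "member",
     "two_factor_enabled": False, "cost_centre": "CC-1207"},
    {"email": "d.ruiz@contractor.example.net", "login": "druiz", "role": "member",
     "two_factor_enabled": True, "cost_centre": None},
    # Duplicate of bpatel, as happens when several organisation exports are merged.
    {"email": "b.patel@example.com", "login": "bpatel", "role": "admin",
     "two_factor_enabled": False, "cost_centre": "CC-4410"},
])

EXPECTED_FIELDS = {"email", "login", "role", "two_factor_enabled", "cost_centre"}


def load_records(raw):
    """Parse the export, keeping the first record per login and noting repeats."""
    seen, unique, duplicates = set(), [], []
    for rec in json.loads(raw):
        if rec["login"] in seen:
            duplicates.append(rec["login"])
            continue
        seen.add(rec["login"])
        unique.append(rec)
    return unique, duplicates


def triage(raw, corporate_domain):
    unique, duplicates = load_records(raw)

    def domain(rec):
        return rec["email"].rsplit("@", 1)[1].lower()

    no_2fa = [r for r in unique if not r["two_factor_enabled"]]
    with_cc = sum(1 for r in unique if r["cost_centre"])
    return {
        "records": len(unique),
        "duplicates": duplicates,
        # A genuine API export has one schema; a stitched-together fake often does not.
        "schema_consistent": all(set(r) == EXPECTED_FIELDS for r in unique),
        "domains": Counter(domain(r) for r in unique),
        # Accounts outside the corporate domain: contractors, or a sign the dump
        # mixes in unrelated data.
        "external_accounts": sorted(r["login"] for r in unique if domain(r) != corporate_domain),
        # The highest-value targets for anyone holding this list.
        "admins_without_2fa": sorted(r["login"] for r in no_2fa if r["role"] == "admin"),
        "accounts_without_2fa": len(no_2fa),
        # Cost-centre codes are internal; near-complete coverage argues against
        # public scraping as the source.
        "cost_centre_coverage": round(with_cc / len(unique), 2) if unique else 0.0,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EXPORT, "example.com").items():
        print(f"{key}: {value}")
```

On the constructed sample the report shows one duplicated login, one external account, one administrator without 2FA and cost-centre codes on three of four accounts; on a real 42,000-record export the same fields are what decide whether the dump is an API export or a scrape.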

Third-party supplier files
A second folder stores configuration templates for a clinical-trial platform run by an external vendor. The templates reference internal AstraZeneca domain accounts and contain hard-coded authentication tokens. Because the vendor’s name is not widely associated with AstraZeneca in open sources, the files strengthen the argument that the attackers had privileged access rather than merely recycling old dumps.

Financial spreadsheets
The smallest folder, only 190 MB, lists budget line items for 2023 cloud subscriptions. Column headers follow AstraZeneca’s internal naming convention and include project codes that correspond to drug-development programmes the company disclosed in annual filings. While the monetary values are not sensitive on their own, the spreadsheets confirm the archive spans more than one department.

How LAPSUS$ operates and why companies keep getting hit

Security researchers tracking the group say its playbook relies on three steps:

  1. Harvest employee credentials through large-scale phishing or by buying them from initial-access brokers.
  2. Move laterally inside the victim’s cloud identity provider, looking for over-privileged accounts that can create new access keys.
  3. Exfiltrate code repositories and configuration data, then threaten to leak or auction the material unless paid.
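One way to turn the second step into a detection, as an added example that is not part of the article or of any vendor product: a small rule set run over constructed CloudTrail-style records that flags access keys minted for a different principal, keys minted from outside a trusted network, and a burst of key creation by a single actor. The events, account names, addresses and thresholds are invented for this example; the field names follow CloudTrail's documented schema.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail-style records (not real logs). Field names follow the
# CloudTrail schema; actors, IPs and timing are invented. Scenario: a service
# account that was phished logs in at 08:14, mints a key for itself and then a
# key for a privileged user within two minutes.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"eventTime": "2023-05-02T08:14:09Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.5", "userIdentity": {"type": "IAMUser", "userName": "svc-deploy"},
     "requestParameters": None},
    {"eventTime": "2023-05-02T08:15:30Z", "eventName": "CreateAccessKey",
     "sourceIPAddress": "203.0.113.5", "userIdentity": {"type": "IAMUser", "userName": "svc-deploy"},
     "requestParameters": {"userName": "svc-deploy"}},
    {"eventTime": "2023-05-02T08:16:02Z", "eventName": "CreateAccessKey",
     "sourceIPAddress": "203.0.113.5", "userIdentity": {"type": "IAMUser", "userName": "svc-deploy"},
     "requestParameters": {"userName": "cloud-admin"}},
    {"eventTime": "2023-05-02T09:00:00Z", "eventName": "CreateAccessKey",
     "sourceIPAddress": "198.51.100.20", "userIdentity": {"type": "IAMUser", "userName": "j.doe"},
     "requestParameters": {"userName": "j.doe"}},
]]

# Assumed corporate egress range; in practice this comes from the network team.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(lines, trusted=TRUSTED_NETWORKS, burst_threshold=2, window=timedelta(minutes=10)):
    alerts, per_actor = [], defaultdict(list)
    for raw in lines:
        ev = json.loads(raw)
        if ev.get("eventName") != "CreateAccessKey":
            continue
        ident = ev["userIdentity"]
        actor = ident.get("userName") or ident.get("arn", "unknown")
        # userName is optional in the CreateAccessKey request; when omitted the
        # key is issued to the caller.
        target = (ev.get("requestParameters") or {}).get("userName") or actor
        when = ev["eventTime"]
        per_actor[actor].append(parse_time(when))
        if target != actor:
            alerts.append({"rule": "key_for_other_principal", "actor": actor,
                           "target": target, "time": when})
        try:
            ip = ipaddress.ip_address(ev["sourceIPAddress"])
        except ValueError:
            ip = None  # calls made on the user's behalf by an AWS service carry a hostname
        if ip is not None and not any(ip in net for net in trusted):
            alerts.append({"rule": "key_from_untrusted_network", "actor": actor,
                           "target": target, "time": when})
    # Burst rule: one actor minting several keys inside the window is the
    # persistence pattern, not normal rotation.
    for actor, times in per_actor.items():
        times.sort()
        for i in range(len(times) - burst_threshold + 1):
            if times[i + burst_threshold - 1] - times[i] <= window:
                alerts.append({"rule": "key_burst", "actor": actor, "target": actor,
                               "time": times[i].strftime("%Y-%m-%dT%H:%M:%SZ")})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The first rule is the strongest signal: a principal creating a key for someone else is exactly the "over-privileged account that can create new access keys" the playbook looks for, and in most environments only a handful of break-glass identities should ever do it.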

Because LAPSUS$ often targets software supply-chain assets, the fallout can extend beyond embarrassment. Stolen source code lets attackers hunt for unpatched vulnerabilities at leisure, while exposed Terraform files give them a road map to every database and storage bucket the company operates.

What AstraZeneca has said so far

When contacted, an AstraZeneca spokesperson provided a brief statement: “We are aware of the allegation and are investigating in collaboration with external cyber-security experts. At this time we have no evidence that patient data or core corporate systems have been compromised.” The company declined to confirm whether the 3 GB archive is genuine, citing an ongoing probe.

Regulatory filings show AstraZeneca maintains cyber-insurance and has incident-response retainers with two global forensics firms. Under Europe's GDPR, the firm has 72 hours from becoming aware of a personal-data breach to notify its supervisory authority, unless the breach is unlikely to put individuals at risk; that clock may already be ticking.

What the incident means for the wider pharma sector

Drug makers sit on a trove of valuable data: proprietary molecule designs, clinical-trial results and manufacturing processes. The European Medicines Agency warned last year that state-sponsored hackers are targeting vaccine makers for precisely this intellectual property. A breach that exposes source code can accelerate reverse engineering of production systems or reveal weaknesses in how trial data is protected.

Cloud adoption has amplified the risk. Terraform and CloudFormation templates routinely carry hard-coded secrets because committing a literal is faster than wiring up a vault. Once attackers gain read access to a GitHub organisation, they can clone every repository, including historical commits that still hold credentials since deleted from the current tree.

Practical steps other firms can take now

  • Audit every identity provider for dormant admin accounts and enforce phishing-resistant MFA.
  • Move secrets out of source control into dedicated vaults such as AWS Secrets Manager or HashiCorp Vault, and rotate keys on a schedule.
  • Turn on GitHub’s push protection, which rejects pushes containing strings that match known credential formats (cloud access keys, personal access tokens and the like) before they enter the repository’s history.
  • Segment cloud environments so that a single
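The hard-coded-secret problem in the vendor templates described above, and the vault and push-protection advice in the list, as an added example that is not part of the article or of any vendor tool: a small scanner that flags credentials written into Terraform templates, with a helper that applies it to every line ever added in a repository's history, run over a constructed weak template and its hardened counterpart. The templates, resource names and values are invented (the AWS key ID is Amazon's documented placeholder), and the attribute-name heuristic is an assumption of this example.

```python
import math
import re
import subprocess
from collections import Counter
from dataclasses import dataclass

# Constructed Terraform fragment (invented, not from any leak) showing the weak
# pattern: credentials written straight into the template.
WEAK_TEMPLATE = '''provider "aws" {
  region     = "eu-west-1"
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}

resource "github_actions_secret" "trial_api" {
  secret_name     = "TRIAL_API_TOKEN"
  plaintext_value = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
}

resource "aws_db_instance" "trials" {
  username = "app"
  password = "Summer2023!"
}
'''

# Hardened form: the provider uses the ambient role, the token is read from
# AWS Secrets Manager at plan time, and the DB password is a sensitive variable.
HARDENED_TEMPLATE = '''provider "aws" {
  region = "eu-west-1"
}

data "aws_secretsmanager_secret_version" "trial_api" {
  secret_id = "clinical-trial/api-token"
}

resource "github_actions_secret" "trial_api" {
  secret_name     = "TRIAL_API_TOKEN"
  plaintext_value = data.aws_secretsmanager_secret_version.trial_api.secret_string
}

variable "db_password" {
  type      = string
  sensitive = true
}

resource "aws_db_instance" "trials" {
  username = "app"
  password = var.db_password
}
'''

# Known credential formats, the kind of pattern push protection matches on.
SPECIFIC = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# A quoted literal assigned to a secret-looking attribute. Terraform references
# (var.x, data.y.z) are never quoted, so a quoted value here is a hard-coded secret.
GENERIC = re.compile(r'^\s*(\w*(?:secret|password|passwd|token|key|plaintext)\w*)\s*=\s*"([^"]+)"', re.I)
# Attributes that name or locate a secret rather than hold one (assumed heuristic).
BENIGN_SUFFIXES = ("_id", "_name", "_arn", "_path")


@dataclass
class Finding:
    line: int        # line within the scanned text
    kind: str
    attribute: str   # Terraform attribute the value was assigned to
    entropy: float   # Shannon entropy in bits per character, for triage only


def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan(text):
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        attribute = line.split("=", 1)[0].strip() if "=" in line else ""
        hits = [(k, p.search(line)) for k, p in SPECIFIC.items()]
        hits = [(k, m) for k, m in hits if m]
        for kind, m in hits:
            findings.append(Finding(no, kind, attribute, round(shannon_entropy(m.group(0)), 2)))
        if hits:
            continue  # do not report the same value a second time as a generic hit
        m = GENERIC.match(line)
        if m and not m.group(1).lower().endswith(BENIGN_SUFFIXES):
            findings.append(Finding(no, "hardcoded_secret", m.group(1), round(shannon_entropy(m.group(2)), 2)))
    return findings


def scan_git_history(repo_path):
    """Scan every line ever added on any branch: deleting a secret from the
    working tree does not remove it from history. Line numbers then refer to
    the concatenated diff rather than to a file."""
    diff = subprocess.run(["git", "-C", repo_path, "log", "--all", "-p", "--no-color"],
                          capture_output=True, text=True, check=True).stdout
    added = "\n".join(l[1:] for l in diff.splitlines() if l.startswith("+") and not l.startswith("+++"))
    return scan(added)


if __name__ == "__main__":
    for label, tmpl in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(label, [(f.line, f.kind, f.attribute, f.entropy) for f in scan(tmpl)])
```

The weak template yields four findings (the AWS key pair, the GitHub token and the database password) and the hardened one none, which is the property to enforce in CI: fail the pipeline on any finding, and run the history scan once before opening a repository to a wider audience.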
