#AxisOfEasy 450: Foxconn Hit by Nitrogen Ransomware, 8 TB of Client Data Stolen


Weekly Axis Of Easy #450


Last Week’s Quote: “Every argument of ‘because of the smartphone’ or ‘the Internet’ or ‘social media’ is cope, to avoid confronting the catastrophic collapse of incumbent institutional competence over the same timeframe,” was by Marc Andreessen, whose net worth is 1.9 billion. No one got it.

This Week’s Quote:
“The problem with economic historians is that half of them are historians who don’t know any economics, the other half are economists who don’t know any history!” By ???

THE RULES:  No searching up the answer, must be posted at the bottom of this blog post, in the comments section.

The Prize:  First person to post the correct answer gets their next domain or hosting renewal on us.


This is your easyDNS #AxisOfEasy Briefing for the week of May 11th, 2026. Our Technology Correspondent Joann L Barnes and easyCEO Mark E. Jeftovic send out a short briefing on the state of the ‘net and how it affects your business, security and privacy.

To Listen/watch this podcast edition with commentary and insight from Joey and Len the Lengend click here.

In this issue:

  • Foxconn Hit by Nitrogen Ransomware, 8 TB of Client Data Stolen
  • ShinyHunters Goes Dark After Serbian Registry Suspends Clearnet Domain
  • npm Worm Hits 518M-Download Packages with Self-Destructing Malware
  • DHS Used a 1930 Customs Law to Unmask a Canadian Critic. The ACLU Is Fighting Back
  • Fake Claude Code Installer Caught Stealing Developer Credentials

Elsewhere Online:

  • Trellix and Checkmarx Face Security Breaches Linked to Source Code Access
  • Threat Actors Use AI to Generate Zero Day Code and Bypass Security
  • RubyGems Pauses New Signups Amid Major Malicious Package Attack
  • New Hacking Group Hijacks TeamPCP Victims to Steal Cloud Credentials
  • Microsoft Patches Five Critical Bugs With Near Maximum Severity Scores



Foxconn Hit by Nitrogen Ransomware, 8 TB of Client Data Stolen

Foxconn confirmed a cyberattack on its North American factories after the Nitrogen ransomware gang claimed to have stolen 8 TB of data — over 11 million files — including confidential documentation and technical drawings linked to Apple, Nvidia, Intel, Google, and Dell.

Foxconn declined to confirm client data was compromised and says production is resuming. Critically, a programming error in Nitrogen’s decryptor makes file recovery impossible even if the ransom is paid. This marks Foxconn’s third ransomware attack, following incidents involving LockBit in 2024 and a Mexico subsidiary in 2022.

More via Theregister

ShinyHunters Goes Dark After Serbian Registry Suspends Clearnet Domain

On May 11, 2026, the Serbian National Internet Domain Registry (RNIDS) suspended shinyhunte.rs, the clearnet domain of notorious hacking group ShinyHunters. Whether RNIDS acted independently or at the FBI’s request remains unconfirmed.

The suspension followed ShinyHunters’ defacement of Instructure’s Canvas LMS, which disrupted classes at hundreds of universities worldwide, accompanied by ransom demands threatening stolen data leaks. Via their still-active Tor-based onion site, ShinyHunters warned the suspended domain could be hijacked and announced all future operations would move exclusively to dark web infrastructure.

More via Hackread

npm Worm Hits 518M-Download Packages with Self-Destructing Malware

Threat actor TeamPCP’s “Mini Shai-Hulud” campaign has compromised 170+ npm and PyPI packages — including TanStack, Mistral AI, OpenSearch, and Guardrails AI — across 518 million cumulative downloads. The injected malware steals credentials from cloud, crypto, and CI systems, persists inside Claude Code and VS Code, and exfiltrates data to 400+ attacker-controlled GitHub repositories.

A dead-man’s switch wipes the developer’s machine if the attacker’s npm token is revoked. The TanStack compromise (CVE-2026-45321, CVSS 9.6) is the first npm worm to produce valid SLSA Build Level 3 provenance attestations. The Mistral AI package carries a 1-in-6 chance of full system wipe when deployed in Israel or Iran.

More via Thehackernews

DHS Used a 1930 Customs Law to Unmask a Canadian Critic. The ACLU Is Fighting Back

An anonymous Canadian man has sued DHS Secretary Markwayne Mullin after the agency issued a warrantless summons demanding Google reveal his identity, location, and private communications.

DHS cited the Tariff Act of 1930 — a customs fraud statute — to obtain records tied to his Gmail and X accounts, targeting posts criticizing the government following federal agents’ killing of Renee Good and Alex Pretti in Minneapolis. Doe hasn’t entered the U.S. since 2015. The ACLU, noting DHS has withdrawn three prior subpoenas before judicial review, is pushing for a binding legal precedent this time.

More via Reclaimthenet

Fake Claude Code Installer Caught Stealing Developer Credentials

Ontinue’s Cyber Defence Centre has uncovered a malware campaign targeting developers through sponsored search results linking to a fake Claude Code installation page at events.msft23.com.

The downloaded PowerShell script steals credentials from major Chromium browsers, bypasses Google’s encryption protections via process hollowing, and exfiltrates passwords, cookies, and payment data to mt7263.com. A scheduled task maintains persistent access. The payload matches no known malware family. Experts warn a single compromised developer workstation can expose an entire organization’s infrastructure.

More via Hackread

 


Elsewhere Online:

 

Trellix and Checkmarx Face Security Breaches Linked to Source Code Access
Read: https://www.securityweek.com/checkmarx-jenkins-ast-plugin-compromised-in-supply-chain-attack/


Threat Actors Use AI to Generate Zero Day Code and Bypass Security

Read: https://hackread.com/google-hackers-used-ai-develop-zero-day-exploit/


RubyGems Pauses New Signups Amid Major Malicious Package Attack

Read: https://thehackernews.com/2026/05/rubygems-suspends-new-signups-after.html


New Hacking Group Hijacks TeamPCP Victims to Steal Cloud Credentials

Read: https://techcrunch.com/2026/05/07/hackers-hack-victims-hacked-by-other-hackers/


Microsoft Patches Five Critical Bugs With Near Maximum Severity Scores

Read: https://www.darkreading.com/application-security/patch-tuesday-microsoft-zero-day-sight

 

 

