New Extortion Group "Pink" Targets Organizations with Vishing and Cloud Data Theft A recently identified extortion group, tracked as Pink, is leveraging voice phishing (vishing) and fake IT help-desk calls to infiltrate corporate networks, steal sensitive data, and demand ransom payments. First detected by Palo Alto Networks’ Unit 42, the group classified as cluster CL-CRI-1147 launched its data-leak site on May 31, 2026. Pink’s tactics mirror those of other cybercriminal collectives, including Lapsus$, Scattered Spider, and ShinyHunters, which have previously targeted high-profile organizations like Nvidia, Microsoft, Okta, MGM Resorts, and AT&T. These groups typically impersonate IT staff or employees to phish credentials and bypass multi-factor authentication (MFA), then exfiltrate data from cloud storage platforms such as SharePoint and OneDrive. Unit 42 analysts linked Pink to The Com, a loosely organized network of hackers, SIM swappers, and extortionists, some of whom have ties to violent crime. After monitoring multiple extortion attacks, researchers observed Pink’s operators re-engaging with a victim on June 1, 2026, via a free webmail account, providing a new qTox ID and a leak site under the Pink brand. The group sets a 72-hour deadline for ransom negotiations before leaking stolen data. Once inside a victim’s environment, Pink exfiltrates files and uses compromised accounts to send internal extortion messages via Microsoft Teams. The group reuses second-level domains for phishing, tailoring third-level domains to specific targets. Indicators of compromise include the domains passkeyadd[.]com, passkeydeploy[.]com, and deploypasskey[.]com, as well as IP addresses 185[.]178.208[.]153, 172[.]93.100[.]252, and 96[.]232.20[.]66. Observed user-agent strings during data exfiltration include Microsoft.Graph.Client/5.62.0 and python-requests/2.28.1.

Nvidia Patches 15 Security Flaws in Graphics Drivers, Including Nine High-Severity Vulnerabilities Nvidia has issued a security bulletin addressing 15 vulnerabilities in its Windows and Linux graphics drivers, nine of which are classified as high-severity. These flaws could enable attackers to compromise systems, gain administrative access, steal sensitive data, or execute arbitrary code. Affected users include owners of GeForce, Quadro, NVS, and Tesla GPUs. For Windows users with modern GeForce cards, driver versions prior to 596.36 are vulnerable, while those with GTX 10-series or older GPUs should update from versions before 482.53. The latest secure release, 596.49, was rolled out a week prior, and users with the Nvidia app installed may already have received the update. Linux users should upgrade to 590.48.01 or later, verifying their current driver version via `nvidia-smi` or `nvidia-settings`. Nvidia’s disclosure provides technical details for each vulnerability, though no active exploits have been reported at this time. Users are advised to apply updates through their respective OS package managers or Nvidia’s official channels.

ShinyHunters Claims Breach of NVIDIA GeForce NOW User Data During the week of May 2, 2026, the cybercrime group ShinyHunters advertised a purported database of NVIDIA GeForce NOW user records on an undisclosed cybercrime forum. The listing, which included sample records as evidence, claimed the dataset contained highly detailed user information, including full names, usernames, verified email addresses, dates of birth, membership status, subscription tiers, and two-factor authentication (2FA) enrollment flags. ShinyHunters described the 2FA field as metadata indicating which accounts had multi-factor authentication enabled. The group has not disclosed the total number of records, the asking price, or the specific forum hosting the listing. This follows the group’s established pattern of posting stolen data for sale with sample proofs. NVIDIA has not confirmed the breach. As of May 2, 2026, the company’s GeForce NOW status page listed only regional service delays in India and a maintenance notice for Call of Duty HQ, with no mention of a security incident. NVIDIA’s security advisories, including its GitHub-based PSIRT bulletins, also contained no references to a GeForce NOW data breach or ShinyHunters-related activity. ShinyHunters, active since 2019, has claimed responsibility for breaching approximately 100 high-profile companies and 300–400 organizations since September 2025, primarily by exploiting misconfigured Salesforce Experience Cloud guest user access controls. The group employs voice phishing and credential-harvesting tactics, often impersonating IT support to obtain single sign-on (SSO) credentials. In June 2025, law enforcement disrupted part of its operations with arrests in France and a guilty plea by a U.S.-based member. While the authenticity of the claimed breach remains unverified, the incident underscores ongoing risks associated with credential-based attacks and the potential exposure of sensitive user data.

GFN.AM Data Breach Exposes Personal Information of Early Registered Users On May 5, 2026, GFN.AM an authorized NVIDIA GeForce NOW cloud gaming service provider under "GFN CLOUD INTERNET SERVICES" LLC disclosed a data breach affecting users registered on or before March 9, 2026. Unauthorized access to the company’s backend database occurred nearly two months prior, with the intrusion detected on May 2, 2026, leaving a 54-day window for potential data exposure. The breach compromised a range of personal information, including: - Email addresses - Phone numbers (for mobile-registered users) - Dates of birth - Full names (for users who authenticated via Google Sign-In) - GFN.AM platform usernames While passwords were not exposed, the combination of leaked data particularly email addresses, phone numbers, and full names heightens risks of phishing, SIM swapping, and social engineering attacks. Users who signed in via Google are advised to review account activity due to the exposure of their full names. GFN.AM responded by securing its systems and implementing additional security measures, though the root cause whether a compromised credential, unpatched vulnerability, or misconfiguration remains undisclosed. The company has not confirmed whether affected users will receive individual notifications or if regulatory authorities have been informed. Security experts warn that the stolen data is valuable for cybercriminals, enabling targeted attacks even without password exposure. The incident underscores the growing threat of supply chain breaches, where third-party providers become entry points for attackers.

NVIDIA Patches Critical GPU Driver Vulnerabilities in High-Severity Update On January 27, 2026, NVIDIA released security updates addressing five high-severity vulnerabilities in its GPU Display Driver, vGPU platform, and HD Audio drivers, impacting millions of systems globally. The flaws, tracked under CVEs 2025-33217, -33218, -33219, -33220, and -33237, enable local privilege escalation, arbitrary code execution, and denial-of-service (DoS) attacks, with the most severe carrying a CVSS score of 7.8. The vulnerabilities stem from use-after-free and integer overflow conditions in kernel-mode components, allowing authenticated attackers to execute malicious code, gain system-level privileges, or disrupt operations without user interaction. CVE-2025-33220 poses a particularly high risk for enterprises, as it affects the vGPU Manager, enabling guest VMs to escape hypervisors and compromise host systems in cloud and data center environments. Affected products include GeForce, RTX, Quadro, NVS, and Tesla drivers across Windows and Linux, as well as vGPU software on XenServer, VMware vSphere, and Red Hat KVM. NVIDIA’s patches span multiple driver branches: - Windows: R590 (591.59), R580 (582.16), R570 (573.96), R535 (539.64) - Linux: R590 (590.48.01), R580 (580.126.09), R570 (570.211.01), R535 (535.288.01) - vGPU: 580.129.08 (XenServer), 570.211.01 (VMware), 535.288.01 (RHEL KVM) CVE-2025-33237, a medium-severity NULL pointer dereference in HD Audio drivers (CVSS 5.5), could also trigger DoS conditions. Exploitation requires only low-level local access, making these flaws attractive for lateral movement in compromised networks. NVIDIA credits researchers Kentaro Kawane, Sam Lovejoy, Valentina Palmiotti, and Thomas Keefer for responsible disclosure. Organizations are urged to prioritize updates, as unpatched systems remain exposed to kernel exploitation techniques commonly used in advanced persistent threat (APT) campaigns.

VoidLink Malware Framework Exposes Critical Gaps in Kubernetes and AI Workload Security In December 2025, Check Point Research disclosed VoidLink, a sophisticated Linux malware framework designed to infiltrate cloud-native and AI workloads, marking a shift in how threat actors target modern infrastructure. Developed by the previously unknown advanced persistent threat (APT) group UAT-9921 active since at least 2019 VoidLink is purpose-built for stealthy, long-term persistence in containerized and Kubernetes environments, rather than repurposed from legacy Windows tooling. The malware employs advanced evasion techniques, including rootkit-style tactics, in-memory execution, self-modifying code, and anti-analysis checks to remain fileless and undetectable by traditional security tools. It fingerprints its environment to identify major cloud providers (AWS, GCP, Azure, Alibaba, Tencent) and adapts its behavior based on whether it runs on bare metal, VMs, Docker containers, or Kubernetes pods. Once deployed typically via stolen credentials or exploited enterprise services like Java serialization flaws VoidLink harvests cloud metadata, credentials, and secrets, enabling command-and-control (C2), lateral movement, and internal reconnaissance. Cisco Talos highlighted VoidLink’s compile-on-demand capability, describing it as a near-production-ready foundation for AI-enabled attack frameworks that dynamically generate tools for operators. The framework’s design, deemed "defense contractor-grade," underscores a broader trend: adversaries are increasingly focusing on Kubernetes, microservices, and AI workloads as primary attack surfaces. Recent campaigns reflect this evolution. ShadowRay 2.0 and the TeamPCP worm have weaponized AI infrastructure, hijacking GPU clusters and Kubernetes environments to create self-propagating botnets using LLM-generated payloads and privileged DaemonSets. Meanwhile, container escape vulnerabilities like NVIDIAScape (CVE-2025-23266) demonstrated how minor Dockerfile misconfigurations could grant host-level root access, with researchers estimating exposure in over a third of cloud environments. The AI supply chain is also under siege, with threats ranging from LangFlow RCE enabling remote code execution and account takeovers to malicious Keras models executing arbitrary code when loaded from public repositories. Security researchers have identified nearly 100 poisoned machine-learning models on trusted platforms, revealing how even "safe" AI assets can conceal backdoors. Industry data underscores the urgency: Red Hat reports that 90% of organizations experienced at least one Kubernetes security incident in the past year, while container-based lateral movement in Kubernetes environments surged in 2025. VoidLink’s evasion tactics encrypting code, operating in memory, and tampering with user-space observability exploit a critical blind spot in many security programs. Traditional detection methods, reliant on user-space agents and log-based monitoring, struggle to counter threats designed to bypass them. To address this gap, runtime security solutions like Hypershield developed by Isovalent (now part of Cisco) leverage eBPF to provide kernel-level observability and enforcement. By deploying eBPF programs in the Linux kernel, Hypershield monitors process execution, syscalls, file access, and network activity in real time, mapping events to Kubernetes namespaces, pods, and workload identities. Cisco’s analysis demonstrates how Hypershield can track and mitigate VoidLink across its kill chain, circumventing the malware’s evasion tactics by detecting behavior directly at the kernel level. The rise of VoidLink and similar threats such as AI-driven botnets and supply chain exploits highlights a stark reality: many organizations lack visibility and control within Kubernetes environments, where AI models and core business workloads operate. While investments in endpoint, identity, and cloud monitoring have grown, they have not kept pace with the shift to workload-centric security. Integrating kernel-level runtime telemetry into SOC workflows is now critical to detecting and containing these attacks in real time. Cisco’s approach combines Hypershield’s eBPF-based enforcement with platforms like Splunk to correlate workload signals with broader security operations, offering a model for defending against cloud-native, AI-aware threats.

Nvidia advised customers to ensure mitigations against Rowhammer attacks after researchers found one of its workstation-grade GPUs is susceptible. The advisory noted that researchers at the University of Toronto demonstrated a successful Rowhammer exploitation on a NVIDIA A6000 GPU with GDDR6 memory where System-Level ECC was not enabled. The company recommended customers ensure System-Level ECC is enabled on many models in its Blackwell, Ada, Hopper, Ampere, Jetson, Turing, and Volta products.

Critical Vulnerability in NVIDIA NSIGHT Graphics for Linux Exposes Systems to Arbitrary Code Execution NVIDIA has released an urgent security update to address a high-severity vulnerability (CVE-2025-33206) in NSIGHT Graphics for Linux, which could allow attackers to execute arbitrary code on affected systems. The flaw, rated with a CVSS score of 7.8, stems from improper input validation in command processing (CWE-78), enabling attackers to inject malicious commands. To exploit the vulnerability, an attacker must have local system access and trick a user into performing a specific action. Once triggered, the flaw could lead to unauthorized code execution, privilege escalation, data tampering, or denial-of-service (DoS) attacks, posing significant risks to confidentiality, integrity, and system availability. Affected Systems & Remediation All versions of NVIDIA NSIGHT Graphics for Linux prior to 2025.5 are vulnerable. Organizations are advised to upgrade immediately to version 2025.5 or later to mitigate the risk. Until patches are applied, restricting local access and enforcing the principle of least privilege can help reduce exposure. Additional details are available on NVIDIA’s official Product Security page.

NVIDIA Patches High-Severity Vulnerabilities in CUDA Toolkit NVIDIA has released a critical security update addressing four high-severity vulnerabilities in its CUDA Toolkit, which could enable attackers to execute arbitrary code, escalate privileges, and compromise system integrity. The flaws impact NVIDIA Nsight Systems and Nsight Visual Studio Edition development tools widely used by researchers, engineers, and data center administrators. The vulnerabilities, disclosed on January 20, 2026, include command injection and DLL loading flaws with CVSS scores ranging from 6.7 to 7.3. The most severe issue (CVE-2025-33228) affects NVIDIA Nsight Systems, allowing attackers to inject OS commands via malicious input in the gfx_hotspot recipe’s process_nsys_rep_cli.py script, leading to code execution with elevated privileges. Other vulnerabilities include: - CVE-2025-33230: A command injection flaw in the Linux installer of Nsight Systems, where malicious installation paths can trigger arbitrary command execution. - CVE-2025-33231: An uncontrolled DLL search path vulnerability in Windows, enabling attackers to load malicious DLLs with application privileges. - CVE-2025-33229: A privilege escalation flaw in Nsight Visual Studio Edition’s Monitor component, allowing local attackers to execute code at elevated privileges. Affected versions include CUDA Toolkit up to 13.1 on both Windows and Linux. NVIDIA has released patches in the latest update, urging users to upgrade immediately. Unpatched systems remain at risk, particularly in research institutions, AI development teams, and data centers handling sensitive workloads. The vulnerabilities were responsibly disclosed by security researcher pwni. Organizations are advised to prioritize patching, especially in environments processing proprietary models or classified data. Additional details are available on NVIDIA’s [Product Security page](https://nvidia.com/security).

A critical vulnerability chain in NVIDIA's Triton Inference Server allows unauthenticated attackers to achieve complete remote code execution (RCE) and gain full control over AI servers. The attack exploits the server's Python backend through shared memory manipulation, leading to potential theft of proprietary AI models, exposure of sensitive data, and manipulation of AI responses. The vulnerability chain, identified as CVE-2025-23319, CVE-2025-23320, and CVE-2025-23334, poses significant risks to organizations using Triton for AI/ML operations, threatening intellectual property and operational security.

NVIDIA Patches Critical Command Injection Flaw in NSIGHT Graphics for Linux NVIDIA has issued an urgent security update to address a high-severity vulnerability (CVE-2025-33206) in NSIGHT Graphics for Linux, which could allow attackers to execute arbitrary code via command injection. The flaw affects all versions prior to 2025.5 and poses significant risks to development and graphics analysis workflows. The vulnerability, classified under CWE-78 (Improper Neutralization of Special Elements in OS Commands), carries a CVSS score of 7.8, indicating high impact on confidentiality, integrity, and availability. Exploitation requires local access and user interaction but no special privileges, making it accessible to threat actors with basic system access. Successful attacks could lead to unauthorized code execution, privilege escalation, data manipulation, or system compromise, potentially enabling theft of proprietary algorithms or persistent network access. Affected systems include all Linux deployments of NSIGHT Graphics before version 2025.5. Organizations using the tool for rendering optimization, performance analysis, or graphics profiling are urged to update immediately. NVIDIA notes that environments with restrictive local access controls or isolated workstations face lower exposure risks compared to shared development infrastructure. The patch (version 2025.5) is now available for download. While no active exploits have been reported, the vulnerability underscores the need for heightened scrutiny in graphics development pipelines.

A critical flaw, CVE-2024-0132, in NVIDIA’s Container Toolkit has remained exploitable due to an incomplete patch, leaving AI infrastructure and sensitive data at risk. This vulnerability, coupled with a newly found Docker DoS flaw on Linux, endangers systems by potentially letting attackers steal AI models, disrupt operations, or execute DoS attacks. The initial patch provided by NVIDIA was later found to be inadequate for versions 1.17.3 and below, and conditionally for 1.17.4, making them susceptible to breaches and command execution with root privileges. The Docker issue can result in CPU usage spikes and SSH access loss, disrupting services and rendering systems unresponsive. The exposure primarily affects organizations using these tools for AI or cloud workloads, including industries like healthcare, finance, and autonomous systems.

Ransomware Evolves: From Encryption to Data Extortion and Corruption Cybercriminals behind ransomware attacks are shifting tactics, moving away from traditional full encryption toward faster, more flexible extortion methods. This evolution reflects a broader trend where threat actors prioritize efficiency, leverage stolen data, and adapt to defensive measures creating a spectrum of data-destructive techniques. ### The Shifting Ransomware Landscape Once defined by full data encryption, ransomware operations now encompass a range of strategies, from pure data theft to partial or intermittent encryption. This shift is driven by the need for speed, reduced detection risk, and the growing profitability of extortion. Ransomware-as-a-Service (RaaS) programs have further lowered the barrier to entry, enabling even low-skilled actors to launch sophisticated attacks with support structures akin to legitimate businesses. ### The Spectrum of Data Extortion Modern ransomware operators now occupy different positions on a "data destructiveness" spectrum: - No Encryption, Pure Extortion: Groups like Karakurt and Lapsus$ bypass encryption entirely, instead stealing sensitive data and threatening to leak or auction it. Karakurt, linked to the defunct Conti syndicate, targets organizations across industries by exploiting vulnerabilities in exposed services (e.g., outdated Fortinet VPNs) or purchasing access from initial access brokers (IABs). Lapsus$, known for high-profile breaches (Nvidia, Samsung, Okta, Microsoft), relies on stolen credentials, phishing, and social engineering including SIM-swapping to bypass multi-factor authentication (MFA). Unlike Karakurt, Lapsus$ also seeks notoriety alongside financial gain. - Data Corruption: Some actors, like those using the Exmatter tool, corrupt files by replacing chunks of data with unrelated content. This method is faster than encryption, harder to reverse, and eliminates the risk of decryption tools being developed by researchers. Corruption also avoids the technical complexities of encryption, reducing the chance of implementation flaws. - Partial Encryption: Ransomware families like BlackCat, BlackBasta, Agenda, Qyick, and the newer Royal employ intermittent encryption, targeting only portions of files. This approach speeds up attacks especially for large files while evading detection by security tools that monitor file I/O intensity or entropy changes. Royal, for example, skips encrypting blocks of data based on operator-defined parameters, balancing speed and impact. ### Why the Shift? Several factors drive this evolution: - Speed: Full encryption is time-consuming and increases the risk of detection. Partial encryption or corruption allows attackers to move quickly, demanding ransoms before defenses can respond. - Leverage: Stolen data alone can be enough to extort victims, particularly if it includes sensitive or proprietary information. Threatening leaks or auctions adds pressure without the need for destructive payloads. - Avoiding Decryption: Corruption and partial encryption reduce the likelihood of security researchers developing decryption tools, as seen with past ransomware strains like Lorenz and MafiaWare666. - Hybrid Models: Some actors may switch between pure extortion and destructive techniques based on the value of stolen data, adopting a flexible approach to maximize payouts. ### Future Trends The ransomware ecosystem is expected to diversify further, with: - More extortion-only groups emerging, particularly those targeting high-value data without deploying ransomware. - Increased use of corruption and partial encryption to balance speed and impact. - Hybrid attacks where actors combine data theft with selective destruction, tailoring their approach to the victim’s profile. This shift underscores the professionalization of cybercrime, where threat actors refine tactics to evade defenses, exploit vulnerabilities, and maximize profits whether through encryption, corruption, or pure extortion. As the landscape evolves, defenders must adapt to a broader range of attack methods beyond traditional ransomware.

America-based microchip company Nividia was recently hit by a cyber attack. The company's internal systems including email and developer tools were completely compromised. As for now, no data leak has been reported and the company has shut down its systems to contain the attack.

RansomHub Claims Theft of Sensitive Data from Luxshare, Impacting Apple, Nvidia, and Other Tech Giants The RansomHub ransomware-as-a-service operation has alleged a breach of Luxshare, a key Chinese manufacturer supplying components for Apple, Nvidia, Tesla, LG, and other major tech firms. According to a post on RansomHub’s leak site, the attack occurred on December 15, resulting in the theft of highly sensitive data. The stolen archives reportedly include 3D CAD product models, engineering documentation, Parasolid files, 2D CAD drawings, mechanical and electrical design data, PCB manufacturing files, and confidential repair and shipping project details linked to Apple and Luxshare. A sample analysis revealed personally identifiable information (PII) of individuals involved in projects spanning 2019 to 2025. While Luxshare has not confirmed the breach, the exposed data could enable counterfeit manufacturing and uncover supply chain vulnerabilities, potentially leading to further cyber intrusions. The incident underscores the risks of third-party supplier breaches in global tech supply chains.

Luxshare Hit by RansomHub Ransomware Attack, Exposing Sensitive Tech Data A major data breach at Luxshare, a critical Apple supplier based in China, has been claimed by the ransomware group RansomHub. The attackers allege they stole highly sensitive engineering and business data, including confidential information tied to Apple, Nvidia, LG, Tesla, and other tech giants. According to posts on a dark web forum last month, the stolen data includes 3D CAD models, engineering designs, device repair details, shipping timelines, and PCB manufacturing files, with records dating from 2019 to December 2025. The breach may also contain personal identifiable information (PII) of employees involved in these projects, including Apple staff collaborating with Luxshare. RansomHub accused Luxshare of attempting to conceal the incident internally, urging the company to engage with them to prevent public leaks. The group warned that the data could be used for reverse engineering, counterfeit production, or supply chain attacks, exposing hardware vulnerabilities and chip designs. If confirmed, the breach could have severe implications for Luxshare and its partners, potentially enabling competitors to bypass years of R&D or exploit firmware weaknesses. Neither Luxshare nor Apple has publicly acknowledged the attack. Luxshare plays a pivotal role in manufacturing key Apple products, including the iPhone, Apple Watch, and AirPods. The full extent of the breach remains unclear, but the exposed data could impact future product security and industry competition.

Luxshare Hit by Ransomware Attack, Exposing Sensitive Apple and Client Data In December 2025, Luxshare, a key Apple supply chain partner, suffered a ransomware attack that resulted in the theft of highly sensitive data. The breach, which occurred on December 15, was later claimed by the hacking group RansomHub, which posted the stolen files for sale on the dark web. The attackers allege they obtained a trove of confidential documents, including 3D CAD models, engineering schematics, product repair and shipping timelines, and personal data of employees dating back to 2019. Among the compromised files were Gerber and .dwg design files, as well as electronic and mechanical component documentation critical assets for product manufacturing. Luxshare, a contract manufacturer, works with multiple major tech firms, and the stolen data reportedly includes proprietary information from Apple, Nvidia, LG, Geeky, and Tesla. For Apple, Luxshare has been involved in projects such as iPhone, MacBook, and Apple Watch production, making the breach particularly damaging. The implications of the attack are far-reaching. Competitors could exploit the leaked designs to reverse-engineer products or develop counterfeits, while cybercriminals may use the data to identify new vulnerabilities in Apple’s hardware. Though the breach does not directly affect end users, it could disrupt supply chains, leading to production delays or security risks in future Apple devices. Neither Luxshare nor Apple has officially acknowledged the incident, but the leaked files appear legitimate, raising concerns about the broader impact on the tech industry’s supply chain security.

RansomHub Breach Exposes 1TB of Apple and Tech Giants’ Confidential Data In December 2024, Luxshare a key Apple manufacturing partner based in Shenzhen, China suffered a major ransomware attack by the cybercriminal group RansomHub, resulting in the theft of over 1TB of sensitive data. The breach, disclosed on a dark web forum on December 15, 2024, allegedly includes confidential files from Apple, Nvidia, Tesla, LG, and other tech companies, with attackers threatening to leak the data unless an undisclosed ransom is paid. The stolen material spans projects from 2019 to 2025 and includes highly sensitive engineering documents, such as 3D CAD models, circuit board layouts, mechanical component designs, and internal repair procedures. The leak also contains personally identifiable information (PII) of employees involved in Apple projects, including names, job titles, and work email addresses. Security experts warn that the exposed data could enable reverse engineering of Apple products, facilitate counterfeit manufacturing, and reveal hardware vulnerabilities for future exploits. Access to detailed circuit board specifications may also aid in developing firmware attacks or supply chain compromises, while the leaked employee data increases the risk of targeted phishing campaigns. Luxshare, which employs over 230,000 workers and generates $37 billion in annual revenue, plays a critical role in Apple’s supply chain, assembling iPhones, AirPods, Apple Watches, and Vision Pro headsets. The company’s prominence grew after production disruptions at Foxconn, Apple’s primary assembler. RansomHub, first identified in 2024, has rapidly become one of the most active ransomware groups, targeting industrial manufacturing and healthcare sectors. The group emerged following the shutdown of ALPHV (BlackCat) and, according to a CISA advisory, breached nearly 500 victims in 2024 alone. Neither Apple nor Luxshare has confirmed the breach or responded to the attackers’ claims.

Luxshare Hit by Alleged Ransomware Attack, Exposing Sensitive Data from Apple, Nvidia, and Others In December, Luxshare Precision Industry a major Chinese electronics manufacturer and key Apple supplier was reportedly targeted in a ransomware attack. The threat actors, operating under the RansomHouse group, claim to have encrypted company systems and exfiltrated sensitive data tied to multiple high-profile customers. As proof, the attackers leaked samples of stolen R&D data, including internal documentation, employee records, and product design files spanning 2019 to 2025. The compromised materials appear to cover Apple-Luxshare manufacturing workflows, as well as proprietary engineering data linked to Nvidia, LG, Geely, Tesla, and other global tech firms. Among the stolen files are 3D CAD models, high-precision geometric data, 2D component drawings, PCB designs, and confidential engineering schematics all protected under non-disclosure agreements. The attackers publicly urged Luxshare to engage with them, warning that failure to do so would result in further leaks of confidential projects. Neither Luxshare nor Apple has officially confirmed the breach, though cybersecurity analysts suggest the leaked evidence appears legitimate. Security experts warn that if verified, the incident represents a significant intellectual property breach with far-reaching consequences. Damon Small of Xcape Inc. noted that the theft of CAD designs, circuit board layouts, and product files could enable industrial espionage or counterfeit operations, extending risks beyond financial motives. The attack highlights vulnerabilities in the hardware supply chain, where a single breach at a major supplier can expose the trade secrets of multiple multinational corporations. The incident underscores the growing trend of ransomware groups targeting upstream suppliers to maximize data theft across interconnected industries. As manufacturing partners handle increasingly sensitive design files, their cybersecurity resilience becomes critical to protecting the competitive edge of global tech ecosystems.

On December 22, 2014, the California Office of the Attorney General reported a data breach at Nvidia Corporation that occurred on October 8, 2014. The breach involved unauthorized access to employee usernames and passwords, and no other data is reported to have been accessed.