Foxconn Hit by Nitrogen Ransomware — 11M Files Across Apple, NVIDIA, Google
Foxconn confirmed a cyberattack on its North American factories. Nitrogen ransomware claims 8TB and 11M+ files including Apple, NVIDIA, Google, Intel, and Dell project documentation. The Mount Pleasant AI server factory was offline for a week.
The world's largest contract electronics manufacturer just got ransomwared, and the Nitrogen group claims 8 terabytes of design files spanning Apple, NVIDIA, Google, Intel, and Dell projects — turning the year's biggest manufacturing breach into a multi-customer supply chain risk story.
MOUNT PLEASANT, WI — Foxconn confirmed on May 12, 2026 that some of its North American factories were hit by a cyberattack. The Nitrogen ransomware group claimed responsibility one day earlier, listing Foxconn on its dark web leak site and asserting it stole 8 terabytes of data comprising more than 11 million files. Per the leak post, the stolen archive includes "confidential instructions, projects, and drawings from Intel, Apple, Google, Dell, Nvidia, and many other projects." The attack centered on Foxconn's Mount Pleasant, Wisconsin facility — the AI server production hub recently expanded with $569 million in investment.
Network outages at Mount Pleasant began around 3:30 AM ET on May 1, 2026, with third-shift workers stopping production. Wi-Fi was cut off at 7 AM ET, and managers sent first-shift workers home by 11 AM ET. Production was disrupted for approximately a week before resuming around May 12. The downstream supply chain implications matter beyond conventional ransomware: Foxconn is the contract manufacturer behind essentially every Apple iPhone, much of NVIDIA's AI server hardware, and significant Google, Intel, and Dell infrastructure. The breach lands inside the broader 2026 ransomware sweep affecting critical infrastructure adjacencies, including West Pharmaceutical Services' disruptive ransomware disclosure earlier this month.
The Mount Pleasant outage week
The operational picture at Mount Pleasant reads like a textbook ransomware response. Third-shift workers stopped production at 3:30 AM ET on May 1 when the network went down. First-shift workers arrived at 7 AM ET to find no Wi-Fi. Managers sent them home by 11 AM ET. For the next week, timecard terminals were dead and employees filled out paper timesheets. One unnamed worker told ThreatAft: "We were told to turn off our computers and not log back in under any circumstances. The timecard terminals were dead. We were filling out paper timesheets just to track our hours." Foxconn confirmed production was resuming as of May 12.
The targeting of the Mount Pleasant facility is operationally significant. Mount Pleasant is the Wisconsin hub of Foxconn's AI server production, expanded with $569 million in capital investment within the past 18 months. AI server manufacturing for NVIDIA and downstream cloud customers runs through this facility. A week of disrupted production is meaningful at this site in a way it wouldn't be at a more generic assembly plant. Alex Holden, founder of Hold Security, told TMJ4 the breach is "not a total breach of Foxconn cybersecurity systems. It seems to be a localized breach based on the amount of data stolen or claimed to be stolen." Localized or not, the customer-facing impact is the same: design files from at least five major customers are now claimed exfiltrated.
Nitrogen ransomware: Conti-derived, financially motivated, and broken
Nitrogen is a financially motivated ransomware operation that emerged in 2023 and uses a builder derived from the now-defunct Conti ransomware. Barracuda Networks describes the group as "a sophisticated and financially motivated threat group that was first observed as a malware developer and operator in 2023." The group operates a double-extortion model (encrypting files and threatening to leak exfiltrated data unless paid), and researchers have flagged possible operational ties to BlackCat/ALPHV.
There is one structural quirk in Nitrogen tradecraft that matters for negotiation strategy. Coveware research has documented that Nitrogen's ESXi encryptor has a critical flaw: during encryption, file public keys get corrupted. Even victims who pay the ransom cannot reliably receive working decrypted files. For incident responders, this changes the negotiation math. The leverage Nitrogen claims to hold over encrypted-data restoration may be illusory; the only real leverage is the leak threat over exfiltrated data. Defenders weighing payment should assume any operational restoration claim is unreliable.
The contract manufacturer vendor-risk story defenders haven't been pricing in
Foxconn's named customers — Apple, NVIDIA, Google, Intel, Dell, AMD — sit upstream of the Foxconn manufacturing relationship. Each holds proprietary designs, schematics, BOMs, and component specifications at Foxconn for manufacturing execution. The 11 million files Nitrogen claims to have exfiltrated, if authentic, would include technical drawings and project documentation from at least five of those customers. AppleInsider's analysis of the Nitrogen post specifically concluded: "It does not look like Nitrogen obtained any Apple schematics, documentation related to Foxconn's Apple product development teams, or Apple quality control data." The same analysis flagged confidential AMD, Google, and Intel projects as at risk of exposure. Mark Henderson of AppleInsider noted that "the topology specs for Google and Intel are the real concern."
The strategic frame for CISOs is that contract manufacturers — typically lower-priority entries in vendor risk registers — hold concentrated downstream-customer IP. Foxconn, Pegatron, Quanta, Compal, Wistron, and Inventec collectively manufacture much of the world's consumer electronics and AI hardware. Their security postures affect every customer they serve. The pattern echoes the broader supply chain trust crisis defenders have been tracking through 2026, including the Mini Shai-Hulud npm worm and CISA's CI Fortify guidance for critical-infrastructure operators — except this time the trust failure runs through physical manufacturing supply chains rather than software ones.
The CyberSignal Analysis
Signal 01 — Contract manufacturer security is a vendor-risk register gap most organizations have
Most enterprise vendor risk programs treat contract manufacturers as procurement relationships, not security relationships. The Foxconn case is documented evidence that this framing is incomplete. A contract manufacturer with poor security posture is a documented IP exposure point — and the customer organizations bear the downstream consequences (design exposure, competitive intelligence loss, regulatory disclosure, trade secret litigation). CISOs at organizations that contract manufacturing to Foxconn, Pegatron, Quanta, or peers should treat the May 12 disclosure as the trigger for a contract manufacturer security review this quarter. The specific questions to ask: which proprietary data sits at the contract manufacturer, what is their incident-response and breach-notification posture, and what does your contract say about indemnification and notification timing?
Signal 02 — Manufacturing OT outages now cost about a week at affected facilities, with cascading supplier impact
The Mount Pleasant operational shutdown produced about a week of lost production at a major AI server facility. Apply the pattern to your own operational footprint: if a single facility loses a week of production to ransomware, what's the cascading impact on your customer delivery commitments, on your downstream supplier schedules, on your revenue recognition, and on your customer relationships? Foxconn is large enough to absorb a one-facility outage; many manufacturers are not. Pre-script the multi-day OT outage scenario in your business continuity playbook this quarter. Paper-based backup processes, manual workflows, and backup time-tracking systems are not novel asks — they are the tested resilience patterns the Mount Pleasant workforce just demonstrated.
What to do this week
- Engage your contract manufacturers for a specific impact statement. If your organization uses Foxconn, Pegatron, Quanta, Compal, Wistron, Inventec, or peers, request specific information about which of your products' data sits at the contract manufacturer, what security controls protect it, and what breach-notification commitments you have. Generic "production resuming" framing is not enough.
- Audit your IP exposure at contract manufacturers. Inventory the schematics, drawings, BOMs, and proprietary specifications stored on contract manufacturer systems. Document the data minimization rationale — what specifically must be there versus what could be retained in-house. The data minimization principle California just enforced against GM applies to manufacturing relationships too.
- Update your vendor risk register to reflect contract manufacturer security as a documented attack surface. Request SOC 2 reports, penetration testing summaries, and incident response documentation from critical contract manufacturers. Establish breach notification SLAs in contract amendments.
- Pre-script the multi-day OT outage scenario. If your operations sit at a single facility, document what one week of downtime means for revenue, customer delivery, and downstream suppliers. Paper-based fallback processes are tested resilience patterns; the Mount Pleasant workforce just demonstrated them under live conditions.
- Brief boards on the contract manufacturer concentration question. The Foxconn case demonstrates that supply chain cyber risk extends beyond software supply chains into physical manufacturing. Update your strategic risk briefing accordingly and consider whether your contract manufacturer portfolio is sufficiently diversified.