Foxconn confirmed last week that an unauthorized intrusion affected its North American operations, including manufacturing facilities in Mount Pleasant, Wisconsin and Houston, Texas. The Nitrogen ransomware group claimed responsibility the following day, posting on its dark-web leak site that the group exfiltrated approximately eight terabytes of data and more than 11 million documents, including confidential project documentation and technical drawings tied to Apple, Nvidia, Intel, Google, and Dell.

Foxconn has not commented on the specific data claims. The company has confirmed that operations at the affected facilities were temporarily disrupted and that it is working with external forensic specialists and law enforcement. Production has since resumed at the affected sites, though the company has declined to detail the recovery procedure or to say whether ransom negotiations took place.

Nitrogen, active since 2023, is believed to be built on leaked Conti version 2 builder code, and multiple researchers have linked it to infrastructure that overlaps with the ALPHV/BlackCat ecosystem. The group runs a double-extortion model: encrypt the victim’s systems, exfiltrate the data, and publish portions of it on a leak site as pressure during ransom negotiations. The leak-site post in this case includes screenshots that appear consistent with the kinds of supplier-level documentation a contract manufacturer would hold.

For security leaders at the major OEMs whose names appeared in the leak post, the operational question is real. Contract manufacturers and other supply-chain intermediaries hold an enormous volume of design, engineering, and roadmap data that the original equipment manufacturers themselves treat with the strictest internal controls. The third-party risk programs that govern these relationships have, in many cases, not been updated to reflect the threat environment of 2025-2026.

The broader lesson is one the industry has been resisting for years. Contract manufacturers and other tier-one suppliers are increasingly the soft path to high-value intellectual property, and the response from OEMs has largely been to add contractual indemnification clauses rather than to substantively improve the cybersecurity posture of the supply chain. The Foxconn incident is likely to accelerate a different conversation: should the OEMs underwrite the security investments their largest suppliers require? Several CISO communities are already discussing the question.

Watch for downstream disclosure requirements from the OEMs named in the leak post, and for the inevitable wave of phishing campaigns that will use the leak as pretext over the next 60 days.