Direction générale de la Comptabilité publique et du Trésor
May 10, 2026
•[ cyberattack, data exfiltration, leak site ]
Senegal's Direction générale de la Comptabilité publique et du Trésor reported an incident affecting part of its information systems beginning May 10, 2026 and activated continuity measures. Senegalese and cyber-specialist reporting later described the incident as a cyberattack, with AuditTeam claiming exfiltration of more than 70 GB of sensitive data and listing the target on a leak site. Public reporting did not confirm the full data set, final recovery date, or whether personal data was included.
Arbeitsgemeinschaft Wirtschaftlichkeitsprüfung Niedersachsen e.V. (Arwini)
May 5, 2026
•[ ransomware, data exfiltration, health information ]
Kairos ransomware actors attacked Arbeitsgemeinschaft Wirtschaftlichkeitsprüfung Niedersachsen e.V. (Arwini), the prescription-review association for statutory health insurance prescriptions in Lower Saxony. Police confirmed Kairos was responsible, that ransomware was used to encrypt data, and that data exfiltration occurred. Potentially affected data included contact, health, and billing information for patients; more than 70,000 records may have been stolen, though the exact scope remained under investigation.
West Pharmaceutical Services
May 4, 2026
•[ ransomware, data exfiltration, encryption ]
West Pharmaceutical Services detected a ransomware intrusion on May 4, 2026. The company reported that attackers exfiltrated data and encrypted systems, prompting containment actions and disrupting manufacturing, shipping, and receiving operations across multiple global facilities. Public reporting did not identify the threat actor or specify the volume or type of exfiltrated data.
Undisclosed Malaysian government entity
April 30, 2026
•[ espionage, vulnerability exploitation, unpatched software ]
Shadow-Earth-053, a China-aligned espionage cluster, was reported to have compromised an undisclosed Malaysian government environment by exploiting unpatched Microsoft Exchange and IIS servers, deploying web shells and ShadowPad, collecting credentials, and exporting mailbox contents.
Tessco Technologies
April 30, 2026
•[ ransomware, data exfiltration, data leak ]
On April 30, 2026, the ransomware group PayoutsKing claimed to have exfiltrated and encrypted 615 GB of data from Tessco Technologies, a U.S. wireless communications products distributor, including contact information for over 100,000 individuals and Salesforce records for more than 500,000 customers.
Undisclosed Pakistani government entity
April 30, 2026
•[ cyber espionage, Shadow-Earth-053, Microsoft Exchange ]
Shadow-Earth-053, a China-aligned espionage cluster, was reported to have compromised an undisclosed Pakistani government environment by exploiting unpatched Microsoft Exchange and IIS servers, deploying web shells and ShadowPad, collecting credentials, and exporting mailbox contents.
Undisclosed Thai government entity
April 30, 2026
•[ espionage, vulnerability exploitation, web shells ]
Shadow-Earth-053, a China-aligned espionage cluster, was reported to have compromised an undisclosed Thai government environment by exploiting unpatched Microsoft Exchange and IIS servers, deploying web shells and ShadowPad, collecting credentials, and exporting mailbox contents.
Undisclosed Sri Lankan government entity
April 30, 2026
•[ cyber espionage, Shadow-Earth-053, unpatched servers ]
Shadow-Earth-053, a China-aligned espionage cluster, was reported to have compromised an undisclosed Sri Lankan government environment by exploiting unpatched Microsoft Exchange and IIS servers, deploying web shells and ShadowPad, collecting credentials, and exporting mailbox contents.
BePrime
April 20, 2026
•[ unauthorized access, missing MFA, credential leak ]
BePrime, a managed cybersecurity services provider in Mexico, was breached in April 2026 after attackers accessed administrator accounts lacking MFA, exfiltrating 12.6 GB of data that included plaintext credentials, client penetration testing reports, Cisco Meraki API keys controlling 1,858 network devices, and live surveillance camera feeds from client offices.
Nigeria's Corporate Affairs Commission (CAC)
April 15, 2026
•[ unauthorized access, data exfiltration, data breach ]
Nigeria's Corporate Affairs Commission confirmed unauthorized access to limited aspects of its information systems; ByteToBreach claimed it exfiltrated about 25 million documents, roughly 750 GB, from CAC infrastructure, but CAC did not confirm the volume or identify the perpetrator.
At least one Chrome user
April 14, 2026
•[ malicious extensions, credential theft, session hijacking ]
A coordinated campaign used 108 malicious Chrome extensions published under five developer identities to route stolen credentials, user identities, browsing data, Google account information, and Telegram Web session data to shared command-and-control infrastructure. The extensions collectively had about 20,000 Chrome Web Store installs and could inject ads or arbitrary JavaScript into visited pages and open arbitrary URLs through browser-level abuse.
Undisclosed United Kingdom organization
April 7, 2026
•[ ransomware, data exfiltration, cybercrime ]
Microsoft reported that Storm-1175, a financially motivated cybercrime actor linked to Medusa ransomware, heavily impacted organizations in Australia, the United Kingdom, and the United States by exploiting vulnerable web-facing systems, exfiltrating data, and deploying ransomware. This row represents the undisclosed United Kingdom victim component of the country-level coding approach.
Undisclosed Australian organization
April 7, 2026
•[ ransomware, Medusa ransomware, data exfiltration ]
Microsoft reported that Storm-1175, a financially motivated cybercrime actor linked to Medusa ransomware, heavily impacted organizations in Australia, the United Kingdom, and the United States by exploiting vulnerable web-facing systems, exfiltrating data, and deploying ransomware. This row represents the undisclosed Australian victim component of the country-level coding approach.
Undisclosed United States organization
April 7, 2026
•[ ransomware, cybercrime, data exfiltration ]
Microsoft reported that Storm-1175, a financially motivated cybercrime actor linked to Medusa ransomware, heavily impacted organizations in Australia, the United Kingdom, and the United States by exploiting vulnerable web-facing systems, exfiltrating data, and deploying ransomware. This row represents the undisclosed United States victim component of the country-level coding approach.
Undisclosed critical infrastructure organization
April 6, 2026
•[ Chinese-nexus intrusions, critical infrastructure, lateral movement ]
Darktrace reported Chinese-nexus intrusions affecting critical infrastructure organizations, with some high-value intrusions involving lateral movement before data exfiltration.
National Health Insurance Company (CNAM)
April 1, 2026
•[ cyberattack, data exfiltration, health insurance ]
CNAM confirmed a cyberattack that may have resulted in limited data exfiltration from Moldova's health insurance database.
Remita Payment Services Ltd
March 31, 2026
•[ data exfiltration, KYC documents, database leak ]
Remita Payment Services Ltd was named in Nigerian data-protection investigations after ByteToBreach claimed to have exfiltrated approximately 3 TB of data from Remita-linked systems, including KYC documents, databases, logs, backups, source code, password hashes, and customer and employee records. The Nigeria Data Protection Commission served notices of investigation on April 1, 2026, and the claimed data theft remains under investigation.
ZenBusiness
March 27, 2026
•[ data breach, extortion, ransomware ]
In March 2026, the hacker and extortion group "ShinyHunters" claimed to have obtained a substantial corpus of data from ZenBusiness, a business formation and compliance platform. The group claimed the data had been exfiltrated from platforms including Snowflake, Mixpanel and Salesforce, and threatened to publish it if a ransom was not paid. The following month, after claiming payment had not been made, ShinyHunters publicly released the data. The collection amounted to many terabytes across thousands of files that appeared to originate from multiple systems and business functions, including leads, support records and other CRM-related data. The data contained approximately 5M unique email addresses, often accompanied by name and phone number depending on the source file.
LiteLLM
March 24, 2026
•[ supply chain attack, malware, credential theft ]
TeamPCP used compromised release access to publish malicious LiteLLM versions to PyPI, embedding code that exfiltrated secrets and established persistence on systems that installed the poisoned packages.
Le Centre national des œuvres universitaires et scolaires
March 23, 2026
•[ data leak, data exfiltration, personal information ]
The Cnous said data was exfiltrated from its mesrdv.etudiant.gouv.fr appointment platform, exposing personal information from student social-services and housing appointments taken over the past ten years.