Comment from Per Hansen, Investment Economist, Nordnet
Novo Nordisk confirmed last week that they had been subjected to unlawful intrusion into their systems. So far it has had no effect on the share price, but in the short term it may come.
Novo Nordisk sent out a special stock exchange announcement during the week (11/6). It said that they had established that unauthorised persons had penetrated the systems.
At that time the story probably/predominantly had no effect on the share price.
That probably still holds.
Yesterday Reuters reported on a development in the case, in which the extortionists have so far unsuccessfully tried to get USD 25 million out of Novo Nordisk. Link: https://www.reuters.com/legal/government/hacking-group-claims-major-hack-novo-nordisk-attempted-25-million-extortion-2026-06-16/
Several reasons for sending a stock exchange announcement
When Novo Nordisk sends a stock exchange announcement last Friday, it is probably due, among other things, to 1) the matter possibly being serious and, not least, 2) consideration for the USA and the listing the company has there. If lawyers see the share price fall, should that happen, without Novo Nordisk having announced an unlawful intrusion, and the attack then comes to light, it will most likely lead to a lawsuit, which can be expensive. Even though Novo Nordisk is the injured party. It is not certain that important data has been compromised, but it is a possibility that must be taken seriously.
Novo Nordisk has apparently been hacked at least twice. It is an embarrassing affair. Some heads will probably roll.
It apparently concerns both patient data and compound data.
In a year the matter will probably be forgotten among shareholders, but right now all the red lights are probably flashing in every IT department.
Hacking group claims major hack of Novo Nordisk and attempted $25 million extortion
https://www.reuters.com/legal/government/hacking-group-claims-major-hack-novo-nordisk-attempted-25-million-extortion-2026-06-16/
> VX-Underground, a malware research and repository site, reported separately on Monday about an unnamed hacker having compromised Novo Nordisk. FulcrumSec said in its message that its attack is separate.
I have just read the text below. It is completely wild if it is true. I would rather not copy the whole text, because I do not want to make myself guilty of theft of IP and/or a breach of GDPR.
4,748 source code repositories • 41,144 proprietary drug compounds with structures • 3 of 33 proprietary AI models released as proof samples (~7 GB); 30 models + 70 datasets (~1.05 TB) withheld • ~11,500 pseudonymised clinical trial patients • 163,234 employee records • the exact manufacturing recipe for Amycretin, the drug that added $80 billion to Novo's market cap in a single day • 5 undisclosed drug programmes that do not appear anywhere in Novo's public pipeline or SEC filings
Novo Nordisk A/S is the most valuable pharmaceutical company on earth. Headquartered in Bagsværd, Denmark. Market capitalisation approximately $400 billion. Maker of Ozempic, Wegovy, and the reason your neighbour won't shut up about how easy it was to lose thirty pounds. Annual revenue $34 billion. Approximately 70,000 employees. They spend more on R&D in a quarter than most biotech companies raise in a lifetime.
Their pharmacovigilance middleware - the system that processes reports of patients dying, having strokes, going into comas, or attempting suicide while on their drugs - is encrypted with the password novo123. A second master key, p_assw0?rd, protects the TLS keystore. These passwords are hardcoded across at least four production MuleSoft repositories. We wish we were joking.
We gained initial access through secrets left in client-side JavaScript on two separate unrelated Novo Nordisk subdomains - two completely different teams, two different applications, the same elementary mistake made twice. We had never seen this sort of double leakage, discovered just days apart. The first was an Azure DevOps token baked into the JavaScript bundle on dev.nnedl.pub.aws.novonordisk.com. The second was a GitHub Personal Access Token sitting in the client-side code on datahub-sand.novonordisk.com, with access to hundreds of private repositories. Those repositories were packed with more secrets - API tokens, database credentials, service account passwords - that enabled lateral movement and spidering through Novo's systems.
It remains astonishing to us, even now that we have seen this pattern again and again, that a $400 billion corporation with a dedicated cybersecurity division cannot be bothered to monitor their frontend bundles. That they could not detect unknown IPs raiding their cloud services for weeks and months before responding (or never detecting us at all, in the case of their HuggingFace and Okta accounts).
Azure Container Registry credential in minified JavaScript bundle on dev.nnedl.pub.aws.novonordisk.com
GitHub PAT in client-side JavaScript on datahub-sand.novonordisk.com
From those two credentials, we moved laterally through Novo's GitHub, AWS, HuggingFace, and other cloud environments over a period of more than two months. The GitHub PAT alone gave us access to over a thousand private repositories, many containing hardcoded credentials for production systems, allowing us to spider our way throughout Novo's various cloud systems. Here is what we reached:
4,748 source code repositories across Azure DevOps (95 organisations, 3,355 repos) and GitHub (14 organisations, 2,393 repos) - drug formulas, manufacturing processes, clinical trial code, financial models, RNAi pipeline, pharmacovigilance systems, and 50+ additional hardcoded production credentials
CDD Vault - Collaborative Drug Discovery database acquired with Forma Therapeutics: 41,144 proprietary molecules with SMILES structures, 4,693 experimental runs, 47,680 compound batches, 165 assay protocols, 4,604 raw assay files (26GB), 6,477 analytical spectra PDFs (4.4GB), 22 safety pharmacology files. Accessed via API token found in repo source code.
HuggingFace - 1.06TB total: 33 proprietary AI models and 75 datasets across 4 organisations. Nanobody design, chemical language models, cell imaging, patent drafting, clinical reasoning. Accessed via HuggingFace WRITE token found in repo source code.
Confluent Schema Registry - 452 Avro schemas from the "KAREN" Kafka platform exposing the complete data architecture of Novo's clinical trial management (COSMOS) and regulatory submission (Veeva RIM) systems. 78 clinical entities, 37 regulatory entities, 13,763 fields. Accessed via HTTP Basic credentials found in repo source code.
COSMOS Clinical Data API - 18 clinical trials, 661 sites across 43 countries, 2,852 named clinical trial personnel with emails and phone numbers, study milestone timelines. Accessed via unsigned JWT bypass (alg:none) on the DEV environment.
Employee, doctor, and patient PII - 163,234 employee HR records (SAP SuccessFactors), ~11,500 pseudonymised clinical trial patients across 6 trials, 46,843 Danish healthcare professionals and 506,007 IQVIA investigators (both withheld per agreement), 2,852 clinical trial personnel with names, emails, and phone numbers (withheld per agreement)
OT/SCADA data - 52 PI system tag mappings for production fermenters (161C, 166C), ammonia flow controllers, antifoam valves, stirring power; plus purification recipes for Amycretin and Ziltivekimab from a custom SCADA system for downstream processing pilot plants. We are withholding this data from all public releases due to the potential for serious physical harm as part of our harm-minimisation strategy; we do not want to be responsible for publishing data that could endanger manufacturing operations or patient safety
Infrastructure and misc. - Weights & Biases (2,205 ML training runs), Okta (2,640 enterprise accounts), 5 AWS S3 accounts (data lake, Veeva clinical documents, StudyHub), Azure Blob (IQVIA, Citeline, COSMOS, Medidata, TriNetX landing zones), Databricks (StudyHub ETL, agentic study ontology notebooks).
Novo's security team detected us in their GitHub accounts after roughly two weeks, and Azure after three - we know this because we watched them begin rotating credentials - but by then we had exfiltrated everything of value from those environments. Throughout these two months, they never detected us in their enterprise HuggingFace and Okta accounts, which remained accessible right up until we contacted them.
Novo replied to our outreach and engaged with us for several weeks, going through the verification process that companies always do to verify we have what we say we do. Right up until they publicly disclosed the breach on Thursday, 11 June, at which point they went dark.
That's right; we were social-engineered by one of the world's biggest pharmaceutical corporations. They replied to our outreach solely to buy time while they prepared internally for disclosure. We do not like the deception, but we respect the artistry.
We reached back out to Novo and offered to refrain from leaking the serious PII from the breach data (46,843 Danish physicians, the 506,007 IQVIA investigators, and the 2,852 clinical trial personnel) if they would only verify that this was the path they chose - yes, even cybercriminals want closure - and on 15 June they responded to confirm that they would not be paying.
We are honouring that deal. The 46,843 Danish physicians, the 506,007 IQVIA investigators, and the 2,852 clinical trial personnel with names, emails, and phone numbers - none of that is in this archive. We are also withholding the 1.06TB HuggingFace model archive and all OT/SCADA data from this release, for now.
What we are releasing is everything else. Here is what we found.
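The statement quoted above attributes initial access to tokens left in client-side JavaScript bundles and further access to credentials hardcoded in repositories. As an added example (not part of the thread or of any party's code), here is a pre-deploy check that scans built bundle text for such values; the sample bundle, the key-name list and the length bounds are constructed assumptions.

```javascript
// Added example: scan a built front-end bundle for credentials before it ships.
// ghp_, github_pat_ and hf_ are the vendors' token prefixes; the length bounds
// and the key-name list are assumptions to tune for your own estate.
const TOKEN_RULES = [
  { id: 'github-pat-classic', re: /\bghp_[A-Za-z0-9]{36}\b/g },
  { id: 'github-pat-fine-grained', re: /\bgithub_pat_[A-Za-z0-9_]{50,}\b/g },
  { id: 'huggingface-token', re: /\bhf_[A-Za-z0-9]{30,}\b/g },
  // URL carrying user:password@host, i.e. HTTP Basic credentials inline.
  { id: 'basic-auth-url', re: /\bhttps?:\/\/[^\s:/@"']+:[^\s@/"']+@[^\s"']+/g },
];

// A secret-looking key assigned a quoted literal, the shape minifiers leave behind.
// No entropy threshold on purpose: weak hardcoded passwords are low-entropy.
const ASSIGNMENT = /([A-Za-z0-9_$]*(?:token|secret|passw(?:or)?d|api[_-]?key)[A-Za-z0-9_$]*)["']?\s*[:=]\s*["'`]([^"'`\s]{6,})["'`]/gi;

// Values treated as configuration rather than credentials: placeholders,
// URLs and paths (a URL with embedded userinfo is caught by basic-auth-url).
const BENIGN = /^(?:x+|\*+|<[^>]*>|\$\{[^}]*\}|changeme|https?:\/\/.*|[./].*)$/i;

// Never echo a full secret into CI logs.
function redact(value) {
  return value.length >= 20
    ? `${value.slice(0, 4)}...(${value.length} chars)`
    : '*'.repeat(value.length);
}

function scanBundle(text, file) {
  const findings = [];
  const seen = new Set(); // one finding per distinct value; specific rules win
  const add = (rule, value, offset, key) => {
    if (seen.has(value)) return;
    seen.add(value);
    findings.push({ file, rule, key: key || null, offset, preview: redact(value) });
  };
  for (const { id, re } of TOKEN_RULES) {
    for (const m of text.matchAll(re)) add(id, m[0], m.index);
  }
  for (const m of text.matchAll(ASSIGNMENT)) {
    const [whole, key, value] = m;
    if (BENIGN.test(value)) continue;
    add('hardcoded-assignment', value, m.index + whole.lastIndexOf(value), key);
  }
  // Minified bundles are often a single line, so report character offsets.
  return findings.sort((a, b) => a.offset - b.offset);
}

// Constructed sample of a minified bundle; every value below is fake.
const SAMPLE_BUNDLE = [
  '!function(){var c={apiBase:"https://api.example.test/v1",',
  'tokenEndpoint:"https://login.example.test/oauth/token",',
  'apiKey:"<set-at-runtime>",',
  'githubToken:"ghp_' + 'A1b2C3'.repeat(6) + '",',
  'hfToken:"hf_' + 'x9Y8z7'.repeat(6) + '",',
  'registry:"https://svc:Constructed-Pw1@registry.example.test/subjects",',
  'keystorePassword:"example123"};window.cfg=c}();',
].join('');

for (const f of scanBundle(SAMPLE_BUNDLE, 'app.min.js')) {
  console.log(`${f.file}@${f.offset} ${f.rule} ${f.key || ''} ${f.preview}`);
}
```

In a pipeline, run `scanBundle` over every file in the build output and fail the job on a non-empty result. Any token it finds should be revoked and rotated, since a published bundle may already have been fetched.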
132819 Quite insane if it is true; I wonder whether Trump Jr.'s visit to Bagsværd the other day was about instructions on where the ransom should be transferred.
132820 Haha, you made me laugh
Phew, this is a really unfortunate affair. I really do not understand how the security could have been so poor.
I got 1,700 dollars for reporting a security hole at one of the big AI companies. I am not allowed to say which one. That surprised me a great deal too. Sometimes the left hand simply does not know what the right hand is doing.
132821 Fuck fuck fuck! This is really shit if this is true. Fuck!
For legal reasons I will not check for myself whether it is true.
> We have the SMILES structures for every lead compound in every programme. A medicinal chemist at Eli Lilly, Roche, or AstraZeneca could open the archive, search by target, and have Novo's complete chemical series - years and hundreds of millions of dollars of work, if not billions - on their screen within minutes. Under both US DTSA and EU Trade Secrets Directive, publication of this data permanently destroys its trade secret status. That damage cannot be undone, even if every copy is deleted. Novo's lawyers know this. This is one of several reasons why we are surprised they made the choice they did.
132822 I am completely speechless. This is the first time I am reading it. I really hope it is not true.
> In total, we are holding 30 models, 70 datasets, and approximately 1.05 terabytes of proprietary AI assets. Our original asking price was $25 million. Novo declined, and we respect that - it was an honest no, not a stalling tactic. That chapter is closed.
> We are now exploring private sales for the remaining data. The compound structures, manufacturing processes, and AI models in this breach could command considerably more than $25 million from the right buyers - a well-funded biotech in a jurisdiction with flexible attitudes toward IP provenance, or an investment group interested in what Novo's internal competitive modelling reveals about their position relative to Eli Lilly. We have received enquiries. We are taking our time.

