08:53 AM UTC · THURSDAY, MAY 14, 2026 XIANDAI · Xiandai
May 14, 2026 · Updated 08:53 AM UTC

Massive wave of global cyberattacks targets US and Western infrastructure

A series of high-profile breaches involving major defense contractors, government agencies, and AI data pipelines has marked a significant escalation in global cyber warfare.

Ryan Torres

A massive surge in high-impact cyberattacks during the first four months of 2026 has targeted major Western defense contractors, government agencies, and critical AI infrastructure.

Security analysts are tracking a significant escalation in both state-sponsored destructive operations and large-scale criminal extortion. The recent wave includes the breach of Lockheed Martin, where 375 terabytes of data were reportedly stolen, and the wiping of Stryker devices across 79 countries.

Parallel threat campaigns

Security researchers have identified four distinct threat clusters operating simultaneously. One group, identified by Palo Alto Networks Unit 42 as Void Manticore, is operating under the Handala Hack Team persona. This group, linked to Iran’s Ministry of Intelligence and Security, has claimed responsibility for attacks on US industrial and defense targets in retaliation for a February missile strike in Iran.

Concurrently, a powerful criminal alliance known as Scattered LAPSUS$ Hunters (SLH) has launched industrial-scale attacks against the SaaS layer of global enterprises. This merger of the ShinyHunters, Scattered Spider, and LAPSUS$ groups has resulted in the compromise of approximately 400 organizations and the exfiltration of 1.5 billion Salesforce records.

AI supply chains have also faced direct hits. Lapsus$ breached Mercor, a $10 billion AI training-data vendor used by OpenAI, Anthropic, and Meta, extracting 4 terabytes of data through the LiteLLM open-source library.

Other notable incidents include the hijacking of the Axios npm package by North Korean actors and the cloning of Cisco’s private GitHub repository. The FBI’s wiretap management network also suffered a major breach, alongside a personal email dump targeting FBI Director Kash Patel.
