A threat actor operating as FulcrumSec has published what it describes as a total compromise of Hatica, a Sequoia-backed engineering analytics platform, along with two subsidiary products operating under the same infrastructure: DixiApp, a legacy Slack standup bot serving approximately 4,700 organizations, and Posium, an AI-powered test automation platform whose customer base reportedly includes JP Morgan, BrowserStack, and GE Healthcare. The published dataset allegedly includes 75 private GitHub repositories, a 5.7GB production database containing Slack bot access tokens for every DixiApp workspace, 134,270 Jira issues, production credentials across 15 services, and plaintext customer application passwords stored by the Posium platform. Hatica had not issued any public statement at time of publication.
A Single GitHub Token, Three Products Exposed
According to FulcrumSec’s post, initial access was obtained through a single GitHub token with access to Hatica’s private repositories. Those repositories contained hardcoded production credentials across every service Hatica has operated, including database connection strings, OAuth encryption keys, cloud storage credentials, email service tokens, and infrastructure deployment secrets stored as plaintext values in Kubernetes Helm charts and environment files. FulcrumSec states it used those credentials to pivot into Hatica’s production AlloyDB databases, cloud storage buckets, and the legacy DixiApp PostgreSQL database, which had reportedly remained operational and credential-accessible despite DixiApp being a discontinued product.
The group also claims to have obtained access to Hatica’s Jira instance using credentials extracted from the repositories, yielding 134,270 internal issues across 19 projects — including a customer success project documenting support tickets for named enterprise clients, and a compliance project allegedly documenting Hatica’s own Vanta security audit failures at the time of the breach. FulcrumSec states the compliance issues documented included EC2 instances with public SSH access and S3 buckets without public access controls enabled, and that Hatica markets itself as SOC 2 Type II compliant.
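The root cause described in this section, production credentials committed as plaintext values in Helm charts and environment files, is something defenders can check for in their own repositories. The scanner below is an added example, not code from Hatica, FulcrumSec, or the original report; the regex heuristics, file names, and sample values are constructed assumptions.

```python
import re

# Heuristic patterns (assumptions for this example, not exhaustive).
SECRET_KEY = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key", re.I)
CRED_URI = re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@/\s]+)@", re.I)  # user:pw@host
SLACK_BOT = re.compile(r"\bxoxb-[A-Za-z0-9-]{10,}")  # Slack bot tokens start with xoxb-
REFERENCE = re.compile(r"^(\{\{.*\}\}|\$\{?[A-Za-z_][A-Za-z0-9_]*\}?)$")  # Helm/env reference
ASSIGN = re.compile(r"^\s*(?:-\s*)?(?:export\s+)?([\w.-]+)\s*[:=]\s*(.*?)\s*$")  # YAML / .env

def scan(path, text):
    """Return (path, line_no, rule, key) for each plaintext secret in one file."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        m = ASSIGN.match(raw.split(" #", 1)[0])  # drop trailing comments
        if not m:
            continue  # comment line or anything that is not "key: value" / "KEY=value"
        key, value = m.group(1), m.group(2).strip("\"'")
        if not value or REFERENCE.match(value):
            continue  # parent key, or value injected at deploy time
        uri = CRED_URI.search(value)
        if SLACK_BOT.search(value):
            findings.append((path, no, "slack-bot-token", key))
        elif uri and not REFERENCE.match(uri.group(1)):
            findings.append((path, no, "credential-in-uri", key))
        elif SECRET_KEY.search(key):
            findings.append((path, no, "literal-secret", key))
    return findings

def scan_all(files):
    return [hit for path, text in files.items() for hit in scan(path, text)]

# Constructed sample files; every value below is fake.
SAMPLES = {
    "charts/api/values.yaml": """\
db:
  password: "Sup3rS3cret!"
  replicaPassword: "{{ .Values.global.dbPassword }}"
slack:
  botToken: xoxb-000000000000-EXAMPLEEXAMPLE
""",
    ".env.production": """\
# deploy settings
DATABASE_URL=postgres://app:hunter2@10.0.0.5:5432/app
CACHE_URL=redis://cache.internal:6379/0
SES_SECRET_ACCESS_KEY=${SES_SECRET_ACCESS_KEY}
""",
}

if __name__ == "__main__":
    print(*scan_all(SAMPLES), sep="\n")
```

Any hit in a repository's history means the value should be rotated, not just deleted from the current commit, since anyone holding a token with read access to the repository can still retrieve it.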
4,700 Slack Workspaces: The DixiApp Problem
The most structurally unusual aspect of this breach is the DixiApp exposure. DixiApp was Hatica’s original product — a Slack standup bot that began acquiring customers in 2019. When Hatica pivoted to its current engineering analytics platform, DixiApp was reportedly never fully decommissioned. Its production PostgreSQL database, containing seven years of standup data and active Slack bot OAuth tokens for every workspace that had ever installed it, remained live and accessible through the credentials embedded in the source code.
FulcrumSec claims the database contains 4,700 active Slack bot access tokens and over 140,000 rows of internal data including standup entries, team rosters, and channel configurations. The group states it verified several tokens as live, including one belonging to a division of Dutch National Railways. Other organizations listed in the database include PayPal, Citrix, and Rakuten. Active Slack bot tokens can be used to enumerate channel members, read message history depending on scopes granted, and access employee directories — meaning any organization that installed DixiApp between 2019 and the present should treat this as an active credential exposure requiring immediate token revocation.
Posium: Customer Credentials Stored in Plaintext
Hatica’s third product, Posium, is an AI-powered test automation platform. FulcrumSec claims Posium’s architecture required storing customer application login credentials in plaintext to enable automated browser testing — and that those credentials, belonging to customers of Posium’s enterprise clients, were sitting in an accessible production database. The group states it extracted credentials for production and staging environments belonging to organizations whose names appear in the Posium customer database, which reportedly includes JP Morgan, BrowserStack, GE Healthcare, and Allica Bank among 119 registered users.
The regulatory notification exposure FulcrumSec describes is significant. If the claims are accurate, Hatica faces potential GDPR obligations covering EU-based customers, Japan’s APPI covering PayPay Corporation, and India’s DPDP Act covering Hotstar, ShareChat, and other named clients. FulcrumSec states it notified Hatica of the breach prior to publication using Hatica’s own email infrastructure — specifically, AWS SES credentials extracted from the source code.
FulcrumSec’s Track Record
FulcrumSec is the same threat actor responsible for the confirmed March 2026 breach of LexisNexis Legal and Professional, in which the group exploited an unpatched React2Shell vulnerability to access 3.9 million database records, 21,000 customer accounts, and credentials belonging to federal judges and DOJ attorneys. LexisNexis confirmed that breach. FulcrumSec also claimed the MyComplianceOffice breach, in which the group published a complete customer dataset after failed negotiations. The group’s posts have consistently demonstrated access to genuine internal data and a pattern of publishing full datasets when targets decline to engage.
Organizations that have used Hatica, DixiApp, PyjamaHR, or Posium should treat integration credentials as compromised. GitHub tokens, Jira API keys, and Slack OAuth grants connected to any of these platforms should be revoked and rotated immediately.












