Infostealers by Hudson Rock claims that the United States Army, Navy, and major defense contractors (such as Lockheed Martin, Boeing, and Honeywell) have active infostealer infections.

For U.S. agencies, the report found the following infection numbers:

• The U.S. Army had 71 infected employees and 1,319 infected users 
• The U.S. Navy had 30 infected employees and 551 infected users
• The FBI had 24 infected employees and 26 infected users

For the defense contractors, the report found the following infection numbers: 

• Lockheed Martin had 55 infected employees and 96 infected users 
• Boeing had 66 infected employees and 114 infected users
• Honeywell had 398 infected employees and 472 infected users 

Additionally, the report found that cybercriminals were able to purchase stolen information from government agency or defense contractor employees for as little as $10.  

Security leaders weigh in 

Kent Wilson, Vice President, Global Public Sector at Bugcrowd:

This problem isn’t new, and it’s certainly not just beginning. The reality is that when an adversary targets an individual, eventual compromise is inevitable — whether it’s in the defense sector or the private sector. Human behavior remains the weakest link in security, and no amount of investment in classified networks or perimeter security can fully prevent an employee from unknowingly downloading infostealer malware that exposes credentials.

The lesson is clear: if you’re online, you’re a target. Every business — whether they serve the DOD or not — has employees who hold sensitive credentials that adversaries can exploit.

That said, there’s no reason to make it easy for attackers. Organizations need to stop treating cybersecurity as a one-time project and adopt continuous, proactive security programs. Traditional defenders are in a knife fight every day, and staying ahead of attackers is difficult. Bug bounties, red teaming, penetration testing, and vulnerability disclosure programs (VDPs) all help uncover security gaps before adversaries do. If you’re not actively testing your defenses and your people, attackers will do it for you.

Thomas Richards, Principal Consultant, Network and Red Team Practice Director at Black Duck:

The latest report from Hudson Rock is incredibly concerning given the nature of the data and the individuals targeted. The data stolen could allow an adversary into critical networks and take steps to compromise additional people and systems. While the most common vector for this type of attack would presumably be some sort of phishing attack, without having more details provided by the affected companies and agencies, this would be speculation. Affected users should have their passwords rotated immediately and a forensic investigation launched to determine how they were compromised and if attackers accessed information they shouldn’t have. This is a risk to U.S. national security.

Jason Soroko, Senior Fellow at Sectigo:

Infostealer infections in the U.S. military and top defense contractors expose a systemic cybersecurity lapse. Lax endpoint defenses, outdated patching protocols, and human error are enabling cheap breaches — even in high-stakes environments. If organizations with deep pockets and top talent are vulnerable, rank-and-file companies, often under-resourced and less rigorous, face even graver risks.

Companies must act now. Tighten security with zero trust architectures, continuous audits, and robust employee training. Update systems regularly, enforce strict access controls, and assume breach as a possibility. Cyber hygiene isn’t optional but should be considered a critical part of our defense in an era where a $10 exploit can topple even the most advanced networks.