[DyslexicAtheist]

some info here https://www.cyfirma.com/research/investigation-report-on-jag...

> The breach was enabled through stolen Jira credentials harvested via Infostealer malware, a known hallmark of HELLCAT’s operations. The exposed data includes development logs, tracking information, source code, and a large employee dataset with usernames, email addresses, display names, and time zones. The presence of verified employee information from JLR’s global workforce raises significant concerns about identity theft and targeted phishing campaigns.

then

> the JLR breach escalated when a second threat actor, “APTS,” appeared on DarkForums on March 14, 2025. APTS claimed to have exploited Infostealer credentials dating back to 2021, belonging to an employee who held third-party access to JLR’s Jira server. Using these compromised credentials, the actor gained entry and shared a screenshot of a Jira dashboard as proof. APTS also leaked an additional tranche of sensitive data, estimated at around 350 GB, which contained information not included in Rey’s original dump, further amplifying the scale and severity of the breach.