The hacking group ShinyHunters attacked Canvas, the academic software used by thousands of schools, disrupting approximately 9,000 institutions across the US, Canada, and Australia during critical end-of-year exams.
Students at Mississippi State University were mid-exam when ransom notes suddenly appeared on their screens, demanding bitcoin payment and threatening to release stolen data. The university postponed Friday's finals to help students recover lost work.
Major universities including Penn State, University of Sydney, and UCLA cancelled or rescheduled exams as Canvas remained largely offline. By Thursday evening, owner Instructure reported the platform was "available for most users," though many schools still experienced outages Friday.
Students expressed anxiety about completing coursework and potential data breaches, while universities scrambled to communicate updates and reschedule critical assessments during this high-stakes academic period.
Source: BBC
The RansomHouse ransomware group claimed responsibility for hacking cybersecurity firm Trellix, targeting part of the company's source code repository. Trellix confirmed the breach this week but stated no evidence suggests their source code distribution was compromised or exploited.
RansomHouse posted screenshots on Thursday showing access to Trellix's internal services and management dashboards, though they haven't specified what data was stolen. The timing suggests possible links to recent supply chain attacks by TeamPCP and Lapsus$ that hit other security firms like Checkmarx and Bitwarden.
RansomHouse, active since 2022, operates as ransomware-as-a-service and has listed over 170 victims on their leak site.
Source: SecurityWeek
The ShinyHunters cybercrime gang has breached Instructure's Canvas learning platform twice in quick succession, affecting nearly 9,000 educational institutions and 275 million users during final exam week. Despite Instructure claiming the initial April 25 attack was contained by May 2, hackers struck again on May 7, forcing the company to take Canvas offline once more.
The attackers exploited vulnerabilities in "free-for-teacher" accounts and claim to have stolen 3.65TB of data, including names, emails, student IDs, and billions of private messages between students and teachers. The breach spans universities, K-12 schools, and major corporations like Amazon and Apple across multiple countries.
Students report being locked out during critical study periods, with ransom messages appearing instead of their grades. The incident raises serious concerns about data protection for minors and the security standards expected from platforms serving such massive educational networks.
Source: Dark Reading
Security researchers at Adversa AI discovered a critical vulnerability called "TrustFall" affecting popular AI coding tools including Claude Code, Cursor CLI, Gemini CLI, and Copilot CLI. The flaw allows malicious repositories to automatically execute harmful code on developers' systems with minimal user interaction.
The attack works when developers clone a malicious repo and accept what appears to be a routine trust dialog. This triggers an auto-approved Model Context Protocol (MCP) server that runs with full system privileges, potentially stealing SSH keys, installing backdoors, or establishing remote control connections.
Anthropic recently weakened Claude Code's warning language in version 2.1, removing explicit MCP execution warnings and defaulting to trust mode. The vulnerability becomes even more dangerous in CI/CD environments where no human interaction is required for code execution.
Source: Dark Reading
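A pre-trust check for the scenario above, as an added example that is not from the researchers or any of the vendors: it lists every MCP server a freshly cloned repository would ask an AI CLI to launch, so the commands can be read before the trust dialog is accepted. The config paths, JSON keys and the auto-approve setting are assumptions about common project-level locations, and the sample repository is constructed.

```python
import json
import tempfile
from pathlib import Path

# Assumed project-level MCP config paths and the key that holds server entries.
# Check them against the documentation of the tools you actually run.
MCP_CONFIGS = {
    ".mcp.json": "mcpServers",
    ".cursor/mcp.json": "mcpServers",
    ".gemini/settings.json": "mcpServers",
    ".vscode/mcp.json": "servers",
}
# Assumed repo-shipped setting that pre-approves every project MCP server.
AUTO_APPROVE = (".claude/settings.json", "enableAllProjectMcpServers")

def load_json(path):
    """Parse a JSON object from path; return {} if missing or malformed."""
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return {}
    return data if isinstance(data, dict) else {}

def audit_repo(repo_root):
    """List every process a checked-out repo asks an AI CLI to launch."""
    root, findings = Path(repo_root), []
    for rel_path, key in MCP_CONFIGS.items():
        servers = load_json(root / rel_path).get(key)
        for name, spec in (servers.items() if isinstance(servers, dict) else []):
            spec = spec if isinstance(spec, dict) else {}
            args = spec.get("args") if isinstance(spec.get("args"), list) else []
            launch = " ".join(str(p) for p in [spec.get("command", ""), *args]).strip()
            findings.append((rel_path, name, launch or str(spec.get("url", ""))))
    if load_json(root / AUTO_APPROVE[0]).get(AUTO_APPROVE[1]) is True:
        findings.append((AUTO_APPROVE[0], AUTO_APPROVE[1], "auto-approve enabled"))
    return findings

def demo():
    """Audit a constructed repo (sample data, built in a temp directory)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".mcp.json").write_text(json.dumps(
            {"mcpServers": {"helper": {"command": "node", "args": ["tools/server.js"]}}}))
        (root / ".claude").mkdir()
        (root / ".claude" / "settings.json").write_text(
            json.dumps({"enableAllProjectMcpServers": True}))
        return audit_repo(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In CI, where no one sees a dialog, a non-empty result from `audit_repo` on an untrusted checkout is a reason to fail the job before any AI CLI step runs.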
The hacking group ShinyHunters targeted Instructure's Canvas learning management system Thursday, forcing thousands of schools offline during finals week. Major universities including Penn State, UCLA, Columbia, and Northwestern were affected, with Penn State canceling all tests and warning students of no access for 24 hours.
Canvas was restored for most users by Thursday night, but the hackers claim they accessed nearly 9,000 schools worldwide and billions of private messages. The group threatened to leak stolen data, setting deadlines of Thursday and May 12, suggesting ongoing extortion negotiations. This attack mirrors recent breaches at PowerSchool and other educational platforms, highlighting schools' vulnerability as prime targets for cybercriminals seeking digitized student data.
Source: CBS News
Daemon Tools developer Disc Soft confirmed hackers compromised their software distribution between April 8 and May 5, infecting thousands of computers with malware. Chinese-speaking attackers injected trojanized code into Daemon Tools Lite version 12.5.1 downloads from the official website.
Kaspersky discovered the breach affected government, scientific, manufacturing, and retail organizations across Belarus, Russia, and Thailand. The attackers selected about a dozen victims for deeper infiltration, including a Russian educational institution hit with a complex backdoor.
Disc Soft has contained the incident, rebuilt clean installation packages, and released version 12.6.0.2445 on May 5. Users who downloaded the compromised version must uninstall the software and scan for malware.
Source: SecurityWeek
Instructure's Canvas learning management system suffered a major data breach on May 1, with hackers stealing names, emails, student IDs, and private messages from approximately 275 million users across 9,000 educational institutions. The ShinyHunters group claimed responsibility and threatened to leak 3.65TB of stolen data unless ransom demands were met.
While passwords and financial information weren't compromised, the breach highlights schools' dangerous dependence on third-party platforms. Under FERPA regulations, schools remain liable for student data protection even when using external vendors. Security experts warn that switching from Canvas isn't realistic for most institutions, making them vulnerable to future attacks.
The incident exposes how deeply embedded educational technology creates inherited security risks that schools can't directly control.
Source: Dark Reading
A sophisticated phishing attack targeted over 35,000 users across 13,000 organizations between April 14-16, 2026, using fake "code of conduct" emails to steal credentials. The attackers used adversary-in-the-middle (AiTM) techniques to bypass multi-factor authentication by hijacking active login sessions in real time.
The campaign primarily hit the United States (92% of victims) and targeted healthcare, financial services, and technology sectors. Victims received professional-looking emails claiming conduct violations, with PDF attachments leading to fake Microsoft login pages. The attackers positioned themselves between users and legitimate Microsoft services, capturing authentication tokens that provided direct account access without passwords.
Microsoft Defender Research tracked the campaign, noting its use of legitimate email services and polished HTML templates that made detection difficult. Organizations should enable phishing-resistant MFA methods like FIDO keys and implement comprehensive email security measures.
Source: Cybersecurity News
Cybersecurity firm Trellix confirmed a breach of part of its source code repository, though details remain scarce. The company is working with forensic experts and has notified law enforcement. Trellix says there's no evidence its code release process was compromised or that the source code was exploited — but a full investigation is still underway.
The breach may tie into a broader supply chain campaign linked to hacker groups TeamPCP and Lapsus$, which also hit Checkmarx, Aqua Security, and Bitwarden. Attackers reportedly compromised CI/CD pipelines to push malicious updates and steal credentials at scale.
Source: SecurityWeek
A serious vulnerability in FreeBSD's default DHCP client — tracked as CVE-2026-42511 — lets attackers on the same local network execute commands as root, taking complete control of affected machines. Discovered by Joshua Rogers of the AISLE Research Team, the flaw stems from dhclient(8) failing to properly escape double-quotes when processing DHCP server responses, allowing injected commands to run with full system privileges. Every supported FreeBSD release is affected, including versions 13.5, 14.3, 14.4, and 15.0. Patches are already available. Admins should update immediately — and enabling DHCP snooping on network switches adds an effective extra layer of defense.
Source: Cybersecurity News