Instructure, the company behind Canvas learning software, paid cybercriminals to delete stolen student data after a major hack disrupted 9,000 universities across the US, Canada, Australia, and UK last week.
The Shiny Hunters group threatened to release 3.5 terabytes of student and university data unless paid in bitcoin. Students taking exams were particularly affected, with some losing work mid-test when ransom messages appeared on their screens.
Instructure confirmed it "reached an agreement" with the hackers, who promised to delete the data and not extort institutions. However, paying ransoms goes against law enforcement advice and offers no guarantee data is actually destroyed. The breach was discovered April 29th, marking the third time Shiny Hunters has targeted Canvas.
Source: BBC
Instructure, the company behind Canvas software used by 9,000 universities worldwide, paid hackers to delete stolen student data after a major cyberattack last week. The breach by the Shiny Hunters group disrupted exams across the US, Canada, Australia, and UK when Canvas went offline.
The hackers stole 3.5 terabytes of data and threatened to publish it online. Instructure confirmed reaching an "agreement" with the criminals, who promised to delete the data and not extort students or institutions. While the company won't reveal payment details, such deals typically involve bitcoin ransoms.
Students like Mississippi State's Aubrey Palmer saw ransom messages mid-exam, causing widespread confusion. Security experts warn paying hackers fuels more attacks and offers no guarantee data is actually destroyed.
Source: BBC
Day two of Pwn2Own Berlin 2026 saw hackers unleash devastating attacks on enterprise software and AI tools, adding $385,750 in bug bounties to bring the total to $908,750.
Orange Tsai from DEVCORE stole the show with a brutal Microsoft Exchange exploit, chaining three vulnerabilities to achieve remote code execution with SYSTEM privileges. The attack earned $200,000 and highlights Exchange's role as a critical enterprise target.
Security researchers also compromised Windows 11 through an integer overflow bug and hit multiple AI coding platforms including Cursor IDE and OpenAI Codex. These AI tools are becoming prime targets due to their access to source code and developer workflows.
DEVCORE leads the competition with $405,000 in winnings, but the final day promises more zero-day discoveries as vendors scramble to patch newly exposed vulnerabilities.
Source: Cyber Security News
OpenAI disclosed that two employee devices were infected during the May 11 TanStack supply chain attack by TeamPCP hackers. The attackers exploited weaknesses in package publishing to release 84 malicious artifacts across 42 packages, infecting devices with the Shai-Hulud worm.
Limited credential material was stolen from internal source code repositories, but no customer data or intellectual property was compromised. OpenAI rotated all affected credentials and revoked user sessions.
The company is revoking code-signing certificates for all platforms and re-signing applications. macOS users must update their OpenAI apps by June 12, 2026, or risk losing functionality. The incident occurred during OpenAI's security transition following a previous March attack.
Source: Security Week
A sophisticated threat actor called UAT-8616 is actively exploiting a critical authentication bypass vulnerability (CVE-2026-20182) in Cisco's SD-WAN controllers. The bug earned a perfect 10/10 severity score, allowing attackers to gain administrative access without authentication.
This marks the second major Cisco SD-WAN vulnerability this year. In February, the same threat group exploited a nearly identical flaw (CVE-2026-20127) for years before detection. UAT-8616 appears undeterred by patches, quickly moving to exploit new vulnerabilities in the same product line.
The group targets critical infrastructure organizations, using compromised controllers to establish persistent access and escalate to root privileges. Researchers suggest potential Chinese state-sponsored connections. Cisco has released patches, but the pattern of recurring vulnerabilities in centralized network infrastructure highlights ongoing security challenges.
Source: Dark Reading
Electronics giant Foxconn, Apple's primary iPhone assembler, confirmed a cyberattack disrupted its North American factories. The Nitrogen ransomware group claims responsibility, allegedly stealing 8 terabytes of data across 11 million files containing confidential projects from Intel, Apple, Google, Dell, and Nvidia.
Foxconn's cybersecurity team quickly implemented measures to maintain production and delivery. The company said affected factories resumed normal operations as of Tuesday, though it didn't specify when the attack occurred or which systems were compromised.
Nitrogen, active since 2023, typically steals data before encrypting systems to maximize pressure on victims. However, security experts question whether the group is inflating its data theft claims to demand higher ransoms. The Taiwan-based manufacturer operates factories across Mexico, Wisconsin, Ohio, Texas, Virginia, and Indiana.
Source: CyberScoop
A frustrated security researcher has released two dangerous zero-day exploits targeting Windows systems after a dispute with Microsoft. The most severe, dubbed "YellowKey," completely bypasses BitLocker encryption on Windows 11 and Server 2022/2025 systems within minutes using just a USB stick or direct drive access.
The second exploit, "GreenPlasma," enables privilege escalation through the Windows CTFMON service, potentially giving attackers system-level control. Windows 10 remains unaffected by YellowKey due to different recovery architecture.
Microsoft hasn't patched these vulnerabilities yet. Security experts recommend using BitLocker PINs, strong BIOS passwords, and monitoring physical hardware access as immediate protection measures.
Source: Cyber Security News
A massive cyberattack called "mini Shai-Hulud" infected hundreds of popular open-source software packages, including TanStack's React Router with over 12 million weekly downloads. The malware, created by cybercriminal group TeamPCP, steals credentials from cloud services like AWS and Google Cloud by hijacking automated publishing systems.
The attack bypassed two-factor authentication and carried valid digital signatures, making it nearly undetectable. The malware embeds itself in developer tools like Visual Studio Code and disguises stolen data as anonymous messaging traffic through the Session app.
Security experts urge anyone who downloaded affected packages on Monday to immediately change all cloud, server, and developer credentials. The incident exposes critical vulnerabilities in how the software industry consumes open-source code.
Source: CyberScoop
A new campaign of Mini Shai-Hulud malware is spreading through npm packages, targeting the TanStack developer ecosystem with hundreds of compromised packages. Security researchers from Socket and Aikido discovered 373 malicious package entries across 169 npm packages, with evidence suggesting the actual number could be double that.
The worm-like malware steals developer credentials from machines and CI/CD systems, then uses those credentials to infect more packages automatically. What makes this wave particularly dangerous is its abuse of trusted publishing workflows - hijacking legitimate GitHub Actions to push Trojanized updates that appear authentic.
Attributed to the TeamPCP threat group, this evolved variant uses obfuscated JavaScript and targets build systems more aggressively than previous versions. Developers should immediately scan publishing logs, rotate credentials, and enable provenance verification to protect their projects.
Source: Dark Reading
TeamPCP hackers compromised over 170 packages across major software projects on May 11, including 42 TanStack packages, 65 UiPath packages, and Mistral AI's PyPI packages. The "Mini Shai-Hulud" attack exploited three security weaknesses to hijack TanStack's CI/CD pipeline and publish malicious packages that appeared legitimate with valid SLSA provenance certificates.
The malware steals developer credentials, API keys, cryptocurrency wallets, and cloud secrets. It spreads by using stolen tokens to publish infected versions of packages. For the first time, attackers targeted password managers like 1Password and Bitwarden, and used the decentralized Session network for harder-to-disrupt data exfiltration.
Users should immediately check for compromised package versions, rotate all credentials, and audit their GitHub Actions configurations.
Source: SecurityWeek
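One way to carry out the "check for compromised package versions" step is to match every entry in a project's `package-lock.json` against an advisory list by exact name and version, since the malicious releases carried valid provenance. This is an added example, not code from the cited reports or any affected project; the function names are hypothetical and every package name and version in it is a constructed placeholder.

```javascript
// Constructed placeholders throughout: none of these names or versions are real indicators.

// "node_modules/a/node_modules/@scope/b" -> "@scope/b" (lockfile v2/v3 install path).
function nameFromPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? null : path.slice(idx + marker.length);
}

// Yield every installed {name, version, where} from a v1, v2 or v3 package-lock.json.
function* installedPackages(lock) {
  if (lock.packages) {
    // v2/v3: flat map keyed by install path; "" is the root project, links are symlinks.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "" || meta.link) continue;
      const name = meta.name || nameFromPath(path);
      if (name && meta.version) yield { name, version: meta.version, where: path };
    }
    return;
  }
  // v1: nested "dependencies" tree, walked iteratively.
  const stack = [[lock.dependencies || {}, ""]];
  while (stack.length) {
    const [deps, prefix] = stack.pop();
    for (const [name, meta] of Object.entries(deps)) {
      const where = `${prefix}node_modules/${name}`;
      if (meta.version) yield { name, version: meta.version, where };
      if (meta.dependencies) stack.push([meta.dependencies, `${where}/`]);
    }
  }
}

// Entries whose exact name@version is on the advisory list, including nested copies.
function findCompromised(lock, advisory) {
  const bad = new Set(advisory.map((a) => `${a.name}@${a.version}`));
  return [...installedPackages(lock)].filter((p) => bad.has(`${p.name}@${p.version}`));
}

const SAMPLE_ADVISORY = [
  { name: "@example-scope/router", version: "9.9.1" },
  { name: "example-utils", version: "2.0.3" },
];
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/@example-scope/router": { version: "9.9.0" },
    "node_modules/example-ui": { version: "1.4.0" },
    "node_modules/example-ui/node_modules/@example-scope/router": { version: "9.9.1" },
    "node_modules/example-utils": { version: "2.0.3" },
  },
};

for (const hit of findCompromised(SAMPLE_LOCK, SAMPLE_ADVISORY)) console.log(hit.where, hit.version);
```

The sample shows why the whole tree has to be walked: the top-level copy of the placeholder router is a clean version, while a transitive copy nested under another dependency is the flagged one.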