Ticker feed
The hacking group ShinyHunters targeted Instructure's Canvas learning management system Thursday, forcing thousands of schools offline during finals week. Major universities including Penn State, UCLA, Columbia, and Northwestern were affected, with Penn State canceling all tests and warning students of no access for 24 hours.
Canvas was restored for most users by Thursday night, but the hackers claim they accessed nearly 9,000 schools worldwide and billions of private messages. The group threatened to leak stolen data, setting deadlines of Thursday and May 12, suggesting ongoing extortion negotiations. This attack mirrors recent breaches at PowerSchool and other educational platforms, highlighting schools' vulnerability as prime targets for cybercriminals seeking digitized student data.
Source: CBS News
Daemon Tools developer Disc Soft confirmed hackers compromised their software distribution between April 8 and May 5, infecting thousands of computers with malware. Chinese-speaking attackers injected trojanized code into Daemon Tools Lite version 12.5.1 downloads from the official website.
Kaspersky discovered the breach affected government, scientific, manufacturing, and retail organizations across Belarus, Russia, and Thailand. The attackers selected about a dozen victims for deeper infiltration, including a Russian educational institution hit with a complex backdoor.
Disc Soft has contained the incident, rebuilt clean installation packages, and released version 12.6.0.2445 on May 5. Users who downloaded the compromised version must uninstall the software and scan for malware.
Source: Security Week
Instructure's Canvas learning management system suffered a major data breach on May 1, with hackers stealing names, emails, student IDs, and private messages from approximately 275 million users across 9,000 educational institutions. The ShinyHunters group claimed responsibility and threatened to leak 3.65TB of stolen data unless ransom demands were met.
While passwords and financial information weren't compromised, the breach highlights schools' dangerous dependence on third-party platforms. Under FERPA regulations, schools remain liable for student data protection even when using external vendors. Security experts warn that switching from Canvas isn't realistic for most institutions, making them vulnerable to future attacks.
The incident exposes how deeply embedded educational technology creates inherited security risks that schools can't directly control.
Source: Dark Reading
A sophisticated phishing attack targeted over 35,000 users across 13,000 organizations between April 14 and 16, 2026, using fake "code of conduct" emails to steal credentials. The attackers used adversary-in-the-middle (AiTM) techniques to bypass multi-factor authentication by hijacking active login sessions in real time.
The campaign primarily hit the United States (92% of victims) and targeted healthcare, financial services, and technology sectors. Victims received professional-looking emails claiming conduct violations, with PDF attachments leading to fake Microsoft login pages. The attackers positioned themselves between users and legitimate Microsoft services, capturing authentication tokens that provided direct account access without passwords.
Microsoft Defender Research tracked the campaign, noting its use of legitimate email services and polished HTML templates that made detection difficult. Organizations should enable phishing-resistant MFA methods like FIDO keys and implement comprehensive email security measures.
Source: Cybersecurity News
Cybersecurity firm Trellix confirmed a breach of part of its source code repository, though details remain scarce. The company is working with forensic experts and has notified law enforcement. Trellix says there's no evidence its code release process was compromised or that the source code was exploited — but a full investigation is still underway.
The breach may tie into a broader supply chain campaign linked to hacker groups TeamPCP and Lapsus$, which also hit Checkmarx, Aqua Security, and Bitwarden. Attackers reportedly compromised CI/CD pipelines to push malicious updates and steal credentials at scale.
Source: SecurityWeek
A serious vulnerability in FreeBSD's default DHCP client — tracked as CVE-2026-42511 — lets attackers on the same local network execute commands as root, taking complete control of affected machines. Discovered by Joshua Rogers of the AISLE Research Team, the flaw stems from dhclient(8) failing to properly escape double-quotes when processing DHCP server responses, allowing injected commands to run with full system privileges. Every supported FreeBSD release is affected, including versions 13.5, 14.3, 14.4, and 15.0. Patches are already available. Admins should update immediately — and enabling DHCP snooping on network switches adds an effective extra layer of defense.
Source: Cybersecurity News
A sophisticated hacking campaign hit South-East Asian government and military targets by exploiting CVE-2026-41940, a critical CVSS 9.8 authentication bypass in cPanel and WHM. Attackers gained root-level access without valid credentials before a patch dropped on April 28, 2026. Beyond cPanel, hackers also cracked an Indonesian defense training portal using a CAPTCHA bypass and SQL injection, escalating to full OS access via PostgreSQL. The operation ended with 110 files (~4.37GB) stolen from the China Railway Society, including financial records with national ID numbers and bank details. Shadowserver tracked 44,000 IPs actively scanning for vulnerable servers. Patch cPanel immediately.
Source: Cybersecurity News
A sweeping supply chain attack dubbed "Mini Shai-Hulud," linked to the TeamPCP hacking group, has compromised over 1,800 developer repositories since April 29. Malicious versions of SAP npm packages, Lightning on PyPI (v2.6.2–2.6.3), intercom-client on npm (v7.0.4–7.0.5), and intercom-php (v5.0.2) were injected with credential-stealing malware. The malware harvests AWS keys, API tokens, VPN credentials, crypto wallet data, and more, exfiltrating it to GitHub repos and a dedicated domain. The payload also actively scans Kubernetes environments and HashiCorp Vault secrets. With the affected packages totaling nearly 30 million downloads combined, the blast radius could grow significantly.
Source: SecurityWeek
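A quick way to check your own lockfiles against the package versions named in the Mini Shai-Hulud item above. This is an added example, not code from SecurityWeek or from the affected projects; it encodes only the npm and PyPI versions quoted in the text (the SAP packages are not named there, and the composer package for intercom-php is left out), and the lockfile and requirements contents are constructed samples.

```python
"""Flag pinned dependencies that fall inside the affected version ranges
reported for the Mini Shai-Hulud campaign (versions copied from the item
above; package names for the SAP set are not given there, so they are omitted)."""
import json
import re

# ecosystem -> package -> (first bad version, last bad version), inclusive
AFFECTED = {
    "npm": {"intercom-client": ("7.0.4", "7.0.5")},
    "pypi": {"lightning": ("2.6.2", "2.6.3")},
}

def vtuple(v):
    """'7.0.4' -> (7, 0, 4); trailing suffixes such as '.post1' or '-beta' are ignored."""
    return tuple(int(x) for x in re.match(r"\d+(?:\.\d+)*", v).group(0).split("."))

def is_affected(eco, name, version):
    rng = AFFECTED.get(eco, {}).get(name.lower())
    return bool(rng) and vtuple(rng[0]) <= vtuple(version) <= vtuple(rng[1])

def scan_npm_lock(text):
    """Return [(name, version)] hits from a package-lock.json (v1, v2 or v3 layout)."""
    lock = json.loads(text)
    hits = []
    # lockfileVersion 2/3: "packages" keyed by install path ("" is the root project)
    for path, meta in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]
        if path and is_affected("npm", name, meta.get("version", "0")):
            hits.append((name, meta["version"]))
    # lockfileVersion 1: "dependencies" keyed by package name
    for name, meta in lock.get("dependencies", {}).items():
        if is_affected("npm", name, meta.get("version", "0")):
            hits.append((name, meta["version"]))
    return hits

def scan_requirements(text):
    """Return [(name, version)] hits from requirements.txt-style '==' pins."""
    hits = []
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][\w.]*)", line)
        if m and is_affected("pypi", m.group(1), m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits

# Constructed sample inputs, not real project files.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo"},
    "node_modules/intercom-client": {"version": "7.0.4"},
    "node_modules/left-pad": {"version": "1.3.0"}}})
SAMPLE_REQS = "requests==2.32.3\nlightning==2.6.3\nnumpy>=1.26\n"

if __name__ == "__main__":
    print(scan_npm_lock(SAMPLE_LOCK), scan_requirements(SAMPLE_REQS))
```

Feed it `open("package-lock.json").read()` or `open("requirements.txt").read()` to check a real project; any hit means the dependency should be removed and the credentials on that machine rotated.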
Rockstar Games has been hit by hackers for the second time in three years. A group called ShinyHunters — prolific English-speaking teen cybercriminals — claims to have breached servers managed by a third-party cloud provider and is threatening to publish stolen data after Rockstar refused to pay a ransom. Rockstar is downplaying the damage, telling the BBC the incident had "no impact" on the company or its players and that only "a limited amount of non-material information" was accessed. The breach echoes a 2023 hack by British teen Arion Kurtaj, who leaked GTA 6 footage and received an indefinite hospital order.
Source: BBC News
Researchers at Novee Security uncovered a critical vulnerability in Google's Gemini CLI that allowed attackers to execute arbitrary code on host machines — no prompt injection required. The flaw stemmed from Gemini CLI automatically trusting the current workspace folder, loading any agent configuration found there without sandboxing or human approval. A planted malicious config could expose secrets, credentials, and source code. In CI/CD pipelines, the risk escalated to full supply chain attacks. Google has since patched both Gemini CLI and the run-gemini-cli GitHub Action. The incident highlights a growing concern: AI coding agents now operate with trusted contributor-level access inside developer workflows.
Source: SecurityWeek