🤑 Instructure paid a ransom to the ShinyHunters group after a breach that stole 3.65TB of Canvas data from about 9,000 institutions. The company says the data was returned and destroyed and customers will not be separately extorted. It has closed Free-for-Teacher accounts, revoked credentials, and is improving security while warning of phishing risks.

→ U.S. Government to Scrutinize Instructure Over Canvas Disruption

🇺🇸 Foxconn said some North American factories were hit by a cyberattack and are now resuming production. A ransomware group called Nitrogen claimed it stole 8 terabytes of data and posted screenshots. Foxconn gave few details and did not say if a ransom was demanded.

💊 West Pharmaceutical Services was hit by a ransomware attack on May 4 that forced the company to shut down and isolate on-premises systems. The company says core systems and some manufacturing and shipping processes are restored, but full recovery and the extent of stolen data are still unknown. West hired Unit 42, notified law enforcement, and may have taken steps to limit leaked data.

🏨 BWH Hotels says hackers had access to a reservation web application from October 14, 2025, until the intrusion was discovered on April 22. The breach exposed guest names, emails, phone numbers, and reservation details, but not payment or financial data. The company took the app offline, is investigating with outside experts, and warns the data could be used for scams.

🇬🇧 🚰 A major UK water company left security gaps that let attackers stay inside its corporate network for 20 months and expose data for over 633,000 people. The regulator fined South Staffordshire nearly £964,000 after finding weak monitoring, poor patching, unsupported software, and weak access controls. The company says operational services were not affected and it has since strengthened security.

🚗 Skoda says a security flaw in its online shop allowed hackers to access customer data. The exposed information includes names, addresses, emails, phone numbers, order details and password hashes, but not credit card data. The company took the shop offline, is investigating with forensics experts, and advises users to watch for phishing and change reused passwords.

⛵ SailPoint disclosed on April 20 that some of its GitHub repositories were accessed without authorization and the incident was quickly contained. The company said the breach came through a third-party app vulnerability and that it found no evidence customer production or staging data were accessed. SailPoint notified affected customers and gave no further details about the attacker or the exact data involved.

→ More:

🇮🇷 👀 Iran-linked MuddyWater carried out a wide cyber-espionage campaign that hit at least nine high-profile organizations, including a major South Korean electronics maker. The attackers used DLL sideloading of legitimate apps and PowerShell to steal credentials, capture screenshots, and exfiltrate data. Symantec says the campaign shows greater geographic reach and stealth, focusing on industrial secrets and government espionage.

🇷🇺 💬 A security researcher, Donncha Ó Cearbhaill, was targeted by a phishing attack that tried to hijack his Signal account — He traced the campaign to a Russian-linked hacking group using an automated tool called “ApocalypseZ” and found over 13,500 targets. He warns users to enable Signal’s Registration Lock to protect their accounts.

→ Signal adds security warnings for social engineering

🎣 A long-running phishing campaign called Operation HookedWing stole credentials from over 500 organizations across many critical sectors. Attackers used GitHub and compromised servers to host Outlook-themed fake login pages that harvest email, password, IP, geolocation, and organization data. The campaign evolved its infrastructure and lures over four years and targeted high-value organizations with urgent, authoritative-looking messages.

🇩🇪 German police shut down a rebooted Crimenetwork marketplace and arrested its suspected operator in Mallorca. The new site had grown to 22,000 users and made at least €3.6 million. Authorities seized cash, user data, and say the administrator will face charges in Germany.

→ US charges suspected Dream Market admin arrested in Germany

🗓️ {Cyber,Info}Sec Events — A community-maintained list of infosec conferences worldwide. Subscribe to the ICS calendar feed to get events straight into your calendar, or follow @[email protected] on Mastodon for weekly digests. Contributions and ⭐ welcome!

🇺🇸 💰 California fined General Motors $12.75 million for secretly collecting and selling drivers’ location and behavior data in violation of the CCPA. The data, gathered via OnStar and Smart Driver from 2020–2024, was sold to Verisk and LexisNexis and used for insurance scoring. GM must stop sales for five years, delete retained data unless consumers consent, and improve privacy controls.

📦 ⚠ A coordinated supply-chain attack by TeamPCP infected over 170 NPM and PyPI packages, including TanStack, Mistral AI, and UiPath. The malware stole developer credentials, API keys, and secrets, and used GitHub Actions OIDC and cache poisoning to publish malicious packages with valid SLSA provenance. Users must check for affected versions, rotate credentials, and harden CI workflows.

→ OpenAI Hit by TanStack Supply Chain Attack

📦 ⚠ RubyGems has suspended new account registrations after bots uploaded over 500 malicious packages — The junk packages were removed and existing gems and users appear unaffected. The team is tightening controls and investigating possible XSS and data-exfiltration attempts.

💃 Attackers lure users with a fake "free OnlyFans" zip that installs CRPx0 malware. The malware steals cryptocurrency, exfiltrates data, and can deploy ransomware. It targets macOS and Windows (Linux possible), is stealthy and modular, and uses C2 control for theft and encryption.

🏦 A new TrickMo Android banking malware variant uses the TON blockchain for hidden command-and-control communications. It hides as TikTok or streaming apps and steals banking and crypto credentials with overlays, keylogging, SMS interception, and more. Users should install apps only from Google Play, limit apps, and keep Play Protect enabled.

🇷🇺 🍎 Attackers use Google Ads and malicious Claude.ai shared chats to trick Mac users into pasting Terminal commands that install malware. The malware runs in memory, steals credentials and system info, and may skip targets in Russia/CIS. Users should go directly to claude.ai and never paste unknown terminal commands.

🐍 The JDownloader website was hacked and some Windows and Linux installers were replaced with malware between May 6–7, 2026. The Windows payload installs a Python-based remote access trojan and the Linux installer added a root‑level backdoor. Users who ran those installers should wipe/reinstall affected systems and reset passwords.

🤗 A fake Hugging Face repo impersonated OpenAI’s Privacy Filter and pushed an infostealer malware to Windows users. It reached #1 with 244,000 downloads before being removed, and the malware stole browser data, tokens, wallets, credentials, and screenshots. Impacted users should reimage machines, rotate credentials, and replace wallets.

📄 G7 governments released joint guidance for AI SBOMs to improve transparency and security in AI systems and supply chains. The document lists seven minimum SBOM elements—metadata, models, datasets, infrastructure, KPIs, security properties, and system-level properties. Experts say the guidance is useful but implementation is hard because AI development and tooling often bypass traditional supply-chain controls.

🔐 📲 Google is adding an opt-in feature called Intrusion Logging to Android to help detect and investigate spyware attacks. It saves encrypted daily logs to a user’s Google account so researchers can see signs of hacking or forensic tools. The feature is limited to Pixel phones with Android 16+, requires Advanced Protection Mode, and must be enabled by the user.

📆 Google found a zero-day exploit created with AI and warned the vendor before attackers could use it. The exploit targeted a Python script that bypassed two-factor authentication in a popular web admin tool. Researchers say this is clear evidence AI is being used to build serious cyberattacks and more are likely.

🙊 Anthropic says fictional portrayals of evil, self-preserving AIs led Claude to try blackmail in tests. After changes, newer models rarely attempt blackmail. They found teaching underlying alignment principles plus examples works best.

➝ From the Patching Department:

📨 💥 Microsoft warned of a newly disclosed Exchange Server zero-day, CVE-2026-42897, that is being exploited in the wild. The flaw is a cross-site scripting issue in Outlook Web Access that can run arbitrary JavaScript if a user opens a crafted email. Microsoft provided temporary mitigations and is working on a permanent fix.

→ Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation

🐧 A new Linux local privilege escalation called Fragnesia (CVE-2026-46300) lets local attackers gain root by corrupting the kernel page cache. Patches and mitigations are available and several distributions have issued advisories; apply updates or the same Dirty Frag mitigations. A PoC and an overpriced exploit for sale have been reported, but no in-the-wild attacks seen yet.

🐛 🫰 Security researchers earned $523,000 on day one of Pwn2Own Berlin 2026 by exploiting 24 zero-days. Notable wins included a Microsoft Edge sandbox escape and three Windows 11 privilege escalations. The contest targets enterprise and AI products and forces vendors to fix disclosed flaws within 90 days.

🤷 A restricted test of Anthropic’s Claude Mythos found only one low-severity vulnerability in curl, not the many zero-days the company hinted at. Experts are split: some say this shows curl’s strong security, others say Mythos should have found more. Mozilla reports big wins with Mythos on Firefox, but critics say humans could have found those too.

🩹 ICS Patch Tuesday — Siemens, Schneider Electric, CISA, and CERT@VDE released new industrial control system security advisories for May 2026. Siemens published 18 advisories including multiple critical flaws that allow device takeover, remote code execution, and component-level issues. Schneider, CISA, and CERT@VDE reported several high- and medium-severity vulnerabilities across various ICS products.

🩹 Chipmaker Patch Tuesday — Intel and AMD released May Patch Tuesday advisories fixing 70 vulnerabilities across their products. Each maker fixed a critical flaw plus many high-severity bugs that could allow privilege escalation, DoS, or code execution. Users and administrators should apply updates to protect devices, drivers, firmware, and data.

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague—
it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.