ShinyHunters defaces Canvas portals during finals week.

Summary

By the N2K CyberWire staff

ShinyHunters defaces Canvas portals during finals week.

The ShinyHunters criminal gang yesterday defaced Canvas login portals belonging to hundreds of schools and universities as part of its extortion campaign against educational technology giant Instructure, BleepingComputer reports. It's unclear how the attackers hacked Canvas, but the extortion group told TechCrunch that it was caused by a second, separate breach. The incident disrupted customers' access to the platform at a time of year when many schools are conducting their final exams.

Instructure, which owns the Canvas learning management software, confirmed a data breach last week after ShinyHunters listed the company on its leak site. The company said the stolen data "consists of certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users." ShinyHunters posted a message on the defaced websites threatening to publish the stolen data on May 12th unless Instructure pays a ransom.

The browser is the new endpoint. Are you securing it?

Today’s work happens in the browser - but that’s also where new risks live. From shadow IT to session-based threats, critical activity often goes unseen.

NordLayer Browser gives IT teams visibility and control inside the browser itself—helping protect company data and enforce security across SaaS apps without disrupting workflows.

If your security stack stops short of the browser, it may be time to take a closer look.

CISA orders Federal agencies to patch Ivanti zero-day by Sunday.

Ivanti yesterday issued fixes for five vulnerabilities affecting Endpoint Manager Mobile (EPMM), including an actively exploited zero-day that can allow a remotely authenticated user with administrative access to achieve remote code execution, Help Net Security reports. The zero-day, tracked as "CVE-2026-6973," is caused by improper input validation.

Ivanti stated, "We are aware of a very limited number of customers exploited with CVE-2026-6973. Successful exploitation requires Admin authentication. If customers followed Ivanti’s recommendation in January to rotate credentials if you were exploited with CVE-2026-1281 and CVE-2026-1340, then your risk of exploitation from CVE-2026-6973 is significantly reduced. We recommend customers review accounts with Admin rights, and rotate those credentials, where necessary."

The US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog and ordered Federal agencies to apply patches by Sunday, May 10th.

Join SASEfy 2026: The Summit for SASE and AI on May 20

AI adoption across tools, applications, and agents is outpacing governance. Teams must understand where AI introduces risk, how data is exposed, and how agentic behavior impacts control. Join Cato, Microsoft, Forrester, and Dayforce at SASEfy 2026, the summit for SASE and AI, on May 20 at 12p ET to identify risk, secure AI, and adapt Zero Trust for agentic AI.

Sri Lankan police shut down scam center.

Sri Lankan police have arrested thirty-seven Chinese nationals accused of running a scam center in Colombo, the Straits Times reports. A source told the Times that police seized 35 tablet computers, 147 mobile phones, and 100 SIM cards. A police spokesperson said the suspects had "entered the country on tourist visas and were illegally employed, while two of them had overstayed their visas."

Sri Lankan authorities last month arrested 152 foreign nationals, most of them Chinese, for allegedly running a separate scam center out of a hotel on the island. The Chinese embassy said at the time that it was working with Sri Lanka to crack down on these operations.

Track global cyber threats with the Microsoft Threat Intelligence podcast

Step into the frontlines of cyber defense with the Microsoft Threat Intelligence podcast. Hear from intelligence experts as they share how they track APTs, gangs, malware, and emerging vulnerabilities. Each episode delivers key insights into espionage, attacker tradecraft, and the skills needed for modern threat hunting. Listen in and stay one step ahead.

Notes.

Today's issue includes events affecting , and the United States.

Attacks, Threats, and Vulnerabilities

‘PCPJack’ Worm Removes TeamPCP Infections, Steals Credentials (SecurityWeek) The malware framework targets web applications and cloud environments, including AWS, Docker, Kubernetes, and more.

New Linux 'Dirty Frag' zero-day gives root on all major distros (BleepingComputer) A new Linux zero-day vulnerability, named Dirty Frag, allows local attackers to gain root privileges on most major Linux distributions with a single command.

Marketplace

Cloudflare stock sinks as company slashes 20% of its workforce, citing AI (Yahoo Finance) Cloudfa issued a Q2 sales forecast on Thursday that fell short of analyst expectations and said it would slash roughly 1,100 jobs, or about a fifth of its workforce, as it adopts artificial intelligence tools in its operating model.

Technologies, Techniques, and Standards

Meta U-turns on encryption push for Instagram as DMs go plaintext (The Register) After years of insisting end-to-end encryption was the future of online comms, Zuckcorp has handed itself full visibility into user chats once again

Quantum Risk Explained (Recorded Future) Learn how the "Harvest Now, Decrypt Later" (HNDL) risk exposes long-lived sensitive data today, regardless of when Cryptographically Relevant Quantum Computers (CRQCs) arrive.

Industry Events

For a complete running list of events, please visit the Event Tracker.

Events

CyberArk IMPACT 2026 (Austin, Texas, USA, May 11 - 13, 2026) At CyberArk IMPACT, cybersecurity practitioners and leaders will come together to explore today’s #1 attack vector – identity. Attendees will acquire a deep understanding of the latest developments in identity-based cyberattacks, including sophisticated attacker techniques that leverage AI and other methods. And most importantly, they will learn how to shut out attackers and prevent unauthorized access by securing every identity across the organization with the right level of privilege controls.

VeeamON 2026: Data & AI Trust Converge for the Agentic Era (Virtual and New York, New York, USA, May 12, 2026) VeeamON Online broadcasts the NYC keynote and select breakout content live and on demand. You’ll hear directly from the teams building the platforms, the customers operating at scale, and the leaders navigating real-world AI risk.

KB4-CON 2026 (Orlando, Florida, USA, May 12 - 14, 2026) Since its inception in 2018, KB4-CON has evolved from a user-focused gathering to the must-attend event for anyone serious about staying ahead in the security landscape. It is the human risk management industry’s premier event, bringing together KnowBe4 customers, channel partners, prospects, plus security advocates and industry professionals. This is your exclusive opportunity to engage with and learn from the industry’s most influential players, all under one roof.

ASCEND 2026 (Washington, DC, USA, May 19 - 21, 2026) ASCEND connects the civil, commercial, and national security space sectors, along with adjacent industries, to embrace the opportunities and address the challenges that come with increased activity in space. Building our sustainable off-world future requires long-term thinking. Strategic planning, innovation, scientific exploration, and effective regulations and standards will help us preserve space for future generations. ASCEND will enable the technical exchanges, debates, and collaboration that will help forge a sustainable off-world future for all.

Sponsor & Support

Grow your brand, generate leads, and fill your funnel.

With the industry's largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust N2K CyberWire to get the message out. Learn more.

Daily Briefing for 05.08.26

Top stories.

ShinyHunters defaces Canvas portals during finals week.

CISA orders Federal agencies to patch Ivanti zero-day by Sunday.

Sri Lankan police shut down scam center.

Notes.

Attacks, Threats, and Vulnerabilities

Marketplace

Technologies, Techniques, and Standards

Events