
The four-day race you don’t want to be in.
CISA orders rapid patching of actively exploited Ivanti zero-day. Canvas gets hacked during finals week. Dirty Frag is a new Linux zero-day. Researchers document a serious Claude Chrome extension bug. Meta ends Instagram encryption. PCPJack malware cleans house before moving in. A new report highlights quantum-era cryptographic threats. Cloudflare announces layoffs amidst AI deployment. Sri Lankan police shut down a scam center. Maria Varmazis joins me to look back at ten years of geopolitics in cyber. Vibe coding reveals valuable data.
Today is Friday, May 8th, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
CISA orders rapid patching of actively exploited Ivanti zero-day.
The U.S. Cybersecurity and Infrastructure Security Agency, or CISA, has ordered federal agencies to secure Ivanti Endpoint Manager Mobile systems within four days after attackers exploited a high-severity vulnerability in zero-day attacks.
Tracked as CVE-2026-6973, the flaw allows remote code execution on Ivanti EPMM 12.8.0.0 and earlier when attackers have administrative privileges. Ivanti released patched versions and urged customers to review and rotate admin credentials. The company said exploitation appears limited and affects only on-premises EPMM deployments, not Ivanti’s cloud or other product lines. Shadowserver reports more than 800 exposed EPMM appliances remain online.
The directive highlights the continued risk posed by internet-facing management platforms, especially when active exploitation is already underway. CISA warned the vulnerability presents significant risk to federal networks and ordered agencies to patch affected systems by May 10.
Canvas gets hacked during finals week.
Educational software provider Canvas is investigating a cybersecurity incident after widespread login outages and claims of responsibility from the hacking group ShinyHunters.
Canvas developer Instructure confirmed the incident in a May 2 status update and said outside forensic experts are assisting the investigation. Reports earlier this week described login failures that displayed messages allegedly from ShinyHunters, which claimed poor patching enabled the disruption. The group also claimed to have stolen data from schools and universities using Canvas and threatened to leak it unless a settlement is reached by May 12. Several universities temporarily blocked access to the platform and warned students about increased phishing risks.
The incident underscores the operational impact ransomware and extortion campaigns can have on widely used software-as-a-service platforms, especially in education environments that depend on centralized systems for coursework and assignments.
Dirty Frag is a new Linux zero-day.
A newly disclosed Linux zero-day vulnerability called Dirty Frag allows local attackers to gain root privileges on many major Linux distributions using a publicly released proof-of-concept exploit.
Researcher Hyunwoo Kim says the flaw stems from Linux kernel code introduced roughly nine years ago in the algif_aead cryptographic interface. Dirty Frag chains two kernel vulnerabilities to modify protected system files in memory and escalate privileges without authorization. Kim described the exploit as highly reliable because it does not depend on race conditions or timing windows. The flaw affects distributions including Ubuntu, Red Hat Enterprise Linux, Fedora, CentOS Stream, AlmaLinux, and openSUSE Tumbleweed. No CVE identifier or official patches are currently available after a public disclosure embargo was broken.
The disclosure adds pressure on Linux administrators already responding to other actively exploited privilege-escalation flaws, including Copy Fail and Pack2TheRoot, both patched or mitigated only recently.
Researchers document a serious Claude Chrome extension bug.
Researchers at browser security firm LayerX disclosed a vulnerability in Anthropic’s Claude Chrome extension that could let malicious browser plugins hijack the AI agent and bypass security controls.
According to LayerX, the flaw allows any browser extension to communicate with Claude’s large language model without verifying the source of the request. Researcher Aviad Gispan demonstrated attacks that extracted files from Google Drive, accessed email activity, sent emails as the user, and stole source code from connected GitHub repositories. The researchers also manipulated Claude’s interface to hide security prompts and sensitive actions from users. LayerX said Anthropic issued a partial fix on May 6, but some takeover scenarios reportedly remained possible.
The research highlights growing concerns around AI agents that can interact directly with browsers, files, and cloud services. Security experts warned traditional prompt-layer monitoring may not detect attacks that manipulate the agent’s perceived environment instead of the model itself.
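The missing check in the story above is source verification at the agent boundary. The following is an added example, not code from LayerX, Anthropic or the Claude extension: an extension that exposes an agent to other extensions over chrome.runtime.onMessageExternal decides, per message, whether the caller is one it trusts before any privileged action runs, and records every rejection so the boundary itself produces a detection signal. The allow-list ID, the action names, the hypothetical performAgentAction and the log shape are all constructed for illustration.

```javascript
// Added example (not the extension's own code). Constructed placeholder ID:
// a real allow-list holds the 32-character IDs of the extensions deliberately
// allowed to drive the agent, and nothing else.
const TRUSTED_EXTENSION_IDS = new Set(["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"]);

// Constructed action names; each reaches user data, so each needs a verified caller.
const PRIVILEGED_ACTIONS = new Set(["read_drive", "read_mail", "send_mail", "read_repo"]);

// Every rejection is recorded so the agent boundary emits a signal a defender
// can alert on, independent of prompt-layer monitoring.
const rejectedLog = [];

function recordRejection(sender, message, reason) {
  rejectedLog.push({
    ts: new Date().toISOString(),
    senderId: sender && sender.id ? sender.id : null,
    senderUrl: sender && sender.url ? sender.url : null,
    action: message && message.action ? message.action : null,
    reason,
  });
  return { ok: false, reason };
}

// Pure decision function (no browser APIs) so it can be unit-tested.
// Returns { ok: true, action } or { ok: false, reason }.
function authorizeExternalMessage(message, sender) {
  // Chrome fills sender.id when the message comes from another extension.
  if (!sender || typeof sender.id !== "string") {
    return recordRejection(sender, message, "caller is not an extension");
  }
  // Conservative rule (a design choice of this example): a message arriving
  // from a tab context is treated as page-originated even if an ID is present.
  if (sender.tab) {
    return recordRejection(sender, message, "caller runs in a page context");
  }
  if (!TRUSTED_EXTENSION_IDS.has(sender.id)) {
    return recordRejection(sender, message, `extension ${sender.id} is not allow-listed`);
  }
  if (!message || typeof message.action !== "string") {
    return recordRejection(sender, message, "malformed message");
  }
  if (!PRIVILEGED_ACTIONS.has(message.action)) {
    return recordRejection(sender, message, `unknown action ${message.action}`);
  }
  return { ok: true, action: message.action };
}

function getRejectedLog() {
  return rejectedLog.slice();
}

// Wiring inside the extension's service worker. Guarded so the decision
// logic above also runs under plain Node for tests.
if (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.onMessageExternal) {
  chrome.runtime.onMessageExternal.addListener((message, sender, sendResponse) => {
    const decision = authorizeExternalMessage(message, sender);
    if (!decision.ok) {
      sendResponse({ error: decision.reason });
      return;
    }
    // Only here would the agent be asked to perform decision.action
    // (performAgentAction is hypothetical and not defined in this example).
    sendResponse({ accepted: decision.action });
  });
}
```

Two layers belong together here: the manifest's `externally_connectable` key (`ids` for extensions, `matches` for sites) limits who can reach `onMessageExternal` at all, and the runtime check above is the second gate. The rejection log is the artifact worth forwarding to a detection pipeline, since it captures attempts that never touch the model and so never appear in prompt-layer monitoring.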
Meta ends Instagram encryption.
Meta has ended end-to-end encrypted direct messages on Instagram, saying few users enabled the feature and directing users to WhatsApp for encrypted communications.
Privacy advocates criticized the move, warning it weakens protections for journalists, activists, and abuse survivors who rely on secure messaging. Groups including the Center for Democracy & Technology questioned how Meta will handle previously encrypted chats and warned users could face greater surveillance and interception risks. Meta has not publicly clarified whether standard Instagram messages could eventually be used in broader data analysis or ad-targeting systems.
PCPJack malware cleans house before moving in.
Researchers at SentinelOne have identified a new malware framework called PCPJack that removes TeamPCP malware from compromised systems before deploying its own credential-stealing and propagation tools.
Active since late April, PCPJack targets Linux environments and appears designed to spread across cloud and enterprise infrastructure. SentinelOne believes the operator may be a former TeamPCP member because the framework specifically hunts for and deletes TeamPCP artifacts before installing modular Python-based malware components. The framework steals credentials, tokens, SSH keys, and cryptocurrency wallets tied to services including AWS, GitHub, Slack, Docker, Gmail, and Office 365. It also attempts lateral movement through Kubernetes, Redis, MongoDB, and vulnerable web applications while using Telegram for command-and-control communications.
The campaign highlights how cybercriminal operators increasingly compete for access to compromised systems, while modular malware frameworks continue expanding beyond traditional endpoints into cloud-native infrastructure.
A new report highlights quantum-era cryptographic threats.
Recorded Future is warning that quantum computing risks are no longer theoretical, as organizations face growing pressure to prepare for a future where quantum systems can break today’s encryption standards.
In a new report, the company said the biggest threat comes from cryptographically relevant quantum computers, or CRQCs, which could eventually defeat widely used public-key encryption systems such as RSA and Elliptic Curve Cryptography. Recorded Future warned that “harvest now, decrypt later” activity is already underway, with threat actors potentially collecting encrypted data today for future decryption once quantum capabilities mature. The report noted that long-lived sensitive information, including government records, intellectual property, healthcare data, and financial information, faces the greatest exposure risk.
The company also said organizations delaying post-quantum cryptography migration beyond 2026 could face higher costs, compressed timelines, and operational disruption as regulatory and procurement requirements accelerate adoption.
Cloudflare announces layoffs amidst AI deployment.
Cloudflare announced plans to reduce its global workforce by more than 1,100 employees, framing the move as part of a broader restructuring around what it calls the “agentic AI era.”
In a message to employees, company leaders said internal AI usage has surged more than 600% in recent months, changing how teams across engineering, HR, finance, and marketing operate. The company stressed the layoffs were not tied to employee performance but to a larger effort to redesign workflows and organizational structures around AI-driven operations. Cloudflare also pledged expanded severance, healthcare support, and accelerated equity vesting for affected workers.
The announcement lands amid continuing technology-sector layoffs as companies race to integrate AI tools while reducing costs and restructuring teams. For employees across the industry, these cuts reflect a painful transition period where years of work and loyalty are colliding with rapid shifts in how companies believe future work will be done.
Sri Lankan police shut down a scam center.
Sri Lankan police have arrested 37 Chinese nationals suspected of operating a scam center in a suburb of Colombo, part of a broader regional crackdown on online fraud operations.
Authorities said the suspects were detained during a May 2 raid in Talangama after a tip-off led officers to a property allegedly housing people working illegally or overstaying tourist visas. Police seized dozens of devices, including 147 mobile phones and 100 SIM cards. Investigators believe the operation may have been tied to romance-baiting cryptocurrency scams, where victims are manipulated through dating apps or unsolicited messages before being directed to fake investment platforms.
The arrests follow similar raids in recent months involving hundreds of foreign nationals. The United Nations and Interpol have warned many workers inside these scam compounds may themselves be victims of human trafficking and forced labor.
Vibe coding reveals valuable data.
The promise of “vibe coding” was simple: describe an app in plain English, click publish, and suddenly everyone’s a software developer. Unfortunately, some of those developers also accidentally became system administrators with the security habits of an unlocked filing cabinet.
According to reporting by Andy Greenberg for Wired, researchers at RedAccess found more than 5,000 publicly accessible web apps built with AI coding platforms including Lovable, Replit, Base44, and Netlify that lacked meaningful security protections. According to the researchers, many exposed sensitive business and personal information, including medical records, financial data, internal strategy documents, chatbot logs, and cloud credentials. In some cases, the apps reportedly allowed administrative access with little or no authentication.
The findings echo earlier waves of cloud storage misconfigurations, where easy-to-use platforms collided with limited security expertise. Researchers warn AI coding tools are now putting powerful application development capabilities into the hands of employees who may never pass through traditional security review processes, if they pass through any process at all.
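The exposure described above is an admin endpoint that answers without any credential check. The following is an added example, not code from the Wired report, RedAccess, or any of the named platforms: a minimal route table with the generated app's open admin route beside a hardened version, plus a pre-publish self-check that calls every /admin route with no credentials and reports any that answer 200. The route names, the user records and the demo token are constructed.

```javascript
// Added example (not code from any of the platforms named above).
// Constructed sample data standing in for the kind of records found exposed.
const USER_RECORDS = [
  { id: 1, email: "alice@example.test", plan: "enterprise" },
  { id: 2, email: "bob@example.test", plan: "trial" },
];

// A minimal router: an app is a list of {method, path, handler}; a handler
// receives the request and returns {status, body}.
function dispatch(app, req) {
  const route = app.find((r) => r.method === req.method && r.path === req.path);
  if (!route) return { status: 404, body: { error: "not found" } };
  return route.handler(req);
}

// Compare two strings in time independent of where they first differ,
// so a wrong token does not leak how many leading characters matched.
function constantTimeEqual(a, b) {
  const x = Buffer.from(String(a), "utf8");
  const y = Buffer.from(String(b), "utf8");
  let diff = x.length ^ y.length;
  const n = Math.max(x.length, y.length);
  for (let i = 0; i < n; i++) {
    diff |= (x[i] ?? 0) ^ (y[i] ?? 0);
  }
  return diff === 0;
}

// Middleware: wrap a handler so it runs only with a valid bearer token.
function requireAdminToken(adminToken, handler) {
  return (req) => {
    const header = (req.headers && req.headers.authorization) || "";
    const [scheme, presented] = header.split(" ");
    if (scheme !== "Bearer" || !presented || !constantTimeEqual(presented, adminToken)) {
      return { status: 401, body: { error: "authentication required" } };
    }
    return handler(req);
  };
}

const listUsers = () => ({ status: 200, body: { users: USER_RECORDS } });
const health = () => ({ status: 200, body: { ok: true } });

// BEFORE: the generated app ships the admin route with no check at all.
const insecureApp = [
  { method: "GET", path: "/health", handler: health },
  { method: "GET", path: "/admin/users", handler: listUsers },
];

// AFTER: every /admin route is wrapped before the app is published.
function makeSecureApp(adminToken) {
  return [
    { method: "GET", path: "/health", handler: health },
    { method: "GET", path: "/admin/users", handler: requireAdminToken(adminToken, listUsers) },
  ];
}

// Pre-publish self-check: call each /admin route with no credentials and
// report any that answer 200. Runs against the in-process route table,
// so it touches no network.
function findUnauthenticatedAdminRoutes(app) {
  return app
    .filter((r) => r.path.startsWith("/admin/"))
    .filter((r) => dispatch(app, { method: r.method, path: r.path, headers: {} }).status === 200)
    .map((r) => `${r.method} ${r.path}`);
}

// Constructed demo token; a real deployment reads it from a secret store.
const DEMO_ADMIN_TOKEN = "constructed-demo-token-not-a-real-secret";
const secureApp = makeSecureApp(DEMO_ADMIN_TOKEN);

console.log("generated app exposes:", findUnauthenticatedAdminRoutes(insecureApp));
console.log("hardened app exposes:", findUnauthenticatedAdminRoutes(secureApp));
```

The self-check is the piece to wire into a build step: if it reports anything, the publish fails. A bearer token is the smallest fix that demonstrates the point; a real application would replace it with the platform's session or identity mechanism, but the shape of the gate (every privileged route wrapped, nothing reachable by default) stays the same.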
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.
