
Foreign routers get a longer lifeline.
The FCC eases restrictions on foreign-made routers. Shiny Hunters hit Canvas and Zara. SailPoint discloses unauthorized access to its GitHub repositories. TrickMo Android banking malware has more tricks up its sleeve. Polish officials warn of increased targeting of ICS and public infrastructure. A federal judge orders $10 million in restitution for stolen zero days. German authorities take down the Crimenetwork marketplace, again. Monday business breakdown. Dan Lorenc, Chainguard CEO and co-founder, is talking about a recent wave of supply chain attacks. Malware gets signed, sealed and delivered.
Today is Monday May 11th 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
The FCC eases restrictions on foreign-made routers.
The Federal Communications Commission has extended the deadline for foreign-made router manufacturers to provide security updates to US customers by nearly two years.
The FCC banned the import and sale of consumer-grade routers from certain foreign manufacturers in March 2026, citing national security concerns. Under the original order, vendors could continue shipping security patches until March 2027. A new public notice from the FCC’s Office of Engineering and Technology now extends that deadline until at least January 1, 2029. The exemption applies only to software and firmware updates that maintain device functionality or patch vulnerabilities. Vendors are still prohibited from adding new features. The same policy also applies to banned foreign-made drone systems and drone components.
Unpatched routers remain a common entry point for espionage and persistence operations. Recent campaigns linked to Volt Typhoon and Salt Typhoon demonstrated how poorly managed network infrastructure can provide attackers with long-term, low-visibility access into enterprise environments.
Shiny Hunters hit Canvas and Zara.
The Canvas learning platform is back online after a cyberattack disrupted access for students and faculty at universities worldwide during final exam season.
Instructure, the company behind Canvas, said it took the platform offline after discovering an unauthorized actor had modified pages seen by some users. The company later restored service for most customers. Instructure said the attackers exploited an issue tied to Free-For-Teacher accounts, which have now been temporarily disabled. Threat analysts at Emsisoft said the hacking group ShinyHunters claimed responsibility and alleged nearly 9,000 schools were affected. According to available reports, the group also claimed access to billions of private messages and records, though Instructure has not confirmed the scope of compromised data.
The outage exposed how dependent schools have become on centralized digital learning systems for grades, coursework, and communications. Security researchers said the timing, just before final exams and project deadlines, likely increased pressure on affected institutions and students while amplifying disruption across campuses.
Elsewhere, another data breach linked to ShinyHunters exposed information belonging to more than 197,000 customers of global fashion brand Zara, according to HaveIBeenPwned.
The breach stemmed from an April 2026 incident tied to analytics provider Anodot. HaveIBeenPwned said the stolen data included email addresses, product Stock Keeping Units, order IDs, and support ticket details. Zara parent company Inditex said payment information, passwords, and names were not affected. Researchers believe stolen Anodot authentication tokens were used to access downstream BigQuery and Snowflake environments tied to multiple companies.
The campaign highlights the growing risk posed by third-party service providers and exposed authentication tokens. According to available reports, millions of customers across several companies may have been impacted by the broader “pay or leak” operation.
SailPoint discloses unauthorized access to its GitHub repositories.
Identity management firm SailPoint disclosed a cybersecurity incident involving unauthorized access to a subset of its GitHub repositories.
In an SEC filing, SailPoint said it detected the intrusion on April 20 and quickly contained the activity. The company said the repositories were compromised through a vulnerability in a third-party application, which has since been addressed. SailPoint said an investigation conducted with an outside cybersecurity firm found no evidence that customer production or staging environments were accessed or disrupted. Customers whose information was stored in the affected repositories were directly notified.
The incident highlights ongoing risks tied to third-party software dependencies and development environments. Details about the compromised data and threat actor remain unclear.
TrickMo Android banking malware has more tricks up its sleeve.
Researchers at ThreatFabric say a new variant of the TrickMo Android banking malware is using The Open Network, or TON, to conceal communications with attacker infrastructure.
ThreatFabric said the malware, tracked as Trickmo.C, has targeted banking and cryptocurrency wallet users in France, Italy, and Austria since at least January. The malware disguises itself as TikTok or streaming applications and steals credentials through phishing overlays, screen recording, SMS interception, and keylogging. Researchers said the latest version routes command-and-control traffic through TON .ADNL addresses and an embedded local proxy, making infrastructure more difficult to identify or disrupt. The variant also adds network reconnaissance and tunneling capabilities, including SSH tunneling, SOCKS5 proxy support, and remote port forwarding.
The campaign reflects a broader shift toward decentralized infrastructure designed to resist takedowns and blend malicious traffic into legitimate encrypted network activity.
Polish officials warn of increased targeting of ICS and public infrastructure.
Poland’s Internal Security Agency, or ABW, says cyberattacks targeting industrial control systems and public infrastructure intensified sharply through 2024 and 2025, including multiple breaches of municipal water treatment facilities.
In its annual report, ABW disclosed that attackers compromised operational systems at water plants in several Polish municipalities, including one August 2025 incident that nearly disrupted a city’s water supply before authorities intervened. Officials also linked broader sabotage campaigns targeting military and civilian infrastructure to Russian state-backed actors. Security researchers said many of the attacks exploited internet-exposed systems protected by weak passwords or outdated configurations rather than advanced malware. Researchers and vendors including Dragos and Anthropic also warned that artificial intelligence is lowering the barrier for identifying and targeting operational technology environments.
The incidents reflect growing concern that cyber operations are shifting from espionage toward direct interference with physical systems tied to water, transportation, and energy services. Analysts warn that smaller utilities remain especially vulnerable because of limited cybersecurity resources and increased reliance on internet-connected industrial systems.
A federal judge orders $10 million in restitution for stolen zero days.
A US federal judge ordered former L3Harris Technologies executive Peter Joseph Williams to pay $10 million in restitution for stealing zero-day exploits from subsidiary L3 Trenchant and selling them to a Russian broker.
The ruling follows Williams’ earlier plea agreement requiring an additional $1.3 million payment, bringing total restitution to $11.3 million. Prosecutors had sought $35 million, arguing the stolen tools caused major business losses. Williams pleaded guilty last year to stealing eight hacking tools between 2022 and 2025 and selling them to Russian exploit broker Operation Zero under agreements reportedly worth about $4 million. Prosecutors said the exploits could have enabled access to millions of devices worldwide. Williams was sentenced in February to more than seven years in prison and faces possible deportation to Australia after release.
The case underscores growing concerns around insider threats within offensive cyber operations and the commercial market for zero-day exploits used in intelligence and military activities.
German authorities take down the Crimenetwork marketplace, again.
German authorities announced the takedown of the revived Crimenetwork cybercrime marketplace and the arrest of a suspected administrator in Spain.
Police said the German-language platform reappeared days after the original Crimenetwork was dismantled in December 2024. The newer version had more than 22,000 users and over 100 sellers trading stolen data, drugs, and forged documents. Investigators said the marketplace generated more than €3.6 million in revenue through cryptocurrency transactions. Authorities also seized roughly €194,000 in assets and collected extensive user and transaction records for further analysis.
The operation highlights continued law enforcement pressure on major underground marketplaces despite rapid attempts by operators to rebuild infrastructure.
Monday business breakdown.
Cybersecurity investment activity continued to surge this week, driven largely by demand for AI security, identity protection, and offensive security platforms.
Seattle-based XBOW raised an additional $35 million in Series C funding, bringing the round total to $155 million. Swiss ethical hacking firm Bug Bounty Switzerland secured $15.3 million to expand AI-driven security testing, while AI-focused startups including General Analysis and Herd Security also announced new funding rounds. The week also saw a wave of acquisitions centered on AI and identity security. Palo Alto Networks agreed to acquire AI security gateway firm Portkey, while Cisco announced plans to acquire Israeli identity security startup Astrix Security for $400 million.
The deals reflect growing industry focus on securing AI agents, operational technology, and non-human identities as enterprises rapidly expand AI adoption. Vendors are also investing heavily in continuous security validation and AI-assisted defensive tooling.
Malware gets signed, sealed and delivered.
Hackers breached DigiCert in April by posing as a customer in a support chat and convincing an employee to repeatedly open a malicious file disguised as a screenshot. Persistence, apparently, still works.
According to DigiCert’s incident report, the malware was initially blocked multiple times by internal security tools before finally infecting a support workstation on the fifth attempt. A second compromised machine with a malfunctioning CrowdStrike sensor then gave attackers access to internal certificate order systems. DigiCert said the intruders obtained initialization codes tied to EV code-signing certificates, which they later used to sign malware, including Zhong Stealer. Researchers eventually discovered the abuse after noticing malware carrying legitimate DigiCert signatures. The company revoked 60 certificates and canceled pending orders linked to the incident.
The breach highlights how social engineering and operational blind spots can undermine even highly trusted security infrastructure. DigiCert also acknowledged that without an outside researcher flagging the issue, the certificate theft operation might have continued unnoticed.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at thecyberwire.com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.
