Update on the Instructure breach we covered May 2: Instructure confirmed Saturday that names, email addresses, student ID numbers, and private messages between students and teachers were exposed. ShinyHunters now claims 275 million individuals across 9,000 schools worldwide are in the dataset, totaling 3.65+ TB of data including billions of private messages. The group set a pay-or-leak deadline of May 6 - this Tuesday. The Salesforce instance was also breached. This is Instructure's second breach in eight months. PowerSchool's January 2025 breach with similar scope produced a $17.25 million settlement.
La Repubblica reported a significant breach at Sistemi Informativi, a wholly-owned IBM Italy subsidiary that manages IT infrastructure for Italian public agencies and key industries. Multiple intelligence sources attribute the attack to Salt Typhoon, the China-linked espionage group that has hit US telecoms (AT&T, Verizon, Viasat), Canadian telecom firms, the US Army National Guard, Dutch government networks, and now Italian critical infrastructure. Salt Typhoon's hallmark is patience - prolonged data exfiltration, silent network observation, and infrastructure compromise rather than fast theft. The group has been active since at least 2019 and has reportedly hit 200+ companies across 80 countries.
Marcus & Millichap customer data was leaked publicly after the company refused to pay ShinyHunters' extortion demand. Have I Been Pwned added the breach yesterday with 1,837,078 unique email addresses, plus names, phone numbers, employer names, job titles, and company addresses. Marcus & Millichap is a major US commercial real estate brokerage that closed $50.9 billion in transactions in 2025. The company says the leaked data 'appeared limited to company forms, templates, marketing materials, and general contact information' but ShinyHunters originally claimed 30 million Salesforce records. The leak extends the ShinyHunters wave that already published Pitney Bowes, Carnival, Udemy, ADT, and ZenBusiness.
CTM360 disclosed a large-scale fraud platform called FEMITBOT that uses Telegram's Mini App feature to host crypto scams, impersonate major brands, and distribute Android malware. The platform impersonates Apple, Coca-Cola, Disney, eBay, IBM, NVIDIA, BBC, and others - all backed by the same shared infrastructure identified by a common API response. The mini-apps display fake balances, countdown timers, and limited-time offers inside Telegram's WebView. Some campaigns push fake Android APKs hosted on the same domain as the API to ensure valid TLS certificates. Meta and TikTok tracking pixels measure conversion rates.
Trellix, the cybersecurity company formed from the 2022 merger of McAfee Enterprise and FireEye, disclosed Friday that attackers reached part of its source code repository. The company says it has 'no evidence' that source code releases were tampered with, that the source code itself was exploited, or that customer data was affected - but it has not said how long the attackers had access, who they were, or what they took. Trellix is now working with outside forensics firms and has notified law enforcement. Trellix sells endpoint protection, email security, and managed detection products to enterprise and government customers. The company has not given a timeline for further disclosure.
Update on the cPanel flaw covered April 30: attackers are now mass-exploiting CVE-2026-41940 to deploy a Linux ransomware called 'Sorry' that encrypts websites and demands payment to unlock them. Shadowserver confirms at least 44,000 cPanel hosts have been compromised, with hundreds of victim sites already showing up in Google search results. The Sorry encryptor is written in Go, uses ChaCha20 with an embedded RSA-2048 public key (so victims cannot recover files without the attacker's private key), and appends '.sorry' to filenames. KnownHost reports the cPanel flaw was being exploited as a zero-day since at least February 23.
Push Security disclosed ConsentFix v3, a new attack that lets criminals take over Microsoft 365 accounts even if the victim has MFA and phishing-resistant passkeys turned on. The trick: instead of stealing a password, the attacker tricks the user into pasting a Microsoft authorization URL into a phishing page during what looks like a routine login. That URL contains a one-time code that the attacker exchanges for permanent access tokens. v3 automates the whole attack with Cloudflare Pages phishing sites, Pipedream webhook automation, and tenant fingerprinting that customizes the lure to each target organization's branding.
ZenBusiness customer data is now public on Have I Been Pwned, with 5,118,184 unique email addresses confirmed - alongside names, phone numbers, and CRM records pulled from Snowflake, Mixpanel, and Salesforce. ShinyHunters had threatened to publish the data in March after a failed extortion attempt; HIBP added the dataset yesterday. ZenBusiness is the AI-driven LLC formation and small business compliance platform backed by Mark Cuban. The breach extends the ShinyHunters wave that's already publicly released Pitney Bowes (8.2M), Carnival (7.5M), Udemy (1.4M), ADT (5.5M), and now ZenBusiness.
Socket disclosed a fresh wave of supply-chain attacks targeting Ruby gems and Go modules: more than 60 typosquatted packages were uploaded to RubyGems and the Go module registry, designed to look like legitimate dependencies developers might pull into a CI pipeline. Once installed, the packages exfiltrate environment variables (which typically include AWS keys, GitHub tokens, and database credentials in CI environments) to attacker-controlled servers. The targeting is deliberate: typosquats picked names close to popular gems and Go libraries. This is the same operational pattern as the SAP npm compromise covered Wednesday, but targeting Ruby and Go ecosystems.
Instructure disclosed Friday that a 'criminal threat actor' breached its systems. The company runs Canvas, the learning management platform used by schools, universities, and corporate training programs - and a successful breach exposes student records, teacher records, course content, and grades. Instructure has not said how many users are affected or what data was taken, only that outside forensics are investigating. Canvas Data 2 and Canvas Beta have been in maintenance since May 1, with customers warned about API key issues. The pattern matches the January 2025 PowerSchool breach, which exposed data on 62 million students and is still being followed by ransom demands against individual schools.
TrustStrike Labs