In today’s cybersecurity news…
Instructure reaches an “agreement” with ShinyHunters
In “things that won’t come back to bite them later” news, Instructure, the company that makes the edtech platform Canvas, said it “reached an agreement” with the group that breached their systems twice in two weeks, ShinyHunters. The company said the group provided evidence that the stolen data from its systems was destroyed, and received assurance that Canvas customers would not be extorted. No word on any specific financial terms paid by Instructure or what meaningful assurance they could have received. ShinyHunters removed Instructure from its leak site.
Shai Hulud campaign is back
Since its appearance last September, this campaign by TeamPCP has undergone several iterations, all focused on supply-chain attacks to steal developer credentials. This latest effort saw the group use valid OpenID Connect tokens to publish dozens of malicious packages for TanStack on npm, before spreading to other projects such as Mistral AI, OpenSearch, and UiPath. Since these used valid tokens, developers saw them as cryptographically authentic. Endor Labs highlighted a novel trick used by the campaign: an orphan commit pushed to a TanStack fork, making it accessible through GitHub’s shared fork object storage. This commit was then referenced in the malicious dependencies. Once infected, the infostealer malware writes itself into VS Code and Claude Code auto-run hooks, ensuring it persists even after uninstallation. The malware implements geofencing logic to prevent execution when Russian-language settings are detected, and includes probabilistic, recursive wipe commands if the environment appears to be in Israel or Iran.
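Because the malicious dependencies pointed at a git commit rather than a registry tarball, one defensive check is to audit a lockfile for any dependency that resolves outside the registry. The sketch below is an added example, not code from Endor Labs or the affected projects; the lockfile contents, package names and commit hash are constructed, and the allowed-host list is an assumption to adapt.

```javascript
// Added example: flag git-sourced or off-registry dependencies in an npm lockfile (v2/v3).
const GIT_SPEC = /^(git\+|git:|github:|gitlab:|bitbucket:)|^[\w.-]+\/[\w.-]+(#.+)?$/;
const COMMIT_PIN = /#([0-9a-f]{7,40})$/i;

// Returns a human-readable reason if the spec is not a plain registry reference, else null.
function classify(spec, allowedHosts) {
  if (GIT_SPEC.test(spec)) {
    const m = spec.match(COMMIT_PIN);
    return m ? `git source pinned to commit ${m[1]}` : 'git source';
  }
  if (/^https?:\/\//.test(spec)) {
    const host = new URL(spec).hostname;
    if (!allowedHosts.includes(host)) return `tarball from non-registry host ${host}`;
  }
  return null;
}

function auditLockfile(lock, allowedHosts = ['registry.npmjs.org']) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (entry.link) continue; // workspace symlink, nothing fetched remotely
    const where = path || '(root)';
    if (entry.resolved) {
      const reason = classify(entry.resolved, allowedHosts);
      const name = path.split('node_modules/').pop();
      if (reason) findings.push({ where, name, spec: entry.resolved, reason });
    }
    // Transitive specs matter: a registry package can itself point at a git commit.
    for (const field of ['dependencies', 'optionalDependencies', 'devDependencies']) {
      for (const [name, spec] of Object.entries(entry[field] || {})) {
        const reason = classify(spec, allowedHosts);
        if (reason) findings.push({ where, name, spec, reason });
      }
    }
  }
  return findings;
}

// Constructed sample lockfile (hypothetical names and hash).
const SHA = '0123456789abcdef0123456789abcdef01234567';
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', dependencies: { 'left-lib': '^2.1.0' } },
  'node_modules/left-lib': { version: '2.1.4',
    resolved: 'https://registry.npmjs.org/left-lib/-/left-lib-2.1.4.tgz',
    optionalDependencies: { 'helper-kit': `github:example-owner/example-repo#${SHA}` } },
  'node_modules/helper-kit': { version: '0.0.1',
    resolved: `git+ssh://git@github.com/example-owner/example-repo.git#${SHA}` },
} };
console.log(auditLockfile(sampleLock));
```

A commit-pinned GitHub reference deserves manual review even when the repository name looks legitimate, since the commit may exist only in a fork and never on any branch of the named repository.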
OpenAI launches Daybreak
This new cybersecurity initiative uses OpenAI’s Codex Security and several GPT-5.5 models to create an editable threat model for a repository, with an emphasis on real-world attack paths and high-impact code. It will then test vulnerabilities in a sandbox and propose mitigations and fixes. Daybreak isn’t generally available yet. On its launch sites, users can request a vulnerability scan or contact sales to request access. Like the Mythos rollout, OpenAI says it’s working with industry and government partners to get ready to deploy these kinds of cyber-capable models.
EU members exporting surveillance tech
According to export records obtained through Freedom of Information requests by Human Rights Watch, six European Union member countries have exported surveillance tech to countries with previous records of human rights abuses. Bulgaria, the Czech Republic, Denmark, Finland, and Poland sold surveillance technologies to over two dozen countries with documented cases of repressing activists and journalists. This may only represent a subset of countries involved in the practice, as France, Germany, Greece, Italy, and Spain declined to share any export data. The data obtained by Human Rights Watch does not specify the names of the companies exporting the tech. The EU introduced regulations in 2021 to heavily regulate the export of surveillance technology.
Huge thanks to our sponsor, Doppel

But Doppel sees through the disguise. Our AI-native platform detects and disrupts attacks across every channel, while training employees to recognize deepfakes and deception.
We fight relentlessly to protect your business, brand, and people.
Doppel. Outpacing what’s next in social engineering.
Learn more at doppel.com
The government giveth and taketh away AI models
Last week, the U.S. Commerce Department announced that it reached an agreement with Google, xAI, and Microsoft to test AI models for security vulnerabilities on their systems ahead of their general release. However, this week, the U.S. Commerce Department removed that announcement from its site. No word from the Commerce Department on why the change was made.
In related news, the Pentagon announced it’s deploying Anthropic’s Mythos model to look for vulnerabilities across the U.S. government. According to DOD Chief Technology Officer Emil Michael, the Pentagon still plans to remove Anthropic products from its work in the coming months, but said that Mythos represented “a national security moment.”
Android gets Intrusion Logging
Google announced a new feature for Android, developed in partnership with Amnesty International, called Intrusion Logging. This is a feature of Android Advanced Protection Mode and is designed to provide logs specifically made for forensic investigations. These logs will record security incidents such as unlocking, physical access, and the installation or removal of spyware. At launch, this is only available on Android 16 and only on Pixel devices. Amnesty International frames this as “the first major vendor to proactively address the challenge of detecting advanced attacks on device.”
Cross-platform end-to-end encrypted RCS arrives on mobile
Apple and Google announced a beta rollout of end-to-end encrypted Rich Communication Services (or RCS) messaging. The rollout implements the GSM Association’s RCS Universal Profile 3.0. This will be available on iOS 26.5 and the latest version of Google Messages, although availability relies on carrier activation. Encrypted messages will show a lock icon in chat. This feature will be enabled by default, with Apple committing to apply encryption to existing RCS threads. Up until now, Android and iOS have had native end-to-end encrypted messaging, but this didn’t extend across platforms.
West Pharmaceutical still recovering from ransomware
According to filings with the U.S. Securities and Exchange Commission, the pharma giant West Pharmaceutical Services suffered a ransomware attack on May 4th, causing a “proactive shutdown and isolation of affected on-premise infrastructure.” This caused a temporary disruption to the company’s business operations globally. As of this recording, core enterprise systems and processes around shipping, receiving, and manufacturing have restarted at some locations, but the company does not yet have a complete timeline for a full restore. No known ransomware group has claimed responsibility for the attack, which may indicate that a ransom was paid. It’s unclear what data was stolen and how many people might have been impacted.
RubyGems suspends account sign-ups
The standard package manager for Ruby, creatively named RubyGems, announced it is “dealing with a major malicious attack.” This has impacted hundreds of packages, mostly targeting RubyGems, but some carrying active exploits. As a result, it temporarily suspended new account signups. No word on who is behind the attack. The company securing RubyGems, Mend.io, said it will release more details once it contains the attack.






