This Week in Cybersecurity: 275 Million Canvas Records, a Palo Alto Firewall Zero-Day, and AI Writes Its First Real Exploit

Explore this content with AI:

ChatGPT | Perplexity | Claude | Google AI Mode

Canvas / Instructure breached twice in eight days; ShinyHunters claims 275 million records and 8,809 institutions

On May 7, ShinyHunters defaced hundreds of school login portals on the Canvas learning platform with a ransom message, ending a week-long extortion sequence that has now been called the largest known education-sector breach on record. The initial intrusion at Canvas operator Instructure was detected on April 29, and the company said it had revoked the intruder's access and contained the incident. ShinyHunters' May 7 follow-up defacement — which replaced the Canvas login page with a ransomware-style notice — made clear that containment had not held. The group claimed it had exfiltrated 3.65 TB of data covering roughly 275 million students, teachers, and staff across 8,809 universities, school districts, and education ministries worldwide.

On May 11, Instructure confirmed it had reached a payment agreement with ShinyHunters and that the stolen dataset had reportedly been destroyed as part of the deal. The disclosed scope of the exfiltrated data includes usernames, email addresses, course enrollments, instructor and student names, and private messages exchanged through the platform. Passwords and payment data were not affected, according to Instructure. Some institutions were locked out of Canvas during finals week, with school IT teams scrambling to issue manual workarounds for grading and final exams.

Why it matters: Whatever Instructure was able to negotiate, the underlying dataset has been outside the company's control for at least two weeks — and "destroyed as part of the deal" is functionally an honor-system claim. Education sector security operates on different economics than most enterprise verticals, with stretched IT staff, sprawling third-party integrations, and PII collection mandated by accreditation rather than chosen by the organization. The lesson from this breach is operational, not technical: any organization whose business model requires it to aggregate millions of records from thousands of customers needs a recovery playbook that does not depend on the attacker's promises. For institutions that integrate with Canvas, treat the next 30 days as elevated phishing risk — student and staff identifiers from this dataset will fuel targeted social engineering for months.

Read more at The Hacker News

Palo Alto firewall captive portal zero-day exploited as root for four weeks before disclosure (CVE-2026-0300)

On May 5, Palo Alto Networks disclosed CVE-2026-0300, a critical buffer overflow in the User-ID Authentication Portal — the captive portal service in PAN-OS — that allows unauthenticated remote code execution with root privileges on internet-exposed PA-Series and VM-Series firewalls. The company's Unit 42 writeup reconstructed the campaign back to April 9, when attackers began probing exposed captive portal endpoints. Within a week, those probes had escalated to working RCE and shellcode injection. Post-exploitation, attackers dropped EarthWorm and ReverseSocks5 — network tunneling tools previously attributed to China-nexus groups, including Volt Typhoon and APT41 — to establish persistent proxy access to compromised environments.

Palo Alto Networks stopped short of formal attribution but said the activity pattern is consistent with a state-sponsored operator. Shadowserver is tracking more than 5,800 PAN-OS VM-Series firewalls currently exposed online, the majority in Asia (2,466) and North America (1,998). Software fixes are expected to begin rolling out on May 13. Until patches arrive, Palo Alto is recommending customers restrict captive portal access to known IP ranges, audit firewall configurations and logs for the EarthWorm and ReverseSocks5 indicators of compromise published by Unit 42, and treat any internet-facing PA/VM-Series device as potentially exposed since April 9.

Why it matters: Network edge appliances remain the highest-value initial access target for state-sponsored actors, and 2026 has now seen exploited zero-days in three major firewall product lines — Cisco ASA, Fortinet FortiClient EMS, and now PAN-OS. The pattern is recurring because the targets are stable: a successful exploit on an internet-facing security appliance grants persistent access with implicit network trust on the inside. Organizations running PA or VM-Series firewalls should assume that anything internet-facing without restricted captive portal access has had a 4-week exposure window and audit accordingly. Patch immediately on May 13.

Read more at BleepingComputer

Google identifies the first AI-developed zero-day used in mass exploitation

On May 11, Google's Threat Intelligence Group published what it described as the first confirmed instance of an AI-developed zero-day exploit observed in active mass exploitation. The exploit — a Python script that bypassed two-factor authentication on a popular open-source web-based system administration tool — was attributed to a "prominent cybercrime group" that GTIG declined to name. Google also withheld the name of the affected tool while coordinating disclosure with the vendor.

The forensic case for AI authorship is the part of the story worth lingering on. GTIG assessed with high confidence that an AI model was used to discover and weaponize the flaw, citing what the report calls "all the hallmarks typically associated with large language model-generated code": a textbook Pythonic structure, an abundance of educational docstrings explaining each step, and — strikingly — a hallucinated CVSS score embedded in a comment, listed against a CVE identifier that did not yet exist. The vulnerability itself was a semantic logic flaw rooted in a hard-coded trust assumption in the target tool's authentication flow — the kind of pattern that pattern-completion systems trained on broad code corpora are unusually well-suited to spot. The exploit required valid user credentials, putting it in the post-credential-theft attack stage rather than fully unauthenticated. GTIG noted, however, no evidence that any specific commercial AI product was used in the operation.

Why it matters: This is the moment the security community has been preparing for, and it has arrived at the lower end of where most threat models placed it: a working zero-day exploit, produced cheaply enough to be discarded in a mass-exploitation campaign, against widely used administrative software. Two structural implications follow. First, the cost curve for novel exploit development has bent, and the volume of usable zero-days will scale with model capability rather than with attacker skill. Second, semantic logic flaws — the category that's hardest for traditional code review and SAST tools to catch — are exactly what current models are best at finding. Defenders should expect the velocity of new exploit chains to increase, particularly against open-source admin tools, and start factoring AI-discovered logic flaws into the prioritization tier of any code audit program.

Read more at The Hacker News

TeamPCP backdoors a Checkmarx Jenkins plugin in its third supply chain attack on the same vendor

On May 9, TeamPCP — the threat group behind the April 22 Checkmarx KICS and Bitwarden CLI compromises we covered two weeks ago — uploaded a backdoored version of Checkmarx's Jenkins Application Security Testing plugin to the official Jenkins Marketplace at plugins.jenkins.io. The malicious release was live for roughly 31 hours before being pulled on May 10. TeamPCP also gained access to the plugin's GitHub repository and renamed it to "Checkmarx-Fully-Hacked-by-TeamPCP-and-Their-Customers-Should-Cancel-Now," with a new description reading "Checkmarx fails to rotate secrets again. with love – TeamPCP" — a public-facing taunt rather than a typical operational signature.

Checkmarx confirmed in its incident update that TeamPCP obtained the credentials used in this attack from the earlier Trivy supply chain compromise in March, meaning the group has been working through Checkmarx's interconnected developer-tooling estate one product at a time. The Jenkins plugin payload behaves as a credential harvester, exfiltrating any secrets visible to the Jenkins runner, including GitHub tokens, AWS/GCP/Azure credentials, Kubernetes configs, SSH keys, and any API keys stored in environment variables. The repositories visible on the compromised release account bear obvious markers — kralizec-navigator-709, tleilaxu-thumper-952, ghola-cogitor-195 — with the description "A Mini Shai-Hulud has Appeared," tying this campaign visually to the broader Shai-Hulud supply chain framework that hit SAP npm packages earlier this month.

Why it matters: The Checkmarx pattern is now a case study in how a single credential breach cascades through an interconnected vendor's product surface over months. Any Jenkins instance that installed the Checkmarx AST plugin during the May 9 – May 10 exposure window should treat all secrets accessible to that runner as exposed and rotate them immediately — GitHub tokens, cloud provider credentials, Kubernetes configs, SSH keys, and anything in environment variables. Checkmarx is advising customers to run version 2.0.13-829.vc72453fa_1c16 (published December 17, 2025) or the newly released 2.0.13-848.v76e89de8a_053. More structurally: if your CI/CD pipeline depends on multiple Checkmarx products, treat the entire estate as potentially compromised until Checkmarx publishes a credential-rotation completion audit.

Read more at The Hacker News

Trellix breach: RansomHouse claims responsibility, alleges far deeper access than source code

On May 7, the RansomHouse ransomware group claimed responsibility for the Trellix source code repository breach we covered last week, listing the company on its data-leak site and dating the initial intrusion to April 17 — roughly two weeks before Trellix's May 2 disclosure. RansomHouse marked the breach status as "Evidence Depends on You," the group's stock language for ongoing negotiations, and published screenshots that — if authentic — show access extending well beyond the source code repository that Trellix had disclosed. Cybernews researchers who reviewed the published material reported that it may indicate access to internal VMware, Rubrik, and Dell EMC systems.

Trellix has not updated its public statement to address the RansomHouse claim. The company's original May 2 disclosure noted that, based on its investigation to date, there was no evidence the stolen code had been exploited or that customer data had been accessed. Whether either of those statements survives contact with the additional material RansomHouse may publish in the coming weeks is now an open question.

Why it matters: Two patterns from this story are worth tracking. First, the initial-disclosure-to-full-scope gap: RansomHouse's claimed timeline puts the intrusion 15 days before Trellix's disclosure, and the scope they're claiming is materially broader than what Trellix described. Whether that's accurate or extortion theater, the gap between initial disclosure and final scope clarity in high-profile breaches is now routinely measured in weeks. Second, attribution to RansomHouse is consistent with a financial-extortion model, not a state-aligned one, which lowers the probability that this material will be weaponized against Trellix-protected environments for intelligence purposes but raises the probability that it will be sold or leaked publicly if Trellix declines to pay. Customers running Trellix products should ask their account teams for an updated risk assessment in light of the claimed scope.

Read more at BleepingComputer

Final thoughts

Three of this week's stories — Canvas, the Palo Alto firewall zero-day, and the AI-developed 2FA bypass — share a common theme: scale that wasn't supposed to be available to attackers. ShinyHunters extracted 275 million records by exploiting one platform that aggregated data from 8,800 schools. A single buffer overflow in internet-facing PAN-OS captive portals put 5,800 firewalls — and the networks behind them — within reach of a single operation. And the AI-developed Python exploit suggests novel zero-day generation is now within the budget of cybercrime groups rather than reserved for state programs.

The TeamPCP and RansomHouse stories complete the picture from the other direction: persistence and patience. TeamPCP is working through Checkmarx's product estate, one credential reuse at a time, three attacks in. RansomHouse's claimed Trellix timeline shows attackers sitting on access for two weeks before public disclosure caught up.

Together, this week's headlines argue that the defender's planning horizon needs to lengthen — assume initial access happened weeks before you'll hear about it, assume disclosed scope will expand, and assume the attackers running today's mass-exploitation campaigns have more leverage than they did a quarter ago. Check back next Tuesday for another roundup.