Apple and Google have taken a big step toward securing cross-platform texting, ending years of messages bouncing around in glorified plaintext. Apple announced this week that encrypted Rich Communication Services (RCS) messaging is rolling out in beta for iPhone users running iOS 26.5 and Android users on the latest version of Google Messages. The feature works across supported carriers and adds end-to-end encryption to cross-platform chats that were still taking the scenic route through carrier-era messaging infrastructure. Users will know it's enabled when a lock icon appears in RCS conversations. Apple says E2EE RCS messages cannot be read while traveling between devices, bringing Android-to-iPhone chats closer to the protections offered by WhatsApp and Signal. The move lands as other platforms head in the opposite direction. Earlier this month, Meta confirmed it was backing away from parts of its encryption rollout for Instagram DMs, telling The Register that "very few" people actually used the feature and suggesting privacy-minded users head over to WhatsApp instead. Apple, meanwhile, appears content to lean harder into the privacy angle, finally plugging one of the more obvious holes in modern messaging security. That gap has been hanging around for years. While iMessage chats between Apple devices were already encrypted, conversations involving Android phones could fall back to SMS or unencrypted RCS, depending on carrier support. Google had offered encrypted RCS chats inside Google Messages for years, but only when both sides used Google's ecosystem. Apple joining the party means cross-platform RCS encryption is finally starting to span the two largest mobile ecosystems. The rollout is still marked as beta, and carrier support varies by region, so not everyone will get encrypted chats immediately. UK availability remains unclear for now, as none of the major UK networks currently appear on Apple's published compatibility lists for the feature. Still, after two decades of the mobile industry insisting that interoperability and security could not coexist, cross-platform texting may finally be catching up with the rest of modern messaging. ®

Over 400 malicious versions of 170 packages were published as part of the new Mini Shai-Hulud campaign.

The post TanStack, Mistral AI, UiPath Hit in Fresh Supply Chain Attack appeared first on SecurityWeek.

Pressure is mounting on Instructure, the company behind Canvas, as cybercriminals threaten to leak a trove of sensitive data they claim was stolen during a prolonged cyberattack on the widely used education tech platform.

Widespread outages left schools, students and teachers temporarily unable to access critical data late last week after the company took Canvas offline following additional malicious activity, including a defacement of the platform’s login page. By Friday, the company said Canvas — a central hub for K-12 and university coursework, exams, grades and communication — was back online and fully operational. 

ShinyHunters, a decentralized crew of prolific cybercriminals affiliated with The Com, claimed responsibility for the attack on its data leak site and is attempting to extort the company for an unknown ransom amount. Instructure hasn’t confirmed the existence of a ransom demand and declined to answer questions about its response.

The threat group initially set a deadline of May 6 — four days after Instructure previously said the incident was contained soon after it disclosed the attack — claiming it stole 3.65 terabytes of data spanning 275 million records across 8,809 school systems. 

When that deadline passed without payment, ShinyHunters escalated its pressure on the company by “injecting an extortion message directly into the Canvas login pages of roughly 330 institutions, and pivoted to school-by-school extortion with a current deadline of May 12,” Cynthia Kaiser, senior vice president of Halcyon’s Ransomware Research Center, told CyberScoop.

“The scope makes this one of the largest single education-sector exposures we’ve tracked,” she added.

The additional public pressure prompted Infrastructure to take Canvas offline, disrupting schoolwork and access to critical systems nationwide. 

Instructure CEO Steve Daly apologized over the weekend for the company’s inconsistent communication and deficient public response to the cyberattack. 

“Over the past few days, many of you dealt with real disruption. Stress on your teams. Missed moments in the classroom. Questions you couldn’t get answered. You deserved more consistent communication from us, and we didn’t deliver it. I’m sorry for that,” he said in a statement.

Daly acknowledged that the attack, which remains under investigation aided by CrowdStrike, exposed usernames, email addresses, course names, enrollment information and messages. He insisted that course content, submissions and credentials were not compromised.

The temporary but widespread disruption caused has spurred broad concern across the education sector as ransomware experts and threat hunters continue to track developments. The cyberattack also caught the attention of lawmakers on Capitol Hill. 

The House Homeland Security Committee on Monday published a letter to Daly seeking a briefing with him or a senior leader at Instructure by May 21. 

“The recurrence of an intrusion within days of an initial breach disclosure, and Instructure’s apparent failure to fully remediate the underlying vulnerabilities during that window, raise serious questions about the company’s incident response capabilities and its obligations to the institutions and individuals whose data it holds,” House Homeland Security Chairman Andrew Garbarino, R-N.Y., wrote in the letter to Daly.

The committee wants to learn more about the “circumstances of both intrusions, the the nature and volume of data accessed, the steps Instructure has taken and is taking to contain the threat and notify affected institutions, and the adequacy of the company’s coordination with federal law enforcement and the Cybersecurity and Infrastructure Security Agency,” he added. 

CISA did not describe the extent of its involvement in Instructure’s response. “CISA is aware of a potential cyber incident affecting Canvas. As the nation’s cyber defense agency, we provide voluntary support and cybersecurity services to organizations in responding to and recovering from incidents,” Chris Butera, the agency’s acting executive assistant director for cybersecurity, said in a statement.

Instructure’s timeline of the attack has changed and remains incomplete. The company said it first detected unauthorized activity in Canvas on April 29 and immediately revoked the attacker’s access and initiated an incident response. Researchers not directly involved with the formal investigation said ShinyHunters gained access to Canvas at least a few days earlier.

The follow-on malicious activity on May 7 — the defacement of public login pages — was tied to the same incident, the company said. 

“We have since confirmed that the unauthorized actor carried out this activity by exploiting an issue related to our Free-For-Teacher accounts. This is the same issue that led to the unauthorized access the prior week. As a result, we have made the difficult decision to temporarily shut down Free-For-Teacher accounts,” the company said in an updated post about the incident.

Instructure did not answer questions about the vulnerability or explain how attackers intruded its systems. The company said it also revoked privileged credentials and access tokens for affected systems, rotated internal keys, restricted token creation pathways, and deployed additional security controls and monitoring.

Canvas is fully operational and safe to use, the company said, adding that CrowdStrike has reviewed known indicators of compromise and “found no evidence that the threat actor currently has access to the platform.”

Access still remains spotty and unavailable for some Canvas users as school districts restore the platform in phases after conducting their own internal checks.

Halcyon published an alert about the attack Friday, including a screenshot of the message that some school staff, guardians and students encountered before Instructure took the learning management system offline.

ShinyHunters threatened Instructure and all affected schools to contact the threat group and reach a resolution by end of day Tuesday. The cybercrime group, which has a “known pattern of removing victim entries once communications and negotiations have started,” removed Instructure from its data leak site after it defaced the Canvas login pages, Halcyon said. 

ShinyHunters is a notorious data theft extortion group that previously hit major cloud platforms, including Salesforce and Snowflake, via voice phishing, credential theft and supply-chain attacks. 

“Historically, their claims of compromise typically hold up, but they often exaggerate the impact, scale, and type of data stolen,” Kaiser said.

Education is a recurring and consistent target for cybercriminals. Researchers at Halcyon tracked more than 250 ransomware attacks on education institutions globally last year. Yet, the attack on Canvas stands apart from most of these attacks because of its widespread use and downstream impact.

“This is student, parent, and staff data, including minors, which creates downstream phishing and impersonation risk that will outlast the immediate incident,” Kaiser said. 

“By compromising a shared platform used across thousands of schools, ShinyHunters hit the entire education sector in one move, which is the same playbook Clop ran against Oracle EBS customers last fall,” she added. “Among 2026 incidents against critical infrastructure, this is at or near the top for education-sector impact, and it highlights a trend of third-party software vendors now being part of an attack surface, and causing cascading effects across an entire sector.”

Cybersecurity professionals focused on ransomware and data theft extortion consistently encourage victims to not pay ransoms, but they also often acknowledge that companies have to make tough decisions based on their own interests and the security of their customers or users caught up in the aftermath.

Allison Nixon, chief research officer at Unit 221B, said the threat group claiming responsibility for the attack should not be trusted. 

“They are claiming they will delete the data after they are paid, and if they are not paid that they will leak the data,” she told CyberScoop. “This is in line with the past data extortion scams run by the same and related Com actors, who have made false statements to victims and to the public in the past.”

Instructure hasn’t indicated what it plans to do as part of any effort to prevent the leak of stolen data. 

Daly — a longtime security executive who was previously CEO at Ivanti — ended his mea culpa with a pledge to improve communications and provide a summary of a forensics report soon.

“Last week, we made a call to get the facts right before speaking publicly. That instinct isn’t wrong, but we got the balance wrong. We focused on fact-finding and went quiet when you needed consistent updates. You’ve been clear about that, and it’s fair feedback. We will change that moving forward,” he said. 

“Rebuilding trust takes time,” Daly added. “We’re going to earn it back through consistent action and honest communication.”

The post Pressure mounts on Canvas as data leak extortion deadline looms appeared first on CyberScoop.

Google researchers found a zero-day exploit developed by artificial intelligence and alerted the susceptible vendor to the imminent threat before a well-known cybercrime group initiated a mass-exploitation campaign, the company said in a report released Monday.

The averted disaster probably isn’t the first time attackers used AI to build a zero-day, but it is the first time Google Threat Intelligence Group found compelling evidence that this long-predicted and worrying escalation in vulnerability-exploit development is underway.

“We finally uncovered some evidence this is happening,” John Hultquist, chief analyst at GTIG, told CyberScoop. “This is probably the tip of the iceberg and it’s certainly not going to be the last.”

Google declined to identify the specific vulnerability, which has been patched, or name the “popular open-source, web-based administration tool” it affected. It did, however, note that the defect impacted a Python script that allows attackers to bypass two-factor authentication for the service.

Researchers also withheld details about how they discovered the zero-day exploit or the cybercrime group that was preparing to use it for a large-scale attack spree.

The threat group has a “strong record of high-profile incidents and mass exploitation,” Hultquist said, suggesting the attackers are prominent and well-known among cybersecurity practitioners. 

GTIG is fairly confident the threat group was using AI in a meaningful way throughout the entire process, but it has yet to determine if the technology also discovered the vulnerability it ultimately developed into an exploit.

Whichever AI model the attackers used — Google is confident it wasn’t Gemini or Anthropic’s Mythos — left artifacts throughout the exploit code that are inconsistent with human developers. This evidence, which included documentation strings in Python, highly annotated code and a hallucinated but non-existent CVSS score, tipped Google off to the fact AI was heavily involved, Hultquist said. 

GTIG has been warning about and expecting AI-developed exploits to hit systems in the wild, especially after its Big Sleep AI agent found a zero-day vulnerability in late 2024.

“I think the watershed moment was two years ago when we proved this was possible,” Hultquist said, adding that there are probably several other AI developed zero-days in play now. 

Yet, to him, the discovery of a zero-day exploit developed by AI is less concerning than what this single instance forebodes even further.

“The game’s already begun and we expect the capability trajectory is pretty sharp,” Hultquist said. “We do expect that this will be a much bigger problem, that there will be more devastating zero-day attacks done over this, especially as capabilities grow.”

The post Google spotted an AI-developed zero-day before attackers could use it appeared first on CyberScoop.

The average cyberattack costs for a small- or medium-size business is more than $250,000. The salary for a chief information security officer (CISO) is about the same, pulling in between $250,000 and $400,000, according to the annual 2026 CISO Report from Sophos and Cybersecurity Ventures. Small- and medium-size businesses (SMBs) know they cannot afford the salary, so they roll the dice, hoping they will not be attacked. This is a dangerous gamble that these businesses, which make up the backbone of the American economy, should not have to take. A virtual (vCISO) or fractional CISO (fCISO) can provide a practical solution.

As the American economy goes digital, SMBs now rely on the same building blocks as big enterprises — cloud services, payment systems, remote access, customer data, and other third-party vendors.  But without senior cyber leadership, cybersecurity often becomes a patchwork of tools, checklists, insurance paperwork, and whatever guidance a vendor offers. That may get these companies through a questionnaire; it will not build real resilience. Nearly half, all reported cyber incidents, which is projected to cost the global economy $12.2 trillion annually by 2031, involve smaller firms.

The threat is growing in both size and sophistication. Adversaries are deploying AI to automate reconnaissance, develop malware, and run phishing campaigns at scale.  This reduces the cost and skill needed to target smaller firms at volume. Adversaries are also collecting encrypted data with the intent to decrypt it later when they have access to large enough quantum computers. SMBs in defense, healthcare, and financial supply chains often hold sensitive credentials that provide access into larger enterprise environments, but most are not prepared to adopt quantum-resistant encryption.

SMBs generally understand they face cyber risk. The real gap is leadership: someone who can turn technical vulnerabilities into business decisions, set priorities, brief executives, prepare for audits, and hold vendors accountable. For more SMBs, hiring a full-time CISO is financially unrealistic.

A Virtual CISO provides remote, on-demand cybersecurity leadership and advice, typically supporting several organizations at the same time. A fractional CISO is a dedicated, part-time executive who is more deeply integrated into one organization’s governance, security planning, and day-to-day operations. Both models give smaller organizations access to senior-level cybersecurity expertise in a flexible, more affordable way than hiring a full-time CISO.

Washington should make it easier for SMBs to hire fractional cybersecurity leaders, because the private market is not closing this gap on its own. The Cybersecurity and Infrastructure Security Agency (CISA) and the Small Business Administration (SBA) could help by publishing buyer guidance: vetted criteria for evaluating providers, example scopes of work and deliverables, and real-world case studies that show SMB owners what a high-quality vCISO or fCISO engagement should look like.

Clear guidance matters because many smaller firms cannot easily tell the difference between true cybersecurity leadership and a tool reseller, compliance-only consultant, or a generic managed services contract. Any vetted provider criteria should emphasize proven experience building and running security programs, independence from vendor incentives and product quotas, and the ability to tie security investment to real business risk, not just a list of certifications. Model scopes of work should also spell out the basics every engagement should deliver: an initial risk assessment, a prioritized remediation roadmap, and simple metrics that show whether security is improving over time. Without clear buyer criteria, federal efforts could end up funding low-quality services that add cost and paperwork without making companies safer.

The National Institute for Standards and Technology (NIST) should recognize these CISO models in its SMB-focused Cybersecurity Framework guidance. That would help smaller firms turn the framework’s Govern, Identify, Protect, Detect, Respond, and Recover functions into a clear, accountable leadership structure. This would make these roles less abstract: the point is not merely providing advice, but taking executive-level ownership of risk priorities, vendor oversight, incident readiness, and communication with the owner or board.

Congress and the Treasury Department should consider targeted tax incentives or credits for qualified cybersecurity leadership services, tied to measurable risk-reduction outcomes. Eligible activities could include completing a risk assessment, building a incident response plan, conducting vendor security reviews, running employee training, and producing a remediation roadmap. SMBs often defer cybersecurity because every dollar competes with payroll, inventory, and growth. A targeted incentive would make security leadership easier to justify as a business investment rather than an optional add-on.

Federal acquisition officials should require contractors that handle sensitive government data to show it has executive-level cybersecurity oversight, whether it is full-time, virtual, or fractional, and should extend that expectation down to relevant subcontractors and suppliers. This is necessary because SMBs serve as entry points into defense, healthcare, financial, and critical infrastructure supply chains.

Finally, CISA and the SBA should support vCISO- and fractional-CISO-led workforce training. Employees improve security when training comes with leadership, regular reinforcement, and clear accountability, not just annual awareness training. The aim is not to turn every SMB into a Fortune 500 security shop. It should be to give smaller firms access to the leadership they need before the next incident forces the issue.

Georgianna Shea, who is a Doctor of Computer Science, is chief technologist at the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation and its Transformative Cyber Innovation Lab, where Cason Smith served as a summer 2025 intern. Cason is studying integrated information technology at the University of South Carolina.

The post The missing cybersecurity leader in small business appeared first on CyberScoop.

cURL creator Daniel Stenberg says Anthropic's hyped Mythos bug-hunting model found only one confirmed low-severity vulnerability in cURL, plus a few non-security bugs, after he expected a much longer list. He argues Mythos may be useful, but not meaningfully beyond other modern AI code-analysis tools. "My personal conclusion can however not end up with anything else than that the big hype around this model so far was primarily marketing," Stenberg said a blog post. "I see no evidence that this setup finds issues to any particular higher or more advanced degree than the other tools have done before Mythos." He went on to call Mythos "an amazingly successful marketing stunt for sure." The Register reports: Stenberg explained in a Monday blog post that he was promised access to Anthropic's Mythos model - sort of - through the AI biz's Project Glasswing program. Part of Glasswing involves giving high-profile open source projects access via the Linux Foundation, but while Stenberg signed up to try Mythos, he said he never actually received direct access to the model. Instead, someone else with access ran Mythos against curl's codebase and later sent him a report. "It's not that I would have a lot of time to explore lots of different prompts and doing deep dive adventures anyway," Stenberg explained. "Getting the tool to generate a first proper scan and analysis would be great, whoever did it." That scan, which analyzed curl's git repository at a recent master-branch commit, was sent back to him earlier this month, and it found just five things that it claimed were "confirmed security vulnerabilities" in cURL. Saying he had expected an extensive list of vulnerabilities, Stenberg wrote that the report "felt like nothing," and that feeling was further validated by a review of Mythos' findings. "Once my curl security team fellows and I had poked on this short list for a number of hours and dug into the details, we had trimmed the list down and were left with one confirmed vulnerability," Stenberg said, bringing us back to the aforementioned number. As for the other four, three turned out to be false positives that pointed out cURL shortcomings already noted in API documentation, while the team deemed the fourth to be just a simple bug. "The single confirmed vulnerability is going to end up a severity low CVE planned to get published in sync with our pending next curl release 8.21.0 in late June," the cURL meister noted. "The flaw is not going to make anyone grasp for breath."

Read more of this story at Slashdot.

The breach is limited to GeForce NOW users in just one country, and no passwords were stolen.

A maintainer wants a first-aid kit for the Linux kernel and a proposal is currently being reviewed.

Its popularity may have been faked, though, as the "likes" all came from auto-generated accounts.

Palantir and other external contractors will receive "unlimited access" to identifiable patient data.

Between May 6 and 7, it was dangerous to install JDownloader from alternative links on the site.

Checkmarx warned over the weekend that a rogue version of its Jenkins Application Security Testing (AST) plugin had been published on the Jenkins Marketplace. [...]

A security researcher has released a proof-of-concept tool named GhostLock that demonstrates how a legitimate Windows file API can be abused in attacks to block access to files stored locally or on SMB network shares. [...]

Education technology giant Instructure has confirmed that a security vulnerability allowed hackers to modify Canvas login portals and leave an extortion message. [...]

Resetting a password doesn't always remove attackers from Active Directory. Specops Software explains how cached credentials and Kerberos tickets can keep attackers authenticated after a reset. [...]

Researchers at Google Threat Intelligence Group (GTIG) say that a zero-day exploit targeting a popular open-source web administration tool was likely generated using AI. [...]

This upcoming webinar explores how organizations need to combine security, backups, and recovery planning to reduce the impact of modern cyberattacks. [...]

A new variant of the TrickMo Android banking malware, delivered in campaigns targeting users across Europe, introduces new commands and uses The Open Network (TON) for stealthy command-and-control communications. [...]

Japan’s prime minister Sanae Takaichi has ordered a review of government cybersecurity strategy, citing the arrival of Anthropic’s bug-hunting model Mythos as a moment that makes it necessary to order a cabinet-level project. In a Tuesday cabinet meeting, the PM instructed cybersecurity minister Hisashi Matsumoto to devise measures to check the state of government systems to determine whether it’s possible to detect and fix vulnerabilities, and to develop a plan to ensure critical infrastructure operators can do likewise. Japan’s leader ordered the checks because she feels Mythos and similar frontier models may be misused, and that attacks on infrastructure may therefore increase in speed and scale – perhaps even exponentially. Over the last couple of years cybersecurity vendors and researchers have often pointed out that AI models make it possible to find flaws and automate attacks. When Anthropic debuted Mythos in early April, the notion that AI has the potential to vastly complicate the security landscape went mainstream. Many regulators around the world have issued guidance to point out that now is the perfect time to revisit and improve security strategies and capabilities, because Mythos and other AI models mean defenses are going to be tested like never before. India’s securities regulator went a step further by ordering a security review at the organizations it oversees. And now Japan’s leader has decided the matter is of sufficient importance that her office needs to weigh in and set new policy to ensure AI doesn’t go on a destructive rampage through Japanese infrastructure. Whether Takaichi’s urgency is needed is open to debate. Some researchers have said that while Mythos can find bugs at speed, but doesn’t find flaws humans can’t detect with their naked brains. Others suggest Mythos is not vastly better at finding bugs than open source models that pre-date it and are publicly available – unlike Mythos which is restricted to certain users. Others have all but dismissed Mythos as a marketing stunt. ® .

Ed-tech giant Instructure confirmed two rounds of unauthorized activity affecting its online learning platform Canvas within two weeks as data-theft-and-extortion crew ShinyHunters threatened to leak data it claims belongs to more than 275 million students, teachers, and staff tied to nearly 9,000 schools worldwide. In a security incident update, Instructure apologized for the disruption when Canvas went offline last Thursday, leaving thousands of colleges, universities, and K-12 schools without access to course materials, grades, and due dates during final exams and Advanced Placement testing for many. As of Saturday, the parent company claimed, “Canvas is fully back online and available for use.” And it finally broke its silence on Monday about what happened, admitting not one but two intrusions after criminals exploited a security vulnerability in its Free-for-Teacher learning system, and saying the data thieves stole information including usernames, email addresses, course names, enrollment information, and messages. “Core learning data (course content, submissions, credentials) was not compromised,” the Monday disclosure said. “We're still validating all findings, but we want to be clear about what we understand was and wasn't affected.” On April 29, the online education firm “detected unauthorized activity in Canvas,” immediately revoked the intruder’s access, and initiated a probe into the breach, according to Instructure’s notice posted on its website. On May 7, the company “identified additional unauthorized activity tied to the same incident.” ShinyHunters defaced about 330 Canvas school login portals, also exploiting the same Free-for-Teacher vulnerability, and that caused the ed-tech firm to take Canvas offline and “into maintenance mode to contain the activity.” ShinyHunters claims it stole 3.65 TB of data, including about 275 million records from about 8,800 schools including Harvard, Columbia, Rutgers, Georgetown, and Stanford universities. After moving the pay-or-leak deadline multiple times, ShinyHunters set a final deadline of end-of-day May 12 for individual institutions to contact them directly to negotiate payment - or the group will publish the full dataset. In response, Instructure said it temporarily shut down its Free-for-Teacher accounts. It also revoked privileged credentials and access tokens tied to compromised systems, rotated internal keys, restricted token creation pathways, and added monitoring across all platforms. The education platform hired CrowdStrike to assist with its forensic analysis and incident response, and said it also notified the FBI - which published its own alert on social media - and the US Cybersecurity and Infrastructure Security Agency. This is Instructure’s second breach in less than a year. ShinyHunters claimed to have breached Instructure's Salesforce environment in September 2025, and while Instructure didn’t name the crew in its latest disclosure, it did address the intrusion. “The prior Salesforce-related incident and this Canvas security incident are distinct events involving different systems and circumstances,” the company said. ® UPDATED AT 01:10 UTC MAY 12 Instructure At 10:21 UTC on May 11, Instructure updated its incident report to state "All Canvas environments are available." The company also admitted it "reached an agreement with the unauthorized actor involved in this incident" and secured stolen data." "We received digital confirmation of data destruction (shred logs)," the company said, adding "We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise." Further: "This agreement covers all impacted Instructure customers, and there is no need for individual customers to attempt to engage with the unauthorized actor." The statement makes it hard not to conclude that Instructure took the controversial decision to pay a ransom. "While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible," the statement adds. There is no honor among thieves.