
Weekly Cyber Threat Digest: Major Breaches, AI Flaws, and Critical Patches (May 11)

Published 2026-05-20 12:34:12 · Education & Careers

This week's threat intelligence report highlights a series of significant cyber incidents, from large-scale data breaches affecting educational institutions and retail giants to novel attack vectors exploiting AI assistants. Additionally, critical vulnerabilities in widely used enterprise software demand immediate patching. Below, we break down the key findings from the week of May 11.

Top Attacks and Breaches

Instructure (Canvas) Breach Hits Students and Staff

In a major incident, Instructure, the US education technology company behind the Canvas learning platform, confirmed a data breach affecting its cloud-hosted environment. Exposed data includes student and staff records, as well as private messages. The threat group ShinyHunters escalated the attack by defacing hundreds of school login portals with ransomware-like messages. This incident underscores the growing risks to educational cloud services.

Source: research.checkpoint.com

Zara Data Breach via Third-Party Vendor

Zara, the flagship brand of Spanish fashion group Inditex, experienced a data breach linked to a third-party technology provider. Inditex confirmed unauthorized access, and security experts verified that 197,400 unique email addresses, along with order IDs, purchase history, and customer support tickets, were exposed. This breach highlights the cascading risks of vendor ecosystems.

Mediaworks Extortion Attack Exposes 8.5TB of Data

Hungarian media company Mediaworks—which operates dozens of newspapers and online outlets—was hit by a data-theft extortion attack. The company confirmed an intrusion after the cybercriminal group World Leaks posted 8.5 TB of internal files online. The leaked data reportedly includes payroll records, contracts, financial documents, and internal communications.

Škoda Online Shop Compromised

Czech automaker Škoda fell victim to a security incident affecting its online shop. Attackers exploited a software flaw to gain unauthorized access. Exposed customer data may include names, contact details, order history, and login credentials. However, the company stated that passwords and payment card data were not compromised.

AI Threats

Critical WebSocket Hijack in Cline AI Agent

Researchers uncovered a critical WebSocket hijacking vulnerability in Cline's local Kanban server, impacting the widely used open-source AI coding agent. The flaw, rated CVSS 9.7, was patched in version 0.1.66. It allowed any website a developer visited to exfiltrate workspace data and inject arbitrary commands into the AI agent. This demonstrates how AI tools can become a vector for supply-chain attacks.
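A general defence against the cross-site WebSocket hijacking class described above, as an added example; it is not Cline's code or its 0.1.66 fix. It shows a handshake policy for a localhost-only WebSocket server that rejects foreign origins, rebinding hosts, and clients without a per-session secret. The port, the allowlists and the `token` query parameter are assumptions made for illustration.

```javascript
// Added example: handshake policy for a localhost-only WebSocket server.
// PORT, the allowlists and the "token" query parameter are hypothetical.
const PORT = 3484; // constructed value
const ALLOWED_ORIGINS = new Set([`http://127.0.0.1:${PORT}`, `http://localhost:${PORT}`]);
const ALLOWED_HOSTS = new Set([`127.0.0.1:${PORT}`, `localhost:${PORT}`]);

// Length-checked comparison that does not return early on the first mismatch.
function constantTimeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// headers: lower-cased header map (the shape of req.headers in Node's http module)
// url: request target of the upgrade request, e.g. "/ws?token=..."
// sessionToken: random secret the server generated at start-up and handed
//               only to its own UI
function checkUpgrade(headers, url, sessionToken) {
  // Browsers attach Origin to every WebSocket handshake and page script
  // cannot override it, so a foreign web page is rejected here.
  const origin = headers["origin"];
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) {
    return { ok: false, reason: "origin" };
  }
  // A Host value outside the loopback allowlist indicates DNS rebinding
  // or a request that was never meant for this server.
  if (!ALLOWED_HOSTS.has(headers["host"])) {
    return { ok: false, reason: "host" };
  }
  // Non-browser clients can omit Origin entirely, so the session token is
  // the check that always applies.
  const token = new URL(url, "http://localhost").searchParams.get("token");
  if (!constantTimeEqual(token, sessionToken)) {
    return { ok: false, reason: "token" };
  }
  return { ok: true, reason: null };
}

// Wiring sketch for Node's http server:
//   server.on("upgrade", (req, socket) => {
//     if (!checkUpgrade(req.headers, req.url, TOKEN).ok) {
//       socket.write("HTTP/1.1 403 Forbidden\r\n\r\n");
//       socket.destroy();
//     }
//   });
```

The decision is made before the upgrade completes, so a rejected client never gets a socket on which to read workspace data or send commands.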


Claude in Chrome Extension Flaw Enables Agent Hijacking

Security researchers found a flaw in Anthropic's Claude in Chrome extension that allowed other browser extensions to hijack the AI agent. The issue enabled malicious prompts to trigger unauthorized actions and access sensitive browser-connected data. This case shows how AI assistants can expand the browser attack surface.

InstallFix Campaign: Fake Claude Installer via Google Ads

Researchers detailed an InstallFix campaign using fake Claude AI installer pages promoted through Google Ads to infect Windows and macOS users. Victims were tricked into running commands that launched multi-stage malware, stole browser data, disabled protections, and established persistence via scheduled tasks.

Vulnerabilities and Patches

Progress MOVEit Automation: Two Critical Flaws

Progress alerted customers to two critical vulnerabilities in MOVEit Automation managed file transfer software:

  • CVE-2026-4670 – a critical authentication bypass allowing unauthorized access.
  • CVE-2026-5174 – a privilege escalation flaw.

Fixes are available in versions 2025.1.5, 2025.0.9, and 2024.1.8. Organizations using MOVEit Automation should prioritize patching.

Ivanti EPMM Zero-Day Patched

Ivanti has fixed CVE-2026-6973, a high-severity vulnerability in Endpoint Manager Mobile (EPMM) that was exploited as a zero-day. The flaw affects EPMM 12.8.0.0 and earlier and allows attackers with administrator permissions to achieve remote code execution. Hundreds of appliances are believed to be affected, and immediate patching is strongly recommended.

For a complete list of this week's threats and indicators of compromise, download the full Threat Intelligence Bulletin.