Weekly Cyber Threat Digest: May 11th Edition

Introduction

This week's threat intelligence roundup covers significant data breaches, emerging AI security risks, and critical vulnerabilities that demand immediate attention. From educational platforms to retail giants, attackers continue to exploit weaknesses in both human and technical defenses. Below is a detailed breakdown of the most notable incidents and patches from the week of May 11th.

Weekly Cyber Threat Digest: May 11th Edition
Source: research.checkpoint.com

Top Attacks and Breaches

Canvas Platform Attack Exposes Student and Staff Data

The US education technology company Instructure, which operates the widely used Canvas learning management system, has confirmed a major data breach in its cloud-hosted environment. The incident exposed sensitive records including student and staff information along with private messages. The threat actor group known as ShinyHunters escalated the attack by defacing hundreds of school login portals with ransom demands, adding a layer of extortion to the data theft.

Zara Data Breach Linked to Third-Party Vendor

Zara, the flagship brand of Spanish fashion conglomerate Inditex, suffered a data breach connected to a third-party technology provider. Inditex acknowledged unauthorized access, and security experts verified that approximately 197,400 unique email addresses, order identifiers, purchase histories, and customer support tickets were compromised. The breach underscores the risks of supply chain dependencies in retail.

Hungarian Media Giant Mediaworks Hit by Extortion Attack

Mediaworks, a major Hungarian media company operating dozens of newspapers and online outlets, fell victim to a data-theft extortion attack. The company confirmed an intrusion after the leak site World Leaks published 8.5 terabytes of internal files online. Exposed data reportedly includes payroll records, contracts, financial documents, and internal communications, signaling a severe operational and reputational blow.

Škoda Online Shop Compromised via Software Flaw

Czech automaker Škoda experienced a security incident affecting its online store after attackers exploited a software vulnerability to gain unauthorized access. Exposed customer data may include names, contact details, order history, and login credentials. However, the company stated that passwords and payment card information were not affected, limiting the potential for financial fraud.

AI Threats

Critical WebSocket Hijacking Found in Cline's Kanban Server

Researchers have uncovered a critical WebSocket hijacking vulnerability in the local Kanban server of Cline, an open-source AI coding agent widely used by developers. The flaw, rated CVSS 9.7, allowed any website a developer visited to exfiltrate workspace data and inject arbitrary commands into the AI agent. It has been patched in version 0.1.66, making immediate updates essential.
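The digest does not say how version 0.1.66 closes the hole, so the sketch below is an added example, not Cline's code: it shows the usual handshake checks that stop a visited website from opening a WebSocket to a developer tool listening on localhost. The port, allow-lists, token scheme and sample requests are assumptions constructed for illustration.

```javascript
// Constructed example: PORT, the allow-lists and the token scheme are assumptions.
const PORT = 3484; // hypothetical loopback port
const ALLOWED_HOSTS = new Set([`localhost:${PORT}`, `127.0.0.1:${PORT}`]);
const ALLOWED_ORIGINS = new Set([...ALLOWED_HOSTS].map((h) => `http://${h}`));

// Length-checked comparison that does not exit early on the first mismatch.
function constantTimeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Decide whether an HTTP Upgrade request may become a WebSocket session.
function checkUpgrade(req, sessionToken) {
  const host = String(req.headers.host || '').toLowerCase();
  // 1. Host must name the loopback listener, which defeats DNS rebinding.
  if (!ALLOWED_HOSTS.has(host)) return { ok: false, reason: 'bad-host' };
  // 2. Browsers attach Origin to every WebSocket handshake and page script
  //    cannot override it, so a foreign, "null" or missing Origin is refused.
  const origin = String(req.headers.origin || '').toLowerCase();
  if (!ALLOWED_ORIGINS.has(origin)) return { ok: false, reason: 'bad-origin' };
  // 3. Require a per-session secret that only the legitimate UI was given.
  const token = new URL(req.url, `http://${host}`).searchParams.get('token');
  if (!constantTimeEqual(token, sessionToken)) return { ok: false, reason: 'bad-token' };
  return { ok: true, reason: 'accepted' };
}

// Constructed handshakes: the real UI, a third-party page, a rebinding attempt,
// and a same-origin request that lacks the session token.
const TOKEN = 'constructed-session-token';
const SAMPLES = [
  { url: `/ws?token=${TOKEN}`, headers: { host: `localhost:${PORT}`, origin: `http://localhost:${PORT}` } },
  { url: `/ws?token=${TOKEN}`, headers: { host: `localhost:${PORT}`, origin: 'https://news.example' } },
  { url: '/ws', headers: { host: `rebind.example:${PORT}`, origin: `http://rebind.example:${PORT}` } },
  { url: '/ws', headers: { host: `127.0.0.1:${PORT}`, origin: `http://127.0.0.1:${PORT}` } },
];

function runSamples() {
  return SAMPLES.map((req) => checkUpgrade(req, TOKEN).reason);
}

console.log(runSamples());
// Wiring (Node http.Server): on 'upgrade', destroy the socket unless checkUpgrade(...).ok
```

Non-browser clients do not send an Origin header, so a tool that also serves a CLI needs a separate authenticated path rather than a relaxed Origin rule.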

Anthropic's Claude Extension Hijackable by Other Extensions

A security flaw in Anthropic’s Claude in Chrome extension enabled other browser extensions to hijack the AI agent. The issue allowed malicious prompts to trigger unauthorized actions and access sensitive browser-connected data. This demonstrates how AI assistants can extend the browser attack surface, posing new risks for users who rely on them for productivity.

Fake Claude Installer Campaign Delivers Malware

An InstallFix campaign used fake Claude AI installer pages promoted through Google Ads to infect Windows and macOS users. Victims were tricked into running commands that launched multi-stage malware. The malware stole browser data, disabled security protections, and established persistence through scheduled tasks, highlighting the danger of AI-themed social engineering.

Vulnerabilities and Patches

Progress Patches Critical MOVEit Automation Flaws

Progress has alerted customers to two serious vulnerabilities: CVE-2026-4670, a critical authentication bypass in MOVEit Automation managed file transfer software allowing unauthorized access, and CVE-2026-5174, a privilege escalation flaw. Fixes are available in versions 2025.1.5, 2025.0.9, and 2024.1.8. Organizations using MOVEit Automation should prioritize patching to prevent exploitation.

Ivanti Fixes Zero-Day EPMM Vulnerability

Ivanti has addressed CVE-2026-6973, a high-severity Endpoint Manager Mobile vulnerability that was exploited as a zero-day. The flaw affects EPMM version 12.8.0.0 and earlier, allowing attackers with administrator permissions to run remote code. Hundreds of appliances may be at risk, making immediate patching crucial for mobile device management environments.
