Cybersecurity Headlines
Cybersecurity Headlines

Instructure's agreement, Shai Hulud campaign, OpenAI's Daybreak

8 min
May 13, 202618 days ago
Listen to Episode
Summary

This episode covers major cybersecurity incidents including Instructure's controversial settlement with Shiny Hunters, the Shai Hulud supply chain attack targeting developer credentials across NPM packages, and OpenAI's new Daybreak cybersecurity initiative. Additional stories include EU surveillance tech exports, Android intrusion logging, encrypted RCS messaging, and attacks on West Pharmaceutical and RubyGems.

Insights
  • Threat actors are increasingly targeting the software supply chain by compromising developer credentials and package repositories, with sophisticated techniques like orphan commits and valid token exploitation making malicious packages appear cryptographically legitimate
  • Ransomware attackers may avoid claiming responsibility when ransom payments are made, making attribution and impact assessment difficult for victims and security researchers
  • Major tech companies are deploying AI-powered security models (OpenAI Daybreak, Anthropic Mythos) for vulnerability detection, signaling a shift toward AI-native security testing despite regulatory concerns
  • Geofencing and environment detection in malware suggests threat actors are avoiding detection in specific regions, likely to evade law enforcement or sandbox analysis
  • Cross-platform encryption standards (RCS E2E) and forensic logging (Android Intrusion Logging) represent vendor moves to address detection gaps in advanced attacks
Trends
Supply chain attacks evolving to exploit valid authentication tokens and package manager infrastructureAI-powered vulnerability scanning becoming standard security practice for major cloud providers and government agenciesMalware implementing geofencing and environment detection to avoid specific jurisdictions and analysis environmentsIncreased focus on forensic logging and detection capabilities for advanced persistent threats on mobile devicesCross-platform encryption standards emerging as vendors address messaging security gapsRansomware attacks on critical infrastructure (pharma) causing extended business disruption with unclear attributionPackage manager security becoming critical attack vector with coordinated malicious package campaignsGovernment-vendor partnerships for AI security model testing and deployment accelerating despite regulatory uncertaintySurveillance technology export regulation enforcement gaps in EU despite 2021 regulationsThreat actor operational security improving with probabilistic wipe commands and selective execution logic
Companies
Instructure
EdTech platform Canvas reached controversial settlement with Shiny Hunters after data breach, claiming stolen data wa...
OpenAI
Launched Daybreak, a new cybersecurity initiative using GPT-5 models to identify vulnerabilities and propose fixes in...
Anthropic
Pentagon deploying Mythos model to detect vulnerabilities across U.S. government systems despite planned product removal
Google
Announced Android Intrusion Logging feature with Amnesty International and launched cross-platform encrypted RCS with...
Apple
Partnered with Google on end-to-end encrypted RCS messaging rollout for iOS 26.5 with default encryption enabled
Microsoft
Reached agreement with U.S. Commerce Department to test AI models for security vulnerabilities before general release
Endor Labs
Security firm highlighted novel attack technique in Shai Hulud campaign using orphan commits in GitHub fork storage
West Pharmaceutical Services
Pharma giant suffered ransomware attack on May 4th causing global business disruption with unclear attribution
RubyGems
Ruby package manager suspended new account signups after major malicious attack impacting hundreds of packages
TAN Stack
NPM project targeted by Shai Hulud campaign with malicious packages using valid OpenID Connect tokens
Minstrel AI
Project affected by Shai Hulud supply chain attack spreading malicious packages across multiple repositories
OpenSearch
Project targeted in Shai Hulud campaign as malicious packages spread beyond initial TAN Stack compromise
UiPath
Automation platform affected by Shai Hulud campaign malicious package distribution
XAI
Reached agreement with U.S. Commerce Department to test AI models for security vulnerabilities before release
Amnesty International
Partnered with Google to develop Android Intrusion Logging feature for forensic investigation capabilities
Human Rights Watch
Obtained EU export records revealing six member countries sold surveillance tech to countries with human rights abuse...
men.io
Company securing RubyGems announced temporary suspension of new account signups due to major malicious attack
People
Rich Straffolino
Podcast host reporting on cybersecurity headlines for the episode
Quotes
"In things that won't come back to bite them later news, Instructure, the company that makes the edtech platform Canvas, said it reached an agreement with the group that breached their systems twice in two weeks, Shiny Hunters."
Rich StraffolinoOpening segment
"Since these used valid tokens, developers saw them as cryptographically authentic."
Rich StraffolinoShai Hulud campaign segment
"The malware implements geofencing logic to prevent execution when Russian language settings are detected, and includes probabilistic recursive wipe commands if the environment appears to be in Israel or Iran."
Rich StraffolinoShai Hulud campaign segment
"No word from the department on why the change was made, if this materially affects any deal, or they just took down the announcement."
Rich StraffolinoCommerce Department segment
"No known ransomware group has claimed responsibility for the attack, which may indicate that a ransom was paid."
Rich StraffolinoWest Pharmaceutical segment
Full Transcript
From the CISO series, it's Cybersecurity Headlines. These are the Cybersecurity Headlines for Wednesday, May 13, 2026. I'm Rich Straffolino. Instructure reaches an agreement with Shiny Hunters. In things that won't come back to bite them later news, Instructure, the company that makes the edtech platform Canvas, said it reached an agreement with the group that breached their systems twice in two weeks, Shiny Hunters. The company said the group provided evidence that the stolen data from its systems was destroyed and received assurance that Canvas customers would not be extorted. No word on any specific financial terms paid by Instructure or what meaningful assurance they could have possibly received. Shiny Hunters removed Instructure from its leak site. Shai Hulud campaign is back. Since its appearance last September, the campaign by Team PCP has undergone several iterations, all focused on supply chain attacks to steal developer credentials. This latest effort saw the group use valid OpenID Connect tokens to publish dozens of malicious packages for TAN stack on NPM before spreading to other projects such as Minstrel AI, OpenSearch, and UiPath. Since these used valid tokens, developers saw them as cryptographically authentic. Endor Labs highlights a novel trick used by the campaign. an orphan commit pushed to a tan-stack fork, making it accessible through GitHub's shared fork object storage. This commit was then referenced in the malicious dependencies. Once infected, the infostealer malware writes itself to VS Code and Cloud Code auto-run hooks, ensuring it persists even after uninstallation. The malware implements geofencing logic to prevent execution when Russian language settings are detected, and includes probabilistic recursive wipe commands if the environment appears to be in Israel or Iran. OpenAI launches Daybreak This new cybersecurity initiative uses OpenAI codec security and several GPT 5 models to create an editable threat model for a repository with an emphasis on real attack paths and high code It will then test vulnerabilities in a sandbox and propose mitigations and full-out fixes. Daybreak isn't generally available yet. On its launch site, users can request a vulnerability scan or contact sales to request access. Like the Mythos rollout, OpenAI says it's working with industry and government partners to get ready to deploy these kinds of cyber-capable models. EU Members Exporting Surveillance Tech According to export records obtained through Freedom of Information requests by Human Rights Watch, six European Union member countries have exported surveillance tech to countries with previous records of human rights abuses. Bulgaria, the Czech Republic, Denmark, Finland, and Poland sold surveillance technologies to over two dozen countries with documented cases of repressing activists and journalists. This may only represent a subset of the countries involved in the practice as France, Germany, Greece, Italy, and Spain declined to share any export data. The data obtained by Human Rights Watch does not specify the names of the companies exporting the tech. The EU introduced regulations in 2021 to heavily regulate the export of surveillance technologies. And now a huge thanks to our sponsor for today, Doppel. Social engineering attacks look trustworthy. A routine request, an internal email, a familiar face on a call. But Doppel sees through the disguise. Their AI-native platform detects and disrupt attacks across every channel while training employees to recognize deepfakes and deception. They fight relentlessly to protect your business, brand, and people. Doppel, outpacing what's next in social engineering. Learn more at doppel.com. That's D-O-P-P-E-L.com. The government giveth and taketh away AI models. Last week the U Commerce Department announced that it reached an agreement with Google XAI and Microsoft to test these models for security vulnerabilities on their systems ahead of their general release However this week the U Commerce Department announced that it reached an agreement with Google XAI and Microsoft to test these models for security vulnerabilities on their systems ahead of their general release However this week the U Commerce Department removed that announcement from its site No word from the department on why the change was made, if this materially affects any deal, or they just took down the announcement. In related news, the Pentagon announced it's deploying Anthropics Mythos model to look for vulnerabilities across the U.S. government. According to DOD Chief still plans to remove Anthropic products from its work in the coming months, but said that Mythos represented a national security moment. Android gets intrusion logging. Google announced a new feature for Android, developed in partnership with Amnesty International, called Intrusion Logging. This is a feature of Android Advanced Protection Mode and is designed to provide logs specifically made for forensic investigations. These logs will record security incidents such as unlocking, physical access to a device, and the installation or removal of spyware. At launch, this is only available on Android 16 and only on Pixel devices. Amnesty International frames this as the first major vendor to proactively address the challenge of detecting advanced attacks on device. Cross-platform end-to-end encrypted RCS arrives on mobile. Apple and Google announced a beta rollout of end-to-end encrypted rich communication services, or RCS, messaging. The rollout implements the GSM Association's RCS Universal Profile 3.0. This will be available on iOS 26.5 and the latest version of Google Messages, although availability still relies on carrier activation. Encrypted messages will show a lock icon in chat. This feature will be enabled by default, with Apple committing to applying encryption to existing RCS threats as well. Up until now, Android and iOS have each had native end-to-end messaging, but this didn't extend cross-platform. West Pharmaceutical still recovering from ransomware According to filings with the U Securities and Exchange Commission the pharma giant West Pharmaceutical Services suffered a ransomware attack on May 4th causing a proactive shutdown and isolation of affected on infrastructure This caused a temporary disruption to the company's business operations globally. As of this recording, core enterprise systems and processes around shipping, receiving, and manufacturing have restarted at some locations, but the company does not yet have a complete timeline for a full restore. No known ransomware group has claimed responsibility for the attack, which may indicate that a ransom was paid. It's unclear what data was stolen and how many people might have been impacted. RubyGems suspends account signups. The standard package manager for Ruby, creatively named RubyGems, announced it's dealing with a major malicious attack. This has impacted hundreds of packages, although those are mostly targeting RubyGems itself, but some carry active exploits. As a result, it temporarily suspended new account signups. No word on who is behind the attack. The company securing RubyGems, men.io, said it will release more details once it contains the attack. Remember to register for this week's Super Cyber Friday event, Hacking the Cloud Security Playbook. We'll be spending an hour digging into what's changed in cloud security in the age of AI development, what principles are holding fast, and what needs to adapt to the shifting landscape. Head on over to our events page to register. And if you share the event on LinkedIn, you'll have a chance to win some CISO Series swag live on the show. We do it right up front. You'll know if you're a winner. See you there. And if you have some thoughts about the news from today or about the show in general, be sure to reach out to us. Feedback at CISOseries.com. We'd love to hear from you. Reporting for the CISO Series, I'm Rich Drafaleno, reminding you to have a super sparkly day. Cybersecurity headlines are available every weekday. Head to CISOseries.com for the full stories behind the headlines.