Cybersecurity Daily Briefing: May 12, 2026

Coverage: Last 24 hours

Today’s Highlights

Critical supply-chain attacks, AI-driven exploits, and persistent threat exposure highlight the shifting risk landscape for defenders this cycle. Several headline breaches, spanning from SAP platform vulnerabilities to cascading npm/PyPI compromises, demonstrate both heightened attacker automation and the urgent need for security teams to rethink controls across cloud, identity, and CI/CD pipelines. Below are prioritized operational insights and guidance.

Table of Contents

  1. SAP fixes critical vulnerabilities in Commerce Cloud and S/4HANA
  2. Instructure reaches ‘agreement’ with ShinyHunters to stop data leak
  3. GM agrees to $12.75M California settlement over sale of drivers’ data
  4. Official CheckMarx Jenkins package compromised with infostealer
  5. New GhostLock tool abuses Windows API to block file access
  6. Instructure confirms hackers used Canvas flaw to deface portals
  7. Why Changing Passwords Doesn’t End an Active Directory Breach
  8. Google: Hackers used AI to develop zero-day exploit for web admin tool
  9. Instructure Reaches Ransom Agreement with ShinyHunters to Stop 3.65TB Canvas Leak

Top Stories


SAP fixes critical vulnerabilities in Commerce Cloud and S/4HANA

Source: BleepingComputer | Risk: High | Impacted: SAP Commerce Cloud admins, S/4HANA deployments, Enterprises relying on SAP for core business functions

Summary: SAP released its May 12, 2026 security updates, patching two critical vulnerabilities: one in Commerce Cloud (CVE-2026-34263) allowing unauthenticated code execution due to improper authentication, and one in S/4HANA (CVE-2026-34260) enabling SQL injection by low-privileged users. Additional fixes address one high-severity and eleven medium-severity issues. No evidence of in-the-wild exploitation was found.

Why it matters: SAP internet-facing environments could be subject to privilege escalation or remote code execution if these flaws are exploited, risking business interruption and exposure of sensitive data.

Practitioner Perspective

Organizations running SAP Commerce Cloud and S/4HANA are directly threatened by the newly addressed CVE-2026-34263 and CVE-2026-34260, which allow unauthenticated code execution and SQL injection by low-privileged users respectively. Even though there is no current evidence of active exploitation, the exploitability of these flaws means attacks in the window after patch release are very likely: exploit code and scanning often follow SAP advisories closely, so timely patching is not optional. Validate that all SAP instances, including non-production and shadow environments, receive these patches quickly. The priority is minimizing the window between release and deployment for business-critical SAP services.

Recommended Actions

  • Deploy SAP patches for CVE-2026-34263 (Commerce Cloud) and CVE-2026-34260 (S/4HANA) to all impacted systems immediately
  • Validate patch levels across all internet-facing and internal SAP instances

Instructure reaches ‘agreement’ with ShinyHunters to stop data leak

Source: BleepingComputer | Risk: High | Impacted: Educational institutions using Canvas LMS, Students and staff with Canvas accounts, Organizations sharing data with Instructure

Summary: Instructure, the company behind Canvas, confirmed it has reached an agreement with the ShinyHunters hacking group, which included returning the stolen 3.6 TB of data and providing logs confirming its destruction. The company said no customers will be personally extorted and that normal monitoring of Canvas environments should continue. It continues investigating the incident.

Why it matters: Negotiating over stolen datasets may stall leaks short-term but does not address the underlying risk of massive third-party data exposure, especially for regulated or high-trust SaaS platforms.

Practitioner Perspective

Any organization using Canvas or connected to the Instructure data ecosystem should factor this incident into its data residency and incident response planning. While the agreement may prevent widespread publication of stolen records, there is no cryptographic guarantee of total data destruction after extortion negotiations. Defenders should treat the dataset as potentially compromised and anticipate privacy risk. Proactive monitoring for downstream use of exposed records, such as phishing or social engineering, is necessary, and incident simulations should assume that re-extortion or a partial leak remains possible. Focus now should be on containment, notification, and preparing for credential resets or ID theft assistance if required.

Recommended Actions

  • Monitor for suspicious activity targeting Canvas user credentials post-incident
  • Review data sharing agreements with Instructure and update breach notification playbooks

GM agrees to $12.75M California settlement over sale of drivers’ data

Source: BleepingComputer | Risk: Medium | Impacted: Automotive OEMs and service providers, IoT data brokers, Enterprise privacy and compliance teams

Summary: General Motors has agreed to a $12.75 million settlement with California authorities over allegations that between 2020 and 2024 it collected and sold drivers’ location and driving behavior data via its OnStar “Smart Driver” program without consent. The deal requires GM to pay the civil penalty, stop selling such data for five years, delete retained data within 180 days unless consent is given, ask brokers to remove the data, and implement stronger privacy controls.

Why it matters: Unregulated data aggregation and sale from connected vehicles generates regulatory liability and reputational damage, with increased exposure if privacy controls are not proactively strengthened.

Practitioner Perspective

Automotive OEMs and any business aggregating large-scale IoT data, especially those with consumer location, telematics, or behavioral telemetry, should reexamine their lawful basis for data collection, retention, and broker sharing practices. The GM settlement highlights the exposure that arises when data usage policy, actual practice, and regulatory expectation are misaligned. Scrutiny of automotive data flows will only intensify, with significant risk for organizations not using explicit user consent and verifiable deletion guarantees. Security teams need to pressure-test data inventory, policy enforcement, and customer opt-out mechanics. Priority: treat sensitive telemetry and location data as high-risk assets with lifecycle controls equal to regulated PII.

Recommended Actions

  • Audit OnStar Smart Driver and similar vehicle data collection programs for user consent status
  • Purge retained telematics datasets lacking current user consent within the new 180-day mandate

Official CheckMarx Jenkins package compromised with infostealer

Source: BleepingComputer | Risk: High | Impacted: Jenkins environments running Checkmarx plugins, Software development teams leveraging AST workflows, Cloud platforms integrating via Jenkins pipelines

Summary: A malicious version of the Checkmarx Jenkins AST plugin (version 2026.5.09) was published on the Jenkins Marketplace by the TeamPCP group, using credentials stolen in the earlier Trivy breach. The compromised plugin contained infostealer malware, prompting users to assume credential compromise, rotate secrets, and investigate for lateral movement.

Why it matters: Malicious core plugins distributed via trusted Jenkins Marketplace channels enable attackers to harvest credentials and move laterally in CI/CD environments where Jenkins secrets bridge internal networks and cloud services.

Practitioner Perspective

If you installed or upgraded the Checkmarx AST plugin for Jenkins since the referenced compromise (version 2026.5.09), operate under the presumption of secret theft and initial foothold. The TeamPCP group’s use of stolen Trivy credentials demonstrates attackers’ coordination and re-use of access across security and DevOps ecosystems. All secrets managed by Jenkins, particularly those used for Checkmarx, should be rotated, and audit trails from the time of plugin use should be reviewed for unusual pipeline behavior. Security teams must also evaluate their reliance on third-party marketplace plugins where provenance checks alone can’t guarantee safety. The central risk is undetected lateral or cloud escalation from buried CI/CD malware.

Recommended Actions

  • Identify installations of Checkmarx Jenkins AST plugin 2026.5.09 and immediately uninstall or revert to clean versions
  • Rotate all Jenkins-managed credentials and tokens used by Checkmarx integrations
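The first recommended action above starts with an inventory: which controllers have the plugin, and at which version. The following PowerShell is an added example, not code from the article, from Checkmarx or from the Jenkins project. It queries each controller's own plugin-manager JSON API and reports plugins whose name matches a wildcard, marking those at the version named in the advisory. The controller URLs, the account and the name pattern are placeholders; the API token must belong to a user allowed to read the plugin manager.

```powershell
# Added example (not from the article, Checkmarx or Jenkins): inventory installed
# plugins across Jenkins controllers and flag the Checkmarx AST plugin at the
# compromised version. Assumes each controller exposes /pluginManager/api/json and
# that $Credential holds a Jenkins user name plus API token (placeholders below).

function Find-JenkinsPluginVersion {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ControllerUrl,
        [Parameter(Mandatory)] [pscredential] $Credential,   # user name + API token
        [string] $NamePattern = '*checkmarx*',              # placeholder wildcard on shortName/longName
        [string] $Version = '2026.5.09'                      # version named in the advisory
    )

    # Jenkins accepts HTTP basic auth with user:apitoken for its JSON API.
    $pair = '{0}:{1}' -f $Credential.UserName, $Credential.GetNetworkCredential().Password
    $auth = @{ Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair)) }

    foreach ($url in $ControllerUrl) {
        try {
            $resp = Invoke-RestMethod -Uri ('{0}/pluginManager/api/json?depth=1' -f $url.TrimEnd('/')) `
                                      -Headers $auth -TimeoutSec 30
        } catch {
            Write-Warning "$url unreachable: $($_.Exception.Message)"
            continue
        }
        foreach ($p in $resp.plugins) {
            if (($p.shortName -like $NamePattern) -or ($p.longName -like $NamePattern)) {
                [pscustomobject]@{
                    Controller  = $url
                    ShortName   = $p.shortName
                    LongName    = $p.longName
                    Version     = $p.version
                    Active      = $p.active
                    Compromised = ($p.version -eq $Version)
                }
            }
        }
    }
}

# Usage: list every matching plugin, then act on the ones at the compromised version.
$cred = Get-Credential -Message 'Jenkins user and API token'
$controllers = 'https://jenkins-a.example.internal', 'https://jenkins-b.example.internal'   # placeholders
Find-JenkinsPluginVersion -ControllerUrl $controllers -Credential $cred |
    Where-Object Compromised | Format-Table -AutoSize
```

Every controller that reports Compromised = True is the scope for the uninstall/revert and for the credential rotation in the second action; a controller that was upgraded to the version and later downgraded still needs the rotation, so check the controller's update history, not only the current inventory.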

New GhostLock tool abuses Windows API to block file access

Source: BleepingComputer | Risk: Medium | Impacted: Windows file server administrators, IT support teams managing SMB shares, Business units relying on high-availability file access

Summary: A researcher released GhostLock, a proof-of-concept tool that exploits the Windows CreateFileW API and its dwShareMode parameter to exclusively lock files, locally or over SMB, causing access failures without encryption. The tool runs without elevated privileges and access is restored once sessions end or systems reboot.

Why it matters: Non-privileged API misuse can facilitate targeted file and share denial of service, disrupting business operations or data recovery processes even without traditional malware deployment.

Practitioner Perspective

IT and security teams supporting Windows infrastructure must recognize that the GhostLock proof of concept leverages legitimate file sharing semantics to create disruptive, hard-to-trace outages. Exploit tools that weaponize dwShareMode can be used by insiders or malware to selectively lock mission-critical files, locally and over SMB, without requiring admin rights or deploying ransomware. This new attack surface bypasses many classic endpoint controls and can outpace current alerting. Defensive focus should be on monitoring anomalous file handle locking, especially on shares critical to business or DR procedures. A rapid incident response protocol for share denial and session management is prudent.

Recommended Actions

  • Monitor for abnormal file and share locking patterns using Windows CreateFileW with exclusive dwShareMode
  • Identify and review any non-privileged sessions exhibiting persistent file locks outside normal usage
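A lock taken through dwShareMode leaves a recognisable footprint on a file server: one SMB session holding open handles on an unusual number of files under the affected share. The PowerShell below is an added example, not code from the article or from the GhostLock author. It groups open SMB handles by session, reports sessions above a threshold on named shares, and closes a session to release its handles. It assumes Windows Server with the SmbShare module (Get-SmbShare, Get-SmbOpenFile, Close-SmbSession) run as an administrator; the share names and the threshold are placeholders to tune for the host.

```powershell
# Added example (not from the article or the GhostLock author): find SMB sessions
# holding many open handles on business-critical shares and close the offending
# session. Assumes the SmbShare module and administrator rights; share names and
# the threshold are placeholders.

function Find-SuspiciousSmbLocks {
    [CmdletBinding()]
    param(
        # Shares whose availability matters most (placeholder names)
        [string[]] $CriticalShare = @('Finance', 'Backups', 'DR'),
        # One session holding at least this many handles on those shares is reported
        [int] $Threshold = 25
    )

    # Open-file records carry the local path of each file, so resolve each critical
    # share to the directory it exports and match on that prefix.
    $roots = Get-SmbShare |
        Where-Object { $CriticalShare -contains $_.Name -and $_.Path } |
        ForEach-Object { $_.Path.TrimEnd('\') + '\' }
    if (-not $roots) { Write-Warning 'None of the named shares exist on this host.'; return }

    Get-SmbOpenFile |
        Where-Object {
            $filePath = $_.Path
            $roots | Where-Object { $filePath.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) }
        } |
        Group-Object SessionId |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                SessionId          = $first.SessionId
                ClientUserName     = $first.ClientUserName
                ClientComputerName = $first.ClientComputerName
                HandleCount        = $_.Count
                SampleFiles        = (($_.Group | Select-Object -First 3).Path) -join '; '
            }
        }
}

function Close-SuspiciousSmbSession {
    # Response step: closing the SMB session releases every handle it holds, so the
    # locked files become reachable again without waiting for a reboot.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)] [uint64] $SessionId)
    process {
        if ($PSCmdlet.ShouldProcess("SMB session $SessionId", 'Close-SmbSession')) {
            Close-SmbSession -SessionId $SessionId -Force
        }
    }
}

# Usage: review the hits, confirm none is a legitimate backup or indexing job, then close.
$hits = Find-SuspiciousSmbLocks -CriticalShare 'Finance', 'Backups' -Threshold 25
$hits | Format-Table -AutoSize
# $hits | Close-SuspiciousSmbSession -WhatIf      # drop -WhatIf to actually close
```

Two caveats. Get-SmbOpenFile only sees handles opened through SMB, so a lock taken by a process on the file server itself is visible only through local handle enumeration on that host (for example `openfiles /query` after `openfiles /local on`, which takes effect after a reboot). And backup agents, antivirus and search indexers legitimately hold many handles, so measure their normal handle counts before setting the threshold, or the first hit will be your own backup job.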

Instructure confirms hackers used Canvas flaw to deface portals

Source: BleepingComputer | Risk: Medium | Impacted: Canvas LMS administrators, Educational institutions with public SaaS portals, Users of Canvas Free-for-Teacher environments

Summary: Instructure confirmed that attackers exploited multiple cross-site scripting vulnerabilities in Canvas, particularly within its Free-for-Teacher environment, to hijack admin sessions and modify login portals with an extortion message demanding ransom by May 12. No additional data was compromised during the defacement, and Canvas was taken offline and then restored by May 9.

Why it matters: Attackers can achieve unauthorized administrative actions across widely deployed SaaS portals when persistent XSS flaws go unpatched, enabling ransom and reputational events without breaking into underlying infrastructure.

Practitioner Perspective

Education-sector security staff with Canvas exposure must treat cross-site scripting as a business continuity risk, not just a nuisance. This incident proves attackers will exploit XSS on public teacher portals for admin session hijack and ransom-style threats, disrupting both login flows and trust in the underlying platform. Blind spots in SaaS patching mean even non-core environments (like Free-for-Teacher infrastructure) can become the locus of high-visibility extortion. Revisit patch hygiene, session scopes, and admin tool segregation for all exposed SaaS; the risk here is not data exfiltration but platform defacement and loss of operational integrity.

Recommended Actions

  • Validate patch status of all public-facing Canvas environments, with focus on XSS mitigation
  • Review admin session scopes and implement renewal or re-auth policies for privileged sessions

Why Changing Passwords Doesn’t End an Active Directory Breach

Source: BleepingComputer | Risk: High | Impacted: Active Directory administrators, Hybrid Entra ID tenants, Organizations recovering from directory compromise

Summary: The article explains that simply changing a password during an Active Directory or hybrid Entra ID breach isn’t sufficient to fully cut off attackers. Cached credentials, valid Kerberos tickets, service account exposures, forged tickets (e.g., Golden or Silver Tickets), and lingering ACL-based privileges can all allow attackers to maintain or regain access despite password resets. Complete remediation requires terminating sessions, purging tickets, rotating service account credentials, resetting the KRBTGT account twice, and auditing directory permissions.

Why it matters: Persisting AD tokens, cached credentials, and forged tickets can allow attackers to maintain domain control even if passwords are changed, causing defenders to underestimate overall exposure.

Practitioner Perspective

Active Directory and Entra ID administrators must recognize that resetting user passwords in response to compromise is ineffective when attackers hold Kerberos tickets, golden tickets, or have changed ACLs. Short-term mitigations often leave session and service account artifacts untouched, giving adversaries time for privilege escalation or to re-establish persistence. A complete recovery cycle demands session purging, service account credential rotation, and, importantly, resetting the KRBTGT account to invalidate existing tickets. If these deeper corrective actions are omitted, expect attacker persistence and potential repeated breaches. The single most important step is full session and key turnover after a suspected directory breach.

Recommended Actions

  • Purge all cached Kerberos tickets and invalidate existing access tokens after a breach
  • Reset the AD KRBTGT account twice to break golden/silver ticket persistence
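The two actions above are easy to state and easy to get wrong: the second KRBTGT reset has to wait until the first has replicated to every writable domain controller and until tickets issued under the old key have aged out, otherwise every outstanding ticket fails at once and the remediation becomes an outage. The PowerShell below is an added example, not code from the article. It scripts the double reset with those two checks and purges cached tickets on a list of hosts. It assumes the ActiveDirectory RSAT module, Domain Admin rights, and PowerShell remoting to the hosts; $MaxTicketLifetimeHours mirrors the domain's "Maximum lifetime for user ticket" Kerberos policy (10 hours by default), and the host names are placeholders.

```powershell
# Added example (not from the article): a KRBTGT double reset with replication and
# ticket-lifetime checks, plus ticket purging on selected hosts. Assumes the
# ActiveDirectory module, Domain Admin rights and PowerShell remoting; host names
# and the 10-hour lifetime are placeholders to match your domain's Kerberos policy.

function Reset-KrbtgtOnce {
    # One reset. The password value never matters (the KDC uses keys derived from it),
    # so 32 random bytes replace any human-chosen string.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $secret = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    if ($PSCmdlet.ShouldProcess('krbtgt', 'Set-ADAccountPassword -Reset')) {
        Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $secret
    }
    return (Get-ADUser krbtgt -Properties PasswordLastSet).PasswordLastSet
}

function Wait-KrbtgtReplicated {
    # Poll every writable DC until all report the new PasswordLastSet. A lagging DC
    # would otherwise keep issuing tickets under the previous key.
    param([Parameter(Mandatory)] [datetime] $ExpectedPasswordLastSet, [int] $TimeoutMinutes = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $behind = Get-ADDomainController -Filter { IsReadOnly -eq $false } | Where-Object {
            (Get-ADUser krbtgt -Server $_.HostName -Properties PasswordLastSet).PasswordLastSet -lt $ExpectedPasswordLastSet
        }
        if (-not $behind) { return $true }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    Write-Warning ('Still behind after timeout: ' + ($behind.HostName -join ', '))
    return $false
}

function Test-KrbtgtSecondResetSafe {
    # The second reset must wait out the maximum ticket lifetime after the first, so
    # legitimate tickets issued under the old key expire on their own. Two back-to-back
    # resets invalidate every ticket at once and break authentication domain-wide.
    param([int] $MaxTicketLifetimeHours = 10)
    $last = (Get-ADUser krbtgt -Properties PasswordLastSet).PasswordLastSet
    return ((Get-Date) - $last).TotalHours -ge $MaxTicketLifetimeHours
}

function Invoke-KrbtgtResetStep {
    # Run with -Step 1 on day one and -Step 2 only after the ticket lifetime has passed.
    param([Parameter(Mandatory)] [ValidateSet(1, 2)] [int] $Step, [int] $MaxTicketLifetimeHours = 10)
    if ($Step -eq 2 -and -not (Test-KrbtgtSecondResetSafe -MaxTicketLifetimeHours $MaxTicketLifetimeHours)) {
        throw "Less than $MaxTicketLifetimeHours h since the last reset; wait before step 2."
    }
    $stamp = Reset-KrbtgtOnce
    if (-not (Wait-KrbtgtReplicated -ExpectedPasswordLastSet $stamp)) {
        throw 'Reset not replicated everywhere; fix replication before going on.'
    }
    "Step $Step complete; krbtgt PasswordLastSet is now $stamp"
}

function Clear-KerberosTicketsOnHosts {
    # Purge cached tickets for the remoting session and for the SYSTEM logon session
    # (LUID 0x3e7) on each host, so services stop reusing tickets from before the reset.
    param([Parameter(Mandatory)] [string[]] $ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        klist purge | Out-Null
        klist purge -li 0x3e7 | Out-Null
        "$env:COMPUTERNAME purged"
    }
}

# Day 1:               Invoke-KrbtgtResetStep -Step 1
# After >= 10 hours:   Invoke-KrbtgtResetStep -Step 2
#                      Clear-KerberosTicketsOnHosts -ComputerName 'dc01', 'app01', 'jump01'   # placeholder hosts
```

Note that `klist purge` only clears the logon session it runs in: interactive users' tickets go away when they log off, and tickets an attacker already exported are invalidated by the KRBTGT reset itself, not by any purge. For hybrid tenants the cloud side needs its own step, since Entra ID refresh tokens survive an on-premises reset and have to be revoked separately.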

Emerging Signals


Instructure Reaches Ransom Agreement with ShinyHunters to Stop 3.65TB Canvas Leak

Source: The Hacker News | Risk: High | Impacted: SaaS providers managing user data, Education sector data privacy teams, End users of Canvas or similar platforms

Summary: Instructure, the parent company of Canvas, said it has reached an agreement with the hacker group ShinyHunters, who had stolen about 3.65 TB of Canvas data, to prevent the leak of that information.

Why it matters: Settling with extortion groups to prevent mass data leak may incentivize future attacks and leaves organizations exposed to reputational and compliance fallout if stolen records later resurface.

Practitioner Perspective

Any sector handling high-volume user or student data, especially SaaS providers like Instructure, should not treat negotiated settlements as final resolution. Attackers have a proven track record of breaking data erasure promises, and secondary extortion risks linger for months or years. Organizations subject to this type of negotiated breach need to prepare for recurring disclosure, phishing, and possibly regulatory action. Focus now should be on layered contingency planning: assume the data may eventually leak and communicate openly with affected users about risks and remediation options.

Recommended Actions

  • Activate long-term monitoring and user notification plans for possible resurfacing of leaked Instructure datasets
  • Coordinate with legal/compliance for breach notification and regulatory engagement if new exposures occur

Exploits & CVEs


Google: Hackers used AI to develop zero-day exploit for web admin tool

Source: BleepingComputer | Risk: High | Impacted: Admins of open-source web admin tools, IT teams managing web application infrastructure, Organizations relying on default authentication flows

Summary: Google’s security team intercepted a zero-day exploit, likely generated by AI, that bypassed two-factor authentication in a popular open-source web administration tool. Although the tool’s name remains undisclosed, Google identified AI-like characteristics in the exploit’s Python code, such as explanatory docstrings and hallucinated severity scores, and disrupted the attack before it could be widely used.

Why it matters: The emergence of AI-generated exploits rapidly accelerates the timeline for zero-day weaponization against popular open-source infrastructure, eroding defenders’ ability to rely on traditional patch and detection cycles.

Practitioner Perspective

Organizations running or maintaining web admin tooling must anticipate a reduced dwell time between vulnerability discovery and exploitation, as attackers use AI to rapidly shape new attack paths. Google’s identification of AI-augmented code in this zero-day demonstrates that security controls, especially those reliant on signature-based anomaly detection or static code review, are at risk of obsolescence if not updated to detect machine-generated logic. Continuous review of authentication flows, particularly MFA bypass, is mandatory for open-source infrastructure maintainers. The main priority is staying proactive on threat intelligence rather than relying on legacy security models that real-world exploit automation has already outpaced.

Recommended Actions

  • Review all MFA mechanisms in use for open-source admin tools and check for MFA bypass exposures
  • Monitor for exploit attempts leveraging AI-generated payloads, especially in Python-based tools

Defensive Actions

  • Immediately rotate all secrets and tokens exposed to compromised TanStack and Mistral npm packages
  • Audit all npm, PyPI, and Composer package dependencies for inadvertent inclusion of infected versions
  • Hunt for unauthorized GitHub Actions or OIDC workflow modifications linked to the affected packages
  • Block all package versions implicated in Shai Hulud supply-chain incidents in artifact repositories
  • Monitor for anomalous credential usage in cloud provider and developer SSO logs
  • Review and harden SAP authentication and privilege boundaries, focusing on custom integrations
  • Require password resets and session invalidation for Canvas users if credentials are reused elsewhere
  • Rotate all Jenkins-managed credentials and tokens used by Checkmarx integrations
  • Prepare response protocols for terminating disruptive SMB sessions
  • Reset the AD KRBTGT account twice to break golden/silver ticket persistence

What We’re Watching

  • Increasing automation and sophistication in software supply-chain attacks targeting npm, PyPI, Composer, and AI/ML libraries.
  • Risk from negotiated breach settlements and their impact on user privacy and regulatory posture.
  • Rapid reduction in the window from vulnerability disclosure to broad exploit availability through AI-powered development.
  • Reassessment of data privacy controls in automotive IoT and telematics amid tightening regulations.
  • Growing realization that legacy response steps such as password resets are inadequate for modern identity and session attack persistence.


Categories: Cybersecurity Blog, Cybersecurity News
