Weekly Cyber Threat Landscape: Major Breaches, AI Vulnerabilities, and Critical Patches (May 11)

Top Attacks and Breaches

This week has seen a series of high-impact security incidents affecting organizations across education, retail, media, and automotive sectors. Below are the key breaches that have come to light.

Source: research.checkpoint.com

Instructure (Canvas) Data Breach

The U.S. education technology firm Instructure, known for its widely used Canvas learning management platform, has confirmed a significant data breach in its cloud-hosted environment. Exposed records include student and staff personally identifiable information as well as private messages. The attack escalated when the threat actor group ShinyHunters defaced hundreds of school login portals with ransom demands, adding extortion to the data theft.

Zara/Inditex Third-Party Breach

Zara, flagship brand of the Spanish fashion conglomerate Inditex, suffered a data breach tied to a third-party technology provider. Inditex acknowledged unauthorized access, and security experts confirmed that 197,400 unique email addresses, order IDs, purchase histories, and customer support tickets were exposed. While payment information was not compromised, the leaked data poses significant privacy and phishing risks.

Mediaworks Extortion Attack

Hungarian media conglomerate Mediaworks, which operates dozens of newspapers and online outlets, fell victim to a data-theft extortion attack. The company confirmed an intrusion after the group World Leaks posted 8.5 terabytes of internal files online. Exposed data reportedly includes payroll records, contracts, financial documents, and internal communications, indicating a comprehensive compromise of the organization’s network.

Škoda Online Shop Compromise

Czech automaker Škoda has confirmed a security incident affecting its official online shop. Attackers exploited a software vulnerability to gain unauthorized access to the e-commerce platform. Exposed customer data may include names, contact details, order history, and login credentials. However, the company stated that passwords and payment card data were not affected in this incident.


Emerging AI Threats

New research has revealed critical vulnerabilities in popular AI tools and campaigns targeting AI users. These findings underscore the growing attack surface introduced by AI assistants and coding agents.

Critical WebSocket Hijacking in Cline AI Agent

Security researchers uncovered a WebSocket hijacking vulnerability in Cline’s local Kanban server, affecting the widely used open-source AI coding agent. With a CVSS score of 9.7 (Critical), the flaw allowed any website visited by a developer to exfiltrate workspace data and inject arbitrary commands into the AI agent. The issue has been patched in version 0.1.66.
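The summary above gives no root-cause detail, so the following is an added example (not Cline's code and not its patch) of the handshake checks that generally protect a localhost WebSocket server against cross-site WebSocket hijacking. The port, allowlists, function names and the token-in-query scheme are assumptions made for illustration.

```javascript
// Added example: upgrade-request checks for a localhost WebSocket server.
// ALLOWED_ORIGINS, ALLOWED_HOSTS, checkUpgrade and port 3484 are hypothetical.
const ALLOWED_ORIGINS = new Set(["http://127.0.0.1:3484", "http://localhost:3484"]);
const ALLOWED_HOSTS = new Set(["127.0.0.1:3484", "localhost:3484"]);

// Compare without returning early on the first mismatching character.
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string") return false;
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i % (b.length || 1));
  }
  return diff === 0;
}

// headers: lower-cased header map of the HTTP upgrade request.
// url: request target; sessionToken: random secret generated per server launch.
function checkUpgrade(headers, url, sessionToken) {
  // Browsers attach Origin to every WebSocket handshake and page script
  // cannot override it, so a foreign origin identifies a cross-site page.
  const origin = headers["origin"];
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) {
    return { ok: false, status: 403, reason: "origin not allowed" };
  }
  // Pinning Host rejects DNS-rebinding names that resolve to 127.0.0.1.
  if (!ALLOWED_HOSTS.has(headers["host"])) {
    return { ok: false, status: 403, reason: "unexpected host" };
  }
  // Non-browser clients send no Origin, so every client must also present the token.
  const token = new URL(url, "http://localhost").searchParams.get("token");
  if (!sessionToken || !safeEqual(token, sessionToken)) {
    return { ok: false, status: 401, reason: "missing or wrong token" };
  }
  return { ok: true, status: 101, reason: "accepted" };
}

// Constructed sample handshakes (not captured traffic).
const TOKEN = "constructed-token-123";
const SAMPLES = [
  { name: "cross-site page", headers: { origin: "https://other-site.example", host: "127.0.0.1:3484" }, url: "/ws" },
  { name: "rebinding host", headers: { host: "rebind.example:3484" }, url: `/ws?token=${TOKEN}` },
  { name: "local tool, no token", headers: { host: "localhost:3484" }, url: "/ws" },
  { name: "own UI", headers: { origin: "http://127.0.0.1:3484", host: "127.0.0.1:3484" }, url: `/ws?token=${TOKEN}` },
];
for (const s of SAMPLES) {
  console.log(s.name, checkUpgrade(s.headers, s.url, TOKEN));
}
```

A token carried in the URL can end up in logs; passing it in `Sec-WebSocket-Protocol` is a common alternative for browser clients.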

Claude Chrome Extension Hijack Vector

A flaw in Anthropic’s Claude in Chrome extension enabled other browser extensions to hijack the AI agent. This vulnerability allowed malicious prompts to trigger unauthorized actions and access sensitive browser-connected data. The discovery highlights how AI assistants can extend browser attack surfaces, making them prime targets for cross-extension exploitation.

InstallFix Campaign: Fake Claude AI Installers

Researchers detailed an InstallFix campaign that used fake Claude AI installer pages promoted through Google Ads. Victims were tricked into running commands that launched multi-stage malware on both Windows and macOS systems. The payload stole browser data, disabled security protections, and established persistence through scheduled tasks, demonstrating the effectiveness of malvertising targeting AI tools.


Critical Vulnerabilities and Patches

Organizations are urged to prioritize patching two serious flaws discovered in widely used enterprise software this week.

Progress MOVEit Automation Vulnerabilities

Progress Software has alerted customers to two vulnerabilities in its MOVEit Automation managed file transfer solution:

Fixes are available in versions 2025.1.5, 2025.0.9, and 2024.1.8. Immediate patching is recommended.

Ivanti Endpoint Manager Mobile Zero-Day

Ivanti has fixed CVE-2026-6973, a high-severity vulnerability in Endpoint Manager Mobile (EPMM) that was exploited as a zero-day. The flaw affects EPMM version 12.8.0.0 and earlier and allows attackers with administrator-level permissions to execute code remotely. Hundreds of appliances remain at risk if not updated to the latest patch.
