Cybersecurity Headlines — Episode Summary

Podcast: Cybersecurity Headlines
Host: Sarah Lane (CISO Series)
Episode Title: Instructure discloses breach, DigiCert revokes certificates, Silver Fox targets Indian and Russian orgs
Date: May 5, 2026

Episode Overview

In this episode, Sarah Lane delivers the day’s essential cybersecurity news, focusing on major breaches and threats impacting organizations globally. Highlights include the Instructure data breach, DigiCert’s revocation of certificates following a malware incident, a new China-linked APT campaign, rising cyber-enabled cargo theft, and several other notable attacks and research findings. The reporting is brisk, authoritative, and geared toward security professionals who need quick, accurate updates.

Key Stories and Discussion Points

1. Instructure Data Breach Amid Leak Threats

[00:08 – 01:07]

Incident: Education software provider Instructure suffered a cyberattack affecting its Canvas platform.
Impacted Data: Attackers accessed names, email addresses, student IDs, and user messages. No passwords or financial data were reported stolen.
Response & Mitigation:
- Instructure rotated API keys, revoked credentials, and engaged forensic experts.
- The issue was reportedly contained.
Threat Actor Claim: The Shiny Hunters group took responsibility, claiming theft of 3.65 terabytes affecting up to 275 million users across almost 9,000 institutions.

Quote [00:14]:
“Attackers accessed names, email addresses, student IDs and user messages, though the company says passwords and financial data weren't involved.” – Sarah Lane

2. DigiCert Certificate Breach

[01:08 – 01:56]

Attack Method: Malware delivered via a customer support chat led to compromise of internal systems.
Impact:
- Attackers exploited support portal access to steal Extended Validation (EV) code signing certificates.
- Some stolen certificates were used to sign malware.
- Approximately 60 certificates were revoked; affected orders canceled.
Company Response:
- Incident contained, no broader system compromise found.
- Enhanced controls: Multi-factor authentication, restricted portal/file upload access.
Quote [01:18]:
“The attackers exploited access to initialization codes and approved orders to generate certificates. Some were used to sign malware…” – Sarah Lane

3. Silver Fox APT Targets India & Russia

[01:57 – 02:36]

Actors Involved: Silver Fox, a China-linked Advanced Persistent Threat (APT) group.
Tactic: Phishing campaigns using tax-themed emails.
Payloads Delivered:
- New malware “ABC Door Backdoor”
- Existing “Valley Rat” malware
Target: Over 1,600 malicious messages observed targeting Indian and Russian organizations via spoofed government notices and malicious attachments.
Objective: Gaining access and establishing persistence with stealthy remote controls.

Quote [02:12]: “Researchers at Kaspersky observed more than 1,600 malicious messages…using spoofed government notices and malicious archives to gain access and establish persistence with stealthy remote controls.” – Sarah Lane

4. Surge in Cyber-Enabled Cargo Theft

[02:37 – 03:20]

FBI Warning: Rising phishing and credential theft aimed at logistics firms, resulting in hijacked shipments.
Tactics:
- Impersonation of brokers/carriers
- Posting fraudulent load listings
- Rerouting and reselling stolen goods
Financial Impact: Estimated $725 million in losses (2025, US & Canada).
Attribution: Linked to organized crime by Proofpoint researchers.

Quote [02:44]: “Criminals infiltrate broker and carrier systems, post fraudulent load listings, reroute deliveries and then resell stolen goods.” – Sarah Lane

5. World Leaks Ransomware Hits Hungarian Mediaworks

[03:28 – 04:01]

Ransomware Group: World Leaks, a rebrand of Hunters International.
Breach Detail: 8.5 terabytes of data leaked, including payroll, contracts, and internal communications.
Potential Political Implications: Leak may contain sensitive editorial discussions related to Russia.
Response: Mediaworks confirmed the breach and started an investigation.

6. “Venomous Helper” Phishing Uses Legitimate RMM Tools

[04:09 – 04:41]

Campaign: “Venomous Helper” targets over 80 US organizations.
Method:
- Spoofed Social Security Administration emails
- Delivery of legitimate remote management tools (Simple Help, Screen Connect) for unauthorized access
Effect: Enables attackers to maintain persistent, stealthy access and move laterally.

7. PyTorch Lightning Supply Chain Attack

[04:42 – 05:08]

Incident: Malicious PyTorch Lightning package on PyPI with an obfuscated JavaScript payload (Shy worm).
Impact:
- Stole credentials, files, tokens, and enabled arbitrary command execution.
- Limited spread; package rolled back to v2.6.1.
Advice: Affected users urged to “rotate all secrets.”

8. UK Online Safety Act — Age Checks Ineffective

[05:09 – 05:37]

Findings: Research by Internet Matters shows:
- 46% of children find age checks easy to bypass (fake birthdays, borrowed IDs, disguises).
- 32% have bypassed controls; 17% of parents assisted.
- Nearly half still encounter harmful content despite regulations.
Quote [05:12]: “Research from Internet Matters finds the UK's new online safety act age checks are largely ineffective, with 46% of children polled saying they're easy to bypass…” – Sarah Lane

Notable Quotes & Memorable Moments

On Shiny Hunters’ bold claim:

“The Shiny Hunters group claims responsibility, alleging it stole 3.65 terabytes of data tied to as many as 275 million users across nearly 9,000 institutions.” [00:29]
On the sophistication of phishing attacks:

“Silver Fox launched a phishing campaign targeting organizations in India and Russia using tax-themed emails to deliver malware…” [01:58]
On AI productivity vs. risk:

“Almost all LLMs will confidently produce seemingly high quality output. But are we setting ourselves up for failure when we mistake confidence for accuracy?” [06:01] (Tease for related episode)

Timestamps — Quick Reference

Instructure breach: 00:08 – 01:07
DigiCert certificate theft: 01:08 – 01:56
Silver Fox APT: 01:57 – 02:36
Cyber cargo theft: 02:37 – 03:20
World Leaks ransomware: 03:28 – 04:01
RMM tool phishing: 04:09 – 04:41
PyTorch Lightning supply chain: 04:42 – 05:08
UK Online Safety Act research: 05:09 – 05:37

Final Thoughts

Sarah Lane wraps the show with a focus on news you can use: from critical breach responses and evolving cybercrime tactics to the limitations of current regulatory approaches. The episode delivers actionable insights, notable threat actor activity, and underlines the growing sophistication and scope of cyber threats across sectors.

For further details and a deeper dive on any headline, listeners are encouraged to visit CISOseries.com.

Transcript

A (0:00)

From the CISO series. It's Cybersecurity Headlines

B (0:07)

these are the cybersecurity headlines for Tuesday, May 5, 2026. I'm Sarah Lane. Instructure discloses breach amid leak threats Education software provider Instructure disclosed a cyber attack that disrupted services tied to API keys and led to a data breach affecting its Canvas platform. Attackers accessed names, email addresses, student IDs and user messages, though the company says passwords and financial data weren't involved. Instructure says its rotated keys, revoked credentials and contained the situation with outside forensic support. The Shiny Hunters group claims responsibility, alleging it stole 3.65 terabytes of data tied to as many as 275 million users across nearly 9,000 institutions. DigiCert revokes Certificates Digicert disclosed a malware attack delivered via a customer support chat, infecting internal systems and pivoting into its support portal to obtain EV code signing certificates. The attackers exploited access to initialization codes and approved orders to generate certificates. Some were used to sign malware, prompting the company to revoke about 60 certificates and cancel affected orders. Digicert says it contained the incident, found no broader system compromise and has since tightened controls like MFA and restricting support portal access and file uploads. Silver Fox Targets Indian and Russian orgs China Linked Advanced Persistent Threat, or APT Group Silver Fox launched a phishing campaign targeting organizations in India and Russia using tax themes emails to deliver malware, including the newly identified ABC Door Backdoor and the already known Valley Rat. Researchers at Kaspersky observed more than 1600 malicious messages with attacks using spoofed government notices and malicious archives to gain access and establish persistence with stealthy remote controls. New wave of Cargo Theft the FBI is warning cyber enabled cargo theft is increasing with phishing fake websites and compromised accounts impersonating logistics firms to hijack shipments. Criminals infiltrate broker and carrier systems, post fraudulent load listings, reroute deliveries and then resell stolen goods. Losses in the US and Canada reached around $725 million in 2025, alongside rising incident severity. Researchers at Proofpoint link the activity to organized crime. Huge thanks to our sponsor, Vanta, risk and regulation are ramp up and customers expect proof of security just to do business. Vanta's automation brings compliance, risk and customer trust together on one AI powered platform. So whether you're prepping for a SoC2 or running an enterprise GRC program, Vanta keeps you secure and keeps your deals moving. Learn more@vanta.com CISO World Leaks claims breach of Hungarian firm Ransomware Group World Leaks says it breached Hungary's media works leaking about 8.5 terabytes of allegedly sensitive data, including payroll records, contracts and internal communications. Media Works confirmed the incident and launched an investigation with warning that using the stolen data could be illegal. While independent outlets reported the leak may include politically sensitive editorial discussions tied to Russia. The group is known as a rebrand of Hunters International and focuses on data theft and extortion. Simple Help and Screen Connect Go Fish. A phishing campaign dubbed Venomous Helper has has targeted more than 80 organizations, mostly in the US using spoofed Social Security Administration emails to trick victims into installing legitimate RMM tools like Simple Help and Screen Connect. Researchers at Securinex say attackers use these tools to establish persistent, stealthy remote access with redundant control channels allowing file transfers, command execution and undetected lateral movement. Pytorch Lightning drops Credential Stealer A malicious version of Pytorch Lightning on Pypi executed a hidden supply chain attack that ran an obfuscated JavaScript payload after import. The payload was identified by Microsoft as Shy worm and steals credentials from browsers, files, files, tokens and cloud services, along with arbitrary command execution. The impact seems limited, but the package has been rolled Back to version 2.6.1. Affected users are urged to rotate all secrets Shocking News Kids can circumvent age checks Research from Internet Matters finds the UK's new online safety act age checks are largely ineffective, with 46% of children polled saying they're easy to bypass, using tactics like fake birthdays, a borrowed ID, or even disguises like a mustache. The survey of more than 1,000 families also shows 32% of kids have bypassed controls 17% of parents admit helping do so. Despite the new rules, 49% of children still report encountering harmful content. Early research is showing that AI provides clear productivity gains, but the ROI is harder to pinpoint. Almost all LLMs will confidently produce seemingly high quality output. But are we setting ourselves up for failure when we mistake confidence for accuracy? That is what we're digging into on the latest episode of the CISO series podcast. Look for the episode AI Confidence. It's a trap wherever you get your podcasts. And if you have thoughts on the news from today or about our show in general, be sure to reach out to us feedbackisoseries.com we'd love to hear from you. I'm Sarah Lane reporting for the CISO series. Stay safe out there and we'll talk to you tomorrow.