
A
From the CISO Series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Wednesday, May 13, 2026. I'm Rich Stroffelino.

Instructure reaches an agreement with Shiny Hunters. In things-that-won't-come-back-to-bite-them-later news, Instructure, the company that makes the edtech platform Canvas, said it reached an agreement with the group that breached their systems twice in two weeks, Shiny Hunters. The company said the group provided evidence that the stolen data from its systems was destroyed and received assurance that Canvas customers would not be extorted. No word on any specific financial terms paid by Instructure or what meaningful assurance they could have possibly received. Shiny Hunters removed Instructure from its leak site.

Shai Hulud campaign is back. Since its appearance last September, the campaign by Team PCP has undergone several iterations, all focused on supply chain attacks to steal developer credentials. This latest effort saw the group use valid OpenID Connect tokens to publish dozens of malicious packages for Tanstack on NPM before spreading to other projects such as Minstrel, AI, OpenSearch and UiPath. Since these used valid tokens, developers saw them as cryptographically authentic. Endor Labs highlights a novel trick used by the an orphan commit pushed to a Tanstack fork, making it accessible through GitHub's shared fork object storage. This commit was then referenced in the malicious dependencies. Once infected, the infostealer malware writes itself to VS Code and Claude Code autorun hooks, ensuring it persists even after uninstallation. The malware implements geofencing logic to prevent execution when Russian language settings are detected, and includes probabilistic recursive wipe commands if the environment appears to be in Israel or Iran.

OpenAI launches Daybreak. This new cybersecurity initiative uses OpenAI's Codex Security and several GPU CT 5.5 models to create an editable threat model for a repository, with an emphasis on real-world attack paths and high-impact code. It will then test vulnerabilities in a sandbox and propose mitigations and full out fixes. Daybreak isn't generally available yet. On its launch site, users can request a vulnerability scan or contact sales to request access. Like the Mythos rollout, OpenAI says it's working with industry and government partners to get ready to deploy these kinds of cyber capable models.

EU members exporting surveillance tech. According to export records obtained through Freedom of Information requests by Human Rights Watch, 6 European Union member countries have exported surveillance tech to countries with previous records of human rights abuses. Bulgaria, the Czech Republic, Denmark, Finland and Poland sold surveillance technologies to over two dozen countries with documented cases of repressing activists and journalists. This may only represent a subset of the countries involved in the practice, as France, Germany, Greece, Italy and Spain declined to share any export data. The data obtained by Human Rights Watch does not specify the names of the companies exporting the tech. The EU introduced regulations in 2021 to heavily regulate the export of surveillance technologies.

And now a huge thanks to our sponsor for today, Doppel. Social engineering attacks look trustworthy: a routine request, an internal email, a familiar face on a call. But Doppel sees through the disguise, and their AI-native platform detects and disrupts attacks across every channel while training employees to recognize deepfakes and deception. They fight relentlessly to protect your business, brand and people. Doppel: outpacing what's next in social engineering. Learn more at doppel.com. That's D-O-P-P-E-L.com.

The government giveth and taketh away AI models. Last week, the U.S. Commerce Department announced that it reached an agreement with Google, xAI and Microsoft to test these models for security vulnerabilities on their systems ahead of their general release. However, this week, the U.S. Commerce Department removed that announcement from its site. No word from the department on why the change was made, if this materially affects any deal or they just took down the announcement. In related news, the Pentagon announced it's deploying Anthropic's Mythos model to look for vulnerabilities across the US government. According to DoD Chief Technology Officer Emil Michael, the Pentagon still plans to remove Anthropic products from its work in the coming months, but said that Mythos represented a national security moment.

Android gets Intrusion Logging. Google announced a new feature for Android developed in partnership with Amnesty International called Intrusion Logging. This is a feature of Android Advanced Protection Mode and is designed to provide logs specifically made for forensic investigations. These logs will record security incidents such as unlocking physical access to a device and the installation or removal of spyware. At launch, this is only available on Android 16 and only on Pixel devices. Amnesty International frames this as the first major vendor to proactively address the challenge of detecting advanced attacks on device.

Cross-platform end-to-end encrypted RCS arrives on mobile. Apple and Google announced a beta rollout of end-to-end encrypted Rich Communication Services, or RCS, messaging. The rollout implements the GSM Association's RCS Universal Profile 3.0. This will be available on iOS 26.5 and the latest version of Google Messages, although availability still relies on carrier activation. Encrypted messages will show a lock icon in chat. This feature will be enabled by default, with Apple committing to applying encryption to existing RCS threads as well. Up until now, Android and iOS have each had native end-to-end messaging, but this didn't extend cross-platform.

West Pharmaceutical still recovering from ransomware. According to filings with the U.S. Securities and Exchange Commission, the pharma giant West Pharmaceutical Services suffered a ransomware attack on May 4, causing a proactive shutdown and isolation of affected on-premise infrastructure. This caused a temporary disruption to the company's business operations globally. As of this recording, core enterprise systems and processes around shipping, receiving and manufacturing have restarted at some locations, but the company does not yet have a complete timeline for a full restore. No known ransomware group has claimed responsibility for the attack, which may indicate that a ransom was paid. It's unclear what data was stolen and how many people might have been impacted.

RubyGems suspends account signups. The standard package manager for Ruby, creatively named RubyGems, announced it's dealing with a major malicious attack. This has impacted hundreds of packages, although those are mostly targeting RubyGems itself, but some carry active exploits. As a result, it temporarily suspended new account signups. No word on who is behind the attack. The company securing RubyGems men IO said it will release more details once it contains the attack.

Remember to register for this week's Super Cyber Friday event, Hacking the Cloud Security Playbook. We'll be spending an hour digging into what's changed in cloud security in the age of AI development, what principles are holding fast and what needs to adapt to the shifting landscape. Head on over to our Events page to register, and if you share the event on LinkedIn, you'll have a chance to win some CISO Series swag live on the show. We do it right up front. You'll know if you're a winner. See you there.

And if you have some thoughts about the news from today or about the show in general, be sure to reach out to us: feedback@cisoseries.com. We'd love to hear from you. Reporting for the CISO Series, I'm Rich Stroffelino, reminding you to have a super sparkly day.
A
Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Host: Rich Stroffelino, CISO Series
Episode Theme:
A daily briefing covering the latest global developments in cybersecurity, with stories focused on breaches, cyber campaigns, AI in security, surveillance exports, and new security features from major tech companies.
On Instructure’s assurance:
“No word on any specific financial terms paid by Instructure or what meaningful assurance they could have possibly received.” – Rich Stroffelino [00:28]
On Shai Hulud attack sophistication:
"Endor Labs highlights a novel trick used by the an orphan commit pushed to a Tanstack fork, making it accessible through GitHub's shared fork object storage." [01:53]
On OpenAI’s Daybreak partnership:
"OpenAI says it's working with industry and government partners to get ready to deploy these kinds of cyber capable models." [02:47]
On the Pentagon’s paradox:
"The Pentagon still plans to remove Anthropic products from its work in the coming months, but said that Mythos represented a national security moment." [04:20]

| Topic | Timestamp |
|-------------------------------------------------|--------------|
| Instructure & Shiny Hunters Agreement | 00:06–01:23 |
| Shai Hulud Campaign Update | 01:24–02:16 |
| OpenAI Daybreak Cybersecurity Initiative | 02:17–02:49 |
| EU Surveillance Exports | 02:50–03:35 |
| US AI Model Testing Announcement Removed | 03:50–04:28 |
| DoD Deploys Anthropic Mythos | 04:20 |
| Android ‘Intrusion Logging’ | 04:29–04:56 |
| Cross-Platform Encrypted RCS Messaging | 04:57–05:30 |
| West Pharmaceutical Ransomware | 05:31–05:53 |
| RubyGems Malicious Attack | 05:54–06:15 |

Tone & Style:
Reportage is fast-paced, dryly humorous, and slightly skeptical—especially about questionable or opaque industry practices. Stroffelino delivers crisp summaries, direct attributions, and moments of pointed commentary.
This episode provides a dense, insightful overview of major threats, evolving defenses (especially AI-driven), and regulatory challenges—ideal for security professionals and anyone tracking developments in cybersecurity.