Here are today’s top cybersecurity stories for Monday, May 11, 2026.
ShinyHunters Claims Second Instructure Canvas Breach — May 12 Leak Deadline Looming
Hours after Instructure declared the Canvas LMS incident resolved on May 8, ShinyHunters claimed a second successful breach through the same Free-For-Teacher account vulnerability. The group is demanding ransom and threatening to release 3.65 terabytes of data — roughly 275 million records spanning 8,809 institutions worldwide — if payment is not received by May 12. Canadian universities, colleges, and K-12 boards using Canvas are included in the affected population. (Source: Dark Reading)
Cushman & Wakefield: ShinyHunters Leaks 50GB Salesforce Dataset After Ransom Talks Fail
Global real estate firm Cushman & Wakefield confirmed a vishing-enabled breach after ShinyHunters published a 50GB archive of Salesforce records following failed ransom negotiations. A second group, Qilin, has also listed the company on its extortion site. The breach stems from a social engineering call that tricked an employee into providing access. Over 500,000 Salesforce records containing personally identifiable information were exfiltrated. (Source: Cybernews)
Microsoft Patch Tuesday Arrives Tomorrow — RedSun, UnDefend, and Secure Boot in Focus
Microsoft’s May 12 Patch Tuesday is expected to address the unpatched RedSun and UnDefend Windows Defender zero-days, both confirmed under active exploitation. The update also represents the last practical deployment window before the June 26 Secure Boot certificate expiration deadline — organizations that miss this cycle face boot-level security failures in under seven weeks. Google Chrome 149 is also anticipated alongside tomorrow’s release. (Source: Help Net Security)
Operation HookedWing: Four-Year Phishing Campaign Steals 2,000+ Credentials From 500 Organizations
SecurityWeek has detailed Operation HookedWing, a sustained credential-harvesting campaign active since 2022 that has targeted aviation, critical infrastructure, energy, financial services, government, logistics, and technology sectors. Attackers send phishing emails impersonating HR departments or colleagues, directing victims to GitHub-hosted pages that simulate Microsoft Outlook login prompts. The operation shows no signs of slowing, with infrastructure still active as of May 2026. (Source: SecurityWeek)
PAN-OS CVE-2026-0300 Patch Begins Rolling Out May 13 — Interim Mitigations Still Required
Palo Alto Networks begins releasing fixes for CVE-2026-0300 tomorrow. The buffer overflow vulnerability in the User-ID Authentication Portal allows unauthenticated root-level remote code execution and has been under limited active exploitation since at least April 9. Full patch coverage across all affected PAN-OS branches does not complete until May 28. Organizations that cannot patch immediately should restrict Portal access to trusted internal IP addresses only. (Source: Help Net Security)
ACSC Warns of ClickFix Campaign Distributing Vidar Stealer via Compromised WordPress Sites
Australia’s Cyber Security Centre issued an alert warning organizations of an active ClickFix campaign using hijacked WordPress sites to deliver Vidar Stealer. The attack overwrites legitimate page content with a fake Cloudflare verification prompt, copies a PowerShell command to the clipboard, and instructs victims to execute it with administrator privileges. Vidar Stealer targets browser credentials, MFA tokens, cryptocurrency wallets, and browsing history, then self-deletes to complicate forensic analysis. (Source: BleepingComputer)
MicroStealer Infostealer Actively Targeting Telecom and Education Sectors
Researchers at Any.Run have documented MicroStealer, an infostealer that has picked up speed since its December 2025 debut, with elevated activity in telecommunications and education environments. The malware spreads through fake software installers hosted on Dropbox and SourceForge and steals browser credentials, session cookies, desktop screenshots, and cryptocurrency wallet files. Its low detection rate among traditional antivirus engines and layered delivery chain give it a significant early-window advantage. (Source: CyberSecurityNews)
Microsoft Edge Stores All Saved Passwords as Plaintext in Process Memory at Startup
A Norwegian security researcher demonstrated that Microsoft Edge decrypts every stored credential at browser startup and holds them resident in process memory for the entire session — even for sites never visited during that session. Microsoft confirmed the behavior is by design and has not committed to a fix. Unlike Chrome, Brave, and other Chromium-based browsers that only briefly surface plaintext credentials during autofill, Edge’s approach leaves credentials continuously accessible to any process with memory-read access. (Source: Dark Reading)
Ollama AI Platform: 300,000 Exposed Deployments Await Full Disclosure of Critical Vulnerability
SecurityWeek reports a critical vulnerability affecting Ollama, the popular local AI model runner, with approximately 300,000 internet-exposed deployments at risk. Full technical details are being withheld pending coordinated disclosure, but the flaw affects Ollama instances integrated with AWS, Docker, and Kubernetes environments. Organizations running Ollama in production should ensure it is not exposed to the internet and review network segmentation controls. (Source: SecurityWeek)
Stay tuned for today’s in-depth analysis posts.