Instructure's agreement, Shai Hulud campaign, OpenAI's Daybreak

Added: 2026-05-14

[00:00:00]From the CISO series, it's cybersecurity headlines.

[00:00:06]These are the cybersecurity headlines for Wednesday, May 13th, 2026. I'm Rich Stroffolino.

[00:00:12]Instructure reaches an agreement with ShinyHunters. In things that won't come back to bite them later news, Instructure, the company that makes the edtech platform Canvas, said it reached an agreement with the group that breached their systems twice in 2 weeks, ShinyHunters. The company said the group provided evidence that the stolen data from its systems was destroyed and received assurance that Canvas customers would not be extorted. No word on any specific financial terms paid by Instructure or what meaningful assurance they could have possibly received.

[00:00:42]ShinyHunters removed Instructure from its leak site.

[00:00:46]Shai Halud campaign is back. Since its appearance last September, the campaign by Team PCP has undergone several iterations, all focused on supply chain attacks to steal developer credentials.

[00:00:57]This latest effort saw the group use valid OpenID Connect tokens to publish dozens of malicious packages for TanStack on NPM before spreading to other projects such as Minstrel AI, OpenSearch, and UiPath. Since these used valid tokens, developers saw them as cryptographically authentic. Andor Labs highlights a novel trick used by the campaign, an orphan commit pushed to a TanStack fork, making it accessible through GitHub's shared fork object storage. This commit was then referenced in the malicious dependencies. Once infected, the infostealer malware writes itself to VS Code and Cloud Code autorun hooks, ensuring it persists even after uninstallation. The malware implements geofencing logic to prevent execution when Russian language settings are detected and includes probabilistic recursive wipe commands if the environment appears to be in Israel or Iran.

[00:01:49]OpenAI launches Daybreak. This new cybersecurity initiative uses OpenAI's Codex security and several GPT-5.5 models to create an editable threat model for a repository with an emphasis on real-world attack paths and high-impact code. It will then test vulnerabilities in a sandbox and propose mitigations and full-out fixes.

[00:02:09]Daybreak isn't generally available yet.

[00:02:12]On its launch site, users can request a vulnerability scan or contact sales to request access.

[00:02:17]Like the Mythos rollout, OpenAI says it's working with industry and government partners to get ready to deploy these kinds of cyber capable models.

[00:02:25]EU members exporting surveillance tech.

[00:02:28]According to export records obtained through Freedom of Information requests by Human Rights Watch, six European Union member countries have exported surveillance tech to countries with previous records of human rights abuses.

[00:02:39]Bulgaria, the Czech Republic, Denmark, Finland, and Poland sold surveillance technologies to over two dozen countries with documented cases of repressing activists and journalists.

[00:02:48]This may only represent a subset of the countries involved in the practice as France, Germany, Greece, Italy, and Spain declined to share any export data.

[00:02:57]The data obtained by Human Rights Watch does not specify the names of the companies exporting the tech.

[00:03:02]The EU introduced regulations in 2021 to heavily regulate the export of surveillance technologies.

[00:03:09]>> [music] >> And now a huge thanks to our sponsor for today, Dopple.

[00:03:12]Social engineering attacks look trustworthy. [music] Routine request, an internal email, a familiar face on a call. But Dopple sees through the disguise. Their AI native platform detects and disrupts attacks across every channel [music] while training employees to recognize deepfakes and deception. They fight relentlessly to protect your business, brand, and people.

[00:03:34]Dopple, outpacing what's next in social engineering. Learn more at [music] dopple.com. That's d o p p e l.com.

[00:03:43][music] The government giveth and taketh away AI models. Last week, the US Commerce Department announced that it reached an agreement with Google, xAI, and Microsoft to test these models for security vulnerabilities on their systems ahead of their general release.

[00:03:59]However, this week the US Commerce Department removed that announcement from its site. No word from the department on why the change was made, if this materially affects any deal, or they just took down the announcement. In related news, the Pentagon announced it's deploying Anthropic's Mythos model to look for vulnerabilities across the US government. According to DoD Chief Technology Officer Emilio Michael, the Pentagon still plans to remove Anthropic products from its work in the coming months, but said that Mythos represented a national security moment.

[00:04:28]Android gets intrusion logging. Google announced a new feature for Android, developed in partnership with Amnesty International, called intrusion logging.

[00:04:36]This is a feature of Android advanced protection mode and is designed to provide logs specifically made for forensic investigations. These logs will record security incidents such as unlocking, physical access to a device, and the installation or removal of spyware. At launch, this is only available on Android 16 and only on Pixel devices. Amnesty International frames this as the first major vendor to proactively address the challenge of detecting advanced attacks on device.

[00:05:04]Cross-platform end-to-end encrypted RCS arrives on mobile. Apple and Google announced a beta rollout of end-to-end encrypted rich communication services or RCS messaging. The rollout implements the GSM Association's RCS Universal Profile 3.0.

[00:05:20]This will be available on iOS 26.5 and the latest version of Google Messages, although availability still relies on carrier activation. Encrypted messages will show a lock icon in chat. This feature will be enabled by default, with Apple committing to applying encryption to existing RCS threats as well.

[00:05:38]Up until now, Android and iOS have each had native end-to-end messaging, but this didn't extend cross-platform.

[00:05:46]West Pharmaceutical still recovering from ransomware. According to filings with the US Securities and Exchange Commission, the pharma giant West Pharmaceutical Services suffered a ransomware attack on May 4th, causing a proactive shutdown and isolation of affected on-premise infrastructure. This caused a temporary disruption to the company's business operations globally.

[00:06:04]As of this recording, core enterprise systems and processes around shipping, receiving, and manufacturing have restarted at some locations, but the company does not yet have a complete timeline for a full restore.

[00:06:15]No known ransomware group has claimed responsibility for the attack, which may indicate that a ransom was paid. It's unclear what data was stolen and how many people might have been impacted.

[00:06:25]RubyGems suspends account sign-ups. The standard package manager for Ruby, creatively named RubyGems, announced it's dealing with a major malicious attack. This has impacted hundreds of packages, although those are mostly targeting RubyGems itself, but some carry active exploits. As a result, it temporarily suspended new account sign-ups. No word on who is behind the attack. The company securing RubyGems, men.io, said it will release more details once it contains the attack.

[00:06:54]Remember to register for this week's Super Cyber Friday event, Hacking the Cloud Security Playbook. We'll be spending an hour digging into what's changed in cloud security in the age of AI development, what principles are holding fast, and what needs to adapt to the shifting landscape. Head on over to our events page to register. And if you share the event on LinkedIn, you'll have a chance to win some CISO Series swag live on the show. We do it right up front, you'll know if you're a winner.

[00:07:18]See you there. And if you have some thoughts about the news from today, or about the show in general, be sure to reach out to us [email protected].

[00:07:25]We'd love to hear from you. Reporting for the CISO Series, I'm Rich Stroffolino, reminding you to have a super sparkly day.

[00:07:34]>> [music] >> Cyber Security headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.

[00:07:43]>> [music]