DMZ//THREAT INTEL
FEED ACTIVELAST SYNC: 06:03:37ZSOURCES: 14CRITICAL: 15
⚠ ACTIVE ALERTS
SYLVANITE CRITICAL — SYLVANITE is a newly named Dragos-tracked threat group identified as a dedicated… /// @MsftSecIntel CRITICAL — We are tracking TeamPCP (UNC6780) activity following the GitHub internal repository… /// @GossiTheDog CRITICAL — The GitHub / TeamPCP breach is now being monetized on BreachForums. Listing is up — $95k… /// @struppigel CRITICAL — SUPPLY CHAIN ALERT: Laravel-Lang PHP packages backdoored May 22-23 via hijacked GitHub… /// @MalwareHunterTeam CRITICAL — Seeing fresh DebugElevator stealer log batches already appearing for sale on Exploit.in —…
15Critical Threats
8Active CVEs
0IOCs Tracked
0New Advisories
INTEL FEED/ARCHIVE/RANSOMWARE
DMZ INTEL DESK//FILED: 2026-05-23//08:51Z
CRITICAL#ransomware

ShinyHunters Breaches Canvas LMS Instructure Third Time in Eight Months — 275M Records, 8,809 Institutions Affected

ShinyHunters exploited a vulnerability in Instructure's Free-For-Teacher accounts to exfiltrate 3.65 TB of data claiming 275 million records across 8,809 educational institutions globally — the largest education sector breach on record. After Instructure declined to negotiate, the group defaced Canvas login portals at approximately 330 institutions and pivoted to direct school-by-school extortion. KrebsOnSecurity analysis reveals this is at least the third ShinyHunters compromise of Instructure in eight months, with the September 2025 University of Pennsylvania breach now appearing to have been a proof-of-concept run against the same access path.

After Instructure declined to negotiate, the group defaced Canvas login portals at approximately 330 institutions and pivoted to direct school-by-school extortion.

This intelligence brief has been compiled from open-source reporting and corroborated across multiple threat intelligence sources. Defenders should treat the critical severity rating as a guide to prioritization within their environment.

For the latest indicators of compromise, formatted SIEM queries, and unredacted actor intelligence related to this brief, DMZ Operator subscribers receive automated IOC packages via email the moment new advisories are published.

FILED UNDER:
shinyhunters · instructure · canvas-lms · edtech · double-extortion · salesforce-abuse · supply-chain
STAY AHEAD OF THREATS
Daily intel briefs and IOC packages — delivered to your inbox the moment a new advisory drops.
SUBSCRIBE — $29/MO →
SHARE BRIEF:✕ Post on Xin Share on LinkedIn

MORE FROM ARCHIVE

# RANSOMWARE
2026-05-26
NightSpire Ransomware Posts Fresh Victims on May 25–26; Group Now at 265 Claimed Victims Across 52 Countries Amid Suspected RaaS Pivot
# RANSOMWARE
2026-05-26
Nitrogen Ransomware Hits Foxconn North America; 8TB of Client IP Including Apple, Nvidia, Google Schematics Exfiltrated
# RANSOMWARE
2026-05-24
ShinyHunters Instructure/Canvas Breach: 275M Records Across 8,809 Institutions Confirmed; Ransom Paid After Second-Wave Portal Defacements During Finals
# RANSOMWARE
2026-05-19
Nitrogen Ransomware Claims 8TB Foxconn Exfiltration Including Confidential Apple, Intel, Google Technical Data from North American Factories