DMZ//THREAT INTEL
CRITICAL #ransomware

ShinyHunters Instructure/Canvas Breach: 275M Records Across 8,809 Institutions Confirmed; Ransom Paid After Second-Wave Portal Defacements During Finals

ShinyHunters exploited a vulnerability in Instructure's Free-for-Teacher account mechanism on April 25, 2026, exfiltrating 3.65 TB of data — approximately 275 million records from 8,809 educational institutions worldwide — including names, email addresses, student IDs, course data, and private messages. After Instructure attempted patching rather than negotiating, ShinyHunters escalated on May 7 by defacing Canvas login portals at ~330 institutions (including Harvard, Princeton, UPenn) during final exam periods, causing widespread outages. Instructure ultimately reached a ransom agreement on May 11. Security researchers warn, however, that the stolen dataset enables highly targeted spear-phishing campaigns that reference real course names, instructor identities, and student communications. This is the largest educational data breach on record by scope, and ShinyHunters' second breach of Instructure infrastructure within eight months.

This intelligence brief has been compiled from open-source reporting and corroborated across multiple threat intelligence sources. Defenders should treat the critical severity rating as a guide to prioritization within their environment.
