DMZ//THREAT INTEL
FEED ACTIVELAST SYNC: 06:03:37ZSOURCES: 14CRITICAL: 15
⚠ ACTIVE ALERTS
SYLVANITE CRITICAL — SYLVANITE is a newly named Dragos-tracked threat group identified as a dedicated… /// @MsftSecIntel CRITICAL — We are tracking TeamPCP (UNC6780) activity following the GitHub internal repository… /// @GossiTheDog CRITICAL — The GitHub / TeamPCP breach is now being monetized on BreachForums. Listing is up — $95k… /// @struppigel CRITICAL — SUPPLY CHAIN ALERT: Laravel-Lang PHP packages backdoored May 22-23 via hijacked GitHub… /// @MalwareHunterTeam CRITICAL — Seeing fresh DebugElevator stealer log batches already appearing for sale on Exploit.in —…
15Critical Threats
8Active CVEs
0IOCs Tracked
0New Advisories
INTEL FEED/ARCHIVE/RANSOMWARE
DMZ INTEL DESK//FILED: 2026-05-25//00:47Z
CRITICAL#ransomware

ShinyHunters Breaches Instructure Canvas LMS Twice in Two Weeks — 275 Million Records Across 8,809 Educational Institutions Exfiltrated in Largest Education Sector Breach on Record

ShinyHunters exploited a vulnerability in Instructure's Free-For-Teacher account mechanism on April 25, 2026, exfiltrating 3.65 TB of data covering approximately 275 million student, teacher, and staff records from 8,809 institutions globally including Harvard, Stanford, Columbia, and Princeton. After Instructure failed to meet the May 6 deadline, ShinyHunters escalated by defacing Canvas login portals at roughly 330 institutions on May 7, knocking the platform offline during final exam periods, before Instructure reportedly reached a ransom agreement on May 11. The breach is the largest educational sector compromise on record and arms threat actors with billions of private messages plus institutional context ideal for precision spear-phishing against students, parents, and faculty — the downstream secondary exploitation risk is high and likely ongoing.

This intelligence brief has been compiled from open-source reporting and corroborated across multiple threat intelligence sources. Defenders should treat the critical severity rating as a guide to prioritization within their environment.

For the latest indicators of compromise, formatted SIEM queries, and unredacted actor intelligence related to this brief, DMZ Operator subscribers receive automated IOC packages via email the moment new advisories are published.

FILED UNDER:
shinyhunters · canvas-lms · instructure · education-sector · double-extortion · data-exfiltration · free-for-teacher-vuln · spear-phishing-risk
STAY AHEAD OF THREATS
Daily intel briefs and IOC packages — delivered to your inbox the moment a new advisory drops.
SUBSCRIBE — $29/MO →
SHARE BRIEF:✕ Post on Xin Share on LinkedIn

MORE FROM ARCHIVE

# RANSOMWARE
2026-05-26
NightSpire Ransomware Posts Fresh Victims on May 25–26; Group Now at 265 Claimed Victims Across 52 Countries Amid Suspected RaaS Pivot
# RANSOMWARE
2026-05-26
Nitrogen Ransomware Hits Foxconn North America; 8TB of Client IP Including Apple, Nvidia, Google Schematics Exfiltrated
# RANSOMWARE
2026-05-24
ShinyHunters Instructure/Canvas Breach: 275M Records Across 8,809 Institutions Confirmed; Ransom Paid After Second-Wave Portal Defacements During Finals
# RANSOMWARE
2026-05-23
ShinyHunters Breaches Canvas LMS Instructure Third Time in Eight Months — 275M Records, 8,809 Institutions Affected