Week of May 11: Ten Urgent Cybersecurity Incidents and Patches You Must Know


Welcome to our latest threat intelligence roundup. This week, the cybersecurity landscape saw major data breaches at education and retail giants, critical vulnerabilities in popular AI tools, and new attack campaigns targeting unsuspecting users. From exposed student records to WebSocket hijacking flaws, here are the ten most pressing cyber stories you need to understand right now.

1. Instructure Data Breach Exposes Student Records and Defaces Portals

Instructure, the US education technology company behind the Canvas learning platform, confirmed a major data breach affecting its cloud-hosted environment. The exposed data includes student and staff records, private messages, and other sensitive information. Adding to the damage, the ShinyHunters group escalated the attack by defacing hundreds of school login portals with ransom messages. Similar third-party incidents highlight growing supply chain risks.

Source: research.checkpoint.com

2. Zara Customer Data Leaked Through Third‑Party Provider

Zara, the flagship brand of Spanish fashion group Inditex, experienced a data breach tied to a third-party technology provider. Unauthorized access was confirmed, and experts verified that 197,400 unique email addresses, order IDs, purchase history, and customer support tickets were exposed. This incident underscores the importance of vetting vendor security, as seen with other high‑profile breaches this week.

3. Mediaworks Hit by Data‑Theft Extortion Attack

Hungarian media company Mediaworks, which operates dozens of newspapers and online outlets, fell victim to a data-theft extortion attack. The company confirmed an intrusion after the group World Leaks posted 8.5 TB of internal files online. The leaked data reportedly includes payroll records, contracts, financial documents, and internal communications. Such extortion tactics are increasingly common; see also the Škoda incident for a different attack vector.

4. Škoda Online Shop Compromised via Software Flaw

Czech automaker Škoda suffered a security incident affecting its online shop after attackers exploited a software flaw to gain unauthorized access. Exposed customer data may include names, contact details, order history, and logins. However, the company stated that passwords and payment card data were not affected. This incident echoes the Mediaworks breach in its impact on customer trust.

5. Cline AI Coding Agent Hit by Critical WebSocket Hijacking

Researchers uncovered a critical WebSocket hijacking vulnerability in Cline’s local Kanban server, impacting the widely used open-source AI coding agent. Rated CVSS 9.7 and patched in version 0.1.66, the flaw allowed any website a developer visited to exfiltrate workspace data and inject arbitrary commands into the AI agent. This is a stark reminder of how AI assistants can extend attack surfaces.
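The class of bug described here, a local WebSocket server reachable from any page the developer opens, is normally closed at the handshake. The following is an added example of such a handshake policy, not Cline's code or its fix (which this roundup does not describe); the port, the `token` query parameter and all function names are hypothetical.

```javascript
// Added example: handshake policy for a loopback-only WebSocket server.
// PORT, the "token" parameter and the helper names are assumptions.
const PORT = 3484; // hypothetical local port
const ALLOWED_HOSTS = new Set([`127.0.0.1:${PORT}`, `localhost:${PORT}`]);
const ALLOWED_ORIGINS = new Set([...ALLOWED_HOSTS].map((h) => `http://${h}`));

// Length check first, then a comparison that does not exit early on mismatch.
function tokensMatch(supplied, expected) {
  if (typeof supplied !== "string" || typeof expected !== "string") return false;
  if (expected.length === 0 || supplied.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) {
    diff |= supplied.charCodeAt(i) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

// headers: lower-cased header names, as Node's http module provides them.
// Returns { ok, reason } for one HTTP upgrade request.
function checkHandshake(headers, url, sessionToken) {
  // Host check: rejects DNS rebinding, where a foreign name resolves to 127.0.0.1.
  if (!ALLOWED_HOSTS.has(String(headers.host || "").toLowerCase())) {
    return { ok: false, reason: "bad-host" };
  }
  // Browsers attach Origin to every WebSocket handshake and page script cannot
  // override it, so a foreign site (or the opaque origin "null") is refused here.
  const origin = headers.origin;
  if (origin !== undefined && !ALLOWED_ORIGINS.has(String(origin).toLowerCase())) {
    return { ok: false, reason: "bad-origin" };
  }
  // Per-session token: covers clients that send no Origin (other local processes).
  const supplied = new URL(url, "http://placeholder.invalid").searchParams.get("token");
  if (!tokensMatch(supplied, sessionToken)) {
    return { ok: false, reason: "bad-token" };
  }
  return { ok: true, reason: "accepted" };
}
```

Call `checkHandshake` from the server's `upgrade` handler and close the socket on any result where `ok` is false, before any message from the client is processed.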

6. Anthropic’s Claude AI Extension Vulnerable to Hijacking

Security researchers found a flaw in Anthropic’s Claude in Chrome extension that allowed other browser extensions to hijack the AI agent. The issue enabled malicious prompts to trigger unauthorized actions and access sensitive browser-connected data. Together with the Cline vulnerability, it shows how AI tools are becoming prime targets for browser‑based attacks.


7. Fake Claude AI Installer Campaign Delivers Multi‑Stage Malware

Researchers detailed an InstallFix campaign using fake Claude AI installer pages promoted through Google Ads to infect Windows and macOS users. Victims were tricked into running commands that launched multi-stage malware, stole browser data, disabled protections, and established persistence through scheduled tasks. This campaign demonstrates the convergence of AI‑themed social engineering with sophisticated malware.

8. MOVEit Automation Authentication Bypass (CVE‑2026‑4670)

Progress® alerted customers to CVE‑2026‑4670, a critical authentication bypass in MOVEit Automation managed file transfer software that allows unauthorized access. A separate privilege escalation flaw, CVE‑2026‑5174, was also disclosed. Fixes are available in versions 2025.1.5, 2025.0.9, and 2024.1.8. These vulnerabilities follow a pattern of file‑transfer software being targeted; compare with the other MOVEit issue below.

9. MOVEit Automation Privilege Escalation (CVE‑2026‑5174)

Alongside the authentication bypass, Progress disclosed CVE‑2026‑5174, a privilege escalation flaw in MOVEit Automation. This vulnerability could allow an attacker to gain elevated privileges within the software. The same patched versions (2025.1.5, 2025.0.9, 2024.1.8) address both CVEs. Administrators should prioritize applying these updates, especially given the active exploitation of other zero‑days this week.

10. Ivanti EPMM Zero‑Day Under Active Exploitation (CVE‑2026‑6973)

Ivanti fixed CVE‑2026‑6973, a high‑severity Endpoint Manager Mobile vulnerability exploited as a zero‑day. The flaw affects EPMM 12.8.0.0 and earlier, allowing attackers with administrator permissions to run remote code. Hundreds of appliances remain vulnerable. This incident, combined with the MOVEit flaws, emphasizes the need for rapid patch management.
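For triaging an inventory against items 8 to 10, the following added example (not from the vendors or the source report) uses only the version numbers stated above. The product keys and sample versions are constructed, and it assumes dotted numeric version strings with a MOVEit release branch identified by its first two components.

```javascript
// Added example: version triage using only the numbers given in this roundup.
// Product keys ("moveit-automation", "ivanti-epmm") are assumptions.
const MOVEIT_FIXED = ["2025.1.5", "2025.0.9", "2024.1.8"]; // CVE-2026-4670, CVE-2026-5174
const EPMM_LAST_AFFECTED = "12.8.0.0"; // CVE-2026-6973: this version and earlier

function parseVersion(v) {
  return String(v).trim().split(".").map((part) => {
    if (!/^\d+$/.test(part)) throw new Error(`non-numeric component in "${v}"`);
    return Number(part);
  });
}

// Component-wise numeric compare; a plain string compare would rank
// "2025.0.10" below "2025.0.9". Missing components count as 0.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < Math.max(x.length, y.length); i++) {
    const d = (x[i] || 0) - (y[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

function triage(product, version) {
  if (product === "moveit-automation") {
    const [major, minor] = parseVersion(version);
    // Compare against the fix for the same branch, never the newest fix overall.
    const fix = MOVEIT_FIXED.find((f) => {
      const [fMajor, fMinor] = parseVersion(f);
      return fMajor === major && fMinor === minor;
    });
    if (!fix) return "review: branch not listed in this roundup";
    return compareVersions(version, fix) >= 0
      ? "patched"
      : `vulnerable: update to ${fix} or later`;
  }
  if (product === "ivanti-epmm") {
    return compareVersions(version, EPMM_LAST_AFFECTED) <= 0
      ? "vulnerable: in affected range"
      : "above affected range";
  }
  return "unknown product";
}
```

The roundup gives no fixed version for EPMM, so a result of "above affected range" should still be confirmed against Ivanti's advisory.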

Conclusion: This week’s threat intelligence reveals a worrying trend: attackers are increasingly targeting AI tools and third‑party integrations, while established software like MOVEit and Ivanti still harbor critical flaws. Organizations must remain vigilant—patch promptly, monitor for unusual activity, and educate users about AI‑themed scams. Stay tuned for next week’s bulletin.
