Bvoxro Stack

May 11 Weekly Cyber Threat Digest: Key Breaches, AI Risks, and Patches

Summary of top cyber incidents: Instructure breach, Zara data leak, Mediaworks extortion, Skoda shop hack, AI vulnerabilities in Cline and Claude, and critical patches for MOVEit and Ivanti.

Bvoxro Stack · 2026-05-21 01:47:24 · Education & Careers

Welcome to this week’s cyber threat roundup for May 11. We cover major data breaches hitting education tech giant Instructure and fashion leader Zara, a massive extortion incident at Hungarian media company Mediaworks, and a security incident at automaker Škoda’s online shop. In the AI realm, critical vulnerabilities were discovered in the Cline coding agent and the Claude browser extension, while a malicious ad campaign targets Claude users. Finally, urgent patches from Progress and Ivanti address high-severity flaws. Below, we answer key questions about these events.

What major data breach affected Instructure, the company behind the Canvas learning platform?

Instructure, the U.S. education technology firm that owns the widely used Canvas learning management system, confirmed a significant data breach in its cloud-hosted environment. The attackers accessed sensitive information including student and staff records, private messages, and other internal data. The infamous threat group ShinyHunters escalated the incident by defacing hundreds of school login portals with ransom demands. This breach underscores the ongoing risks to educational institutions that rely on third-party platforms, as even well-secured cloud environments can be compromised. The stolen data could lead to identity theft, phishing attacks, and reputational damage for affected schools. Instructure has not yet disclosed the exact number of users impacted, but the incident affects institutions globally.

Source: research.checkpoint.com

How did Zara's parent company Inditex suffer a data leak through a third-party provider?

Zara, the flagship fast-fashion brand under the Spanish group Inditex, experienced a data breach tied to a third-party technology vendor. While Zara itself was not directly compromised, the attacker gained unauthorized access to systems managed by the external provider. Security experts verified that 197,400 unique email addresses, along with order IDs, purchase histories, and customer support tickets, were exposed. This incident highlights the critical supply chain risk that third-party relationships pose, even when the primary company’s own defenses are strong. Inditex has confirmed the breach and is working to notify affected customers. The exposed data, though not including payment card details, could be used for targeted phishing or social engineering attacks against Zara shoppers. The incident reinforces the need for rigorous vendor risk assessments and continuous monitoring of third-party access.

What happened to Hungarian media company Mediaworks following a data-theft extortion attack?

Mediaworks, a Hungarian media conglomerate operating dozens of newspapers and online outlets, fell victim to a severe data-theft extortion attack. The group World Leaks posted 8.5 terabytes of internal files online, including payroll records, contracts, financial documents, and internal communications. Mediaworks confirmed the intrusion after the data dump went public. The attackers likely used extortion tactics, threatening to release more data unless a ransom was paid. This incident demonstrates how media companies, which often hold vast, sensitive archives, are prime targets for ransomware-like operations that combine data theft with extortion. The leaked information could have legal, financial, and reputational consequences. Mediaworks is currently investigating and working to mitigate further damage.

How did a security incident affect Škoda's online shop, and what customer data was exposed?

Czech automaker Škoda reported a security incident on its online shop after attackers exploited a software flaw to gain unauthorized access. The breach potentially exposed customer names, contact details, order history, and login information. However, the company emphasized that passwords and payment card data were not compromised. The vulnerability was in a software component of the e‑commerce platform, not a direct hack of Škoda’s core systems. This incident serves as a reminder that even well-known brands can be affected by common web application flaws. Customers are advised to reset passwords if they used the same credentials elsewhere. Škoda is working with security experts to patch the vulnerability and has notified relevant authorities.


What critical AI security flaws were discovered in the Cline coding agent and the Claude browser extension?

Two significant AI security vulnerabilities emerged this week. First, researchers uncovered a WebSocket hijacking flaw in Cline’s local Kanban server, rated CVSS 9.7 (critical). This bug allowed any website a developer visited to exfiltrate workspace data and inject arbitrary commands into the AI coding agent. It was patched in version 0.1.66. Second, a flaw in Anthropic’s Claude browser extension for Chrome allowed other extensions to hijack the AI agent, enabling malicious prompts to trigger unauthorized actions and access sensitive browser-connected data. These issues illustrate how AI assistants expand the attack surface of browsers and development environments. Developers and users should immediately update to the latest versions.
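As an added illustration (not code from Cline, Anthropic or the original report, which does not describe the fix), the JavaScript below shows the handshake checks a loopback-only WebSocket server can apply so that a page on another origin cannot open a session. The port, token, allowlists and `checkUpgrade` function are hypothetical names.

```javascript
// Added example. PORT, the allowlists and checkUpgrade() are hypothetical names.
const PORT = 3484; // constructed port for a loopback-only dev server
const ALLOWED_HOSTS = new Set([`127.0.0.1:${PORT}`, `localhost:${PORT}`]);
const ALLOWED_ORIGINS = new Set([...ALLOWED_HOSTS].map((h) => `http://${h}`));

// Compare secrets without an early exit on the first differing character.
// (Node's crypto.timingSafeEqual is the standard-library equivalent.)
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Decide whether to accept a WebSocket upgrade. `req` has the shape of a Node
// http.IncomingMessage: lower-cased `headers` plus the request `url`.
function checkUpgrade(req, sessionToken) {
  const { host, origin } = req.headers;

  // 1. Host must name the loopback listener. A DNS-rebinding page reaches
  //    127.0.0.1 under its own hostname, so its Host header fails here.
  if (!ALLOWED_HOSTS.has(host)) return { ok: false, status: 403, reason: 'host' };

  // 2. WebSocket handshakes are not blocked by the same-origin policy, but
  //    browsers always attach Origin. Reject any origin that is not our own UI.
  //    Non-browser clients send no Origin and fall through to the token check.
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) {
    return { ok: false, status: 403, reason: 'origin' };
  }

  // 3. Require the per-session secret the server handed to its own UI.
  const token = new URL(req.url, `http://${host}`).searchParams.get('token') || '';
  if (!sessionToken || !constantTimeEqual(token, sessionToken)) {
    return { ok: false, status: 401, reason: 'token' };
  }
  return { ok: true, status: 101, reason: 'accepted' };
}

// Constructed handshakes (not captured traffic).
const TOKEN = 'constructed-session-token';
const ui = { headers: { host: `127.0.0.1:${PORT}`, origin: `http://127.0.0.1:${PORT}` }, url: `/ws?token=${TOKEN}` };
const crossSite = { headers: { host: `127.0.0.1:${PORT}`, origin: 'https://site.example' }, url: '/ws' };
console.log(checkUpgrade(ui, TOKEN).reason, checkUpgrade(crossSite, TOKEN).reason);
```

The function is meant to run in the HTTP server's `upgrade` handler before any WebSocket frames are processed, with the connection closed on any result where `ok` is false.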

How is the InstallFix campaign using fake Claude AI installers to infect users?

Security researchers detailed an InstallFix campaign that uses fake Claude AI installer pages promoted through Google Ads to infect both Windows and macOS users. Victims are lured by ads that appear legitimate, then tricked into running commands that launch a multi-stage malware infection process. The malware steals browser data, disables system protections, and establishes persistence through scheduled tasks. This campaign preys on the growing interest in AI tools, using installers for popular models like Claude as the lure. Users should avoid downloading software from advertisements and always use official sources. The threat highlights how cybercriminals leverage trending technology like AI to distribute malware.

Which critical vulnerabilities were fixed by Progress and Ivanti this week?

This week saw patches for several critical flaws. Progress warned customers about CVE-2026-4670, a critical authentication bypass in MOVEit Automation managed file transfer software that allows unauthorized access, and CVE-2026-5174, a privilege escalation flaw. Fixes are available in versions 2025.1.5, 2025.0.9, and 2024.1.8. Ivanti fixed CVE-2026-6973, a high-severity Endpoint Manager Mobile vulnerability actively exploited as a zero-day. It affects EPMM 12.8.0.0 and earlier, allowing attackers with administrator permissions to execute code remotely. Hundreds of appliances may be at risk. Administrators should apply patches immediately and review their security posture.
