Our analyst team shares a few articles each week in our email newsletter which goes every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.
New posts on the ShinyHunters data leak site reveal the threat group has allegedly breached the education technology company Instructure. The group claims to have stolen 280 million records connected to students and staff from over 8K colleges, school districts, and online education platforms. Using Canvas's data export feature, ShinyHunters was able to harvest “hundreds of gigabytes of user records, messages, and enrollment data”. According to the data leak site, ShinyHunters extended their deadline until May 12, claiming some of the affected institutions were engaging with the group. Read full article.

French authorities have detained a 15-year-old suspect in connection with the cyberattack on France Titres (ANTS). Using the alias “breach3d”, the suspect was selling between 12 and 18 million records stolen in the ANTS data breach. The minor faces charges for “unauthorized access, persistence, and data exfiltration from a state-run automated personal data processing system, as well as for possession of software that enables the offenses.” These charges carry a maximum sentence of 7 years in prison and a fine of 300K euros. Article here.

On April 22, ShinyHunters released data belonging to multiple organizations including Carnival Corporation, Zara, 7-Eleven, Pitney Bowes, and more. Several of the organizations are associated with the group's previous compromise of Salesforce environments. The site claims each company “failed to reach an agreement”, leading to ShinyHunters releasing their data. The datasets are said to include a combination of personally identifiable information, transaction records, and internal corporate data. In multiple instances, ShinyHunters highlighted Salesforce-related records, reinforcing a pattern seen in earlier campaigns linked to misconfigured cloud environments. Read more here.
A repository that briefly reached #1 on the Hugging Face platform was found delivering information-stealing malware to Windows users. “The repository had typosquatted OpenAI’s legitimate Privacy Filter release, copied its model card nearly verbatim, and shipped a loader.py file that fetches and executes infostealer malware on Windows machines,” states HiddenLayer’s Research Team. The ‘loader.py’ script was designed to look innocent, but behind the scenes it bypassed security checks, contacted a hidden external server, and ran unauthorized commands on the system. The repository was downloaded over 200K times before being removed. Read here.

China-linked hackers have conducted an espionage campaign against government and defense sectors in South, East, and Southeast Asia, as well as a European NATO member. Sharing network overlap with CL-STA-0049, Earth Alux, and REF7707, the threat cluster is being tracked as “SHADOW-EARTH-053”. This group takes advantage of known, already-patched vulnerabilities in internet-facing Microsoft Exchange and IIS servers to gain initial access. Once inside, they install web shells (GODZILLA) to maintain control over the system. They then deploy more advanced malware, such as ShadowPad, using DLL sideloading techniques that hide malicious code inside legitimate, signed programs. Learn more.
The GlassWorm campaign has begun targeting the OpenVSX ecosystem with 73 “sleeper” extensions that become “malicious after an update”. Socket researchers claim 6 of the extensions have been activated and deliver malware, with the other 67 currently dormant. The latest wave indicates a shift in the attacker’s approach. Instead of embedding malicious code directly within extensions, they first submit seemingly harmless versions to a single ecosystem, then introduce the malicious payload in a later update. Socket also found that the 73 extensions involved in the most recent GlassWorm campaign are clones of legitimate listings, intended to deceive developers who rely primarily on visual cues rather than closely examining the details. Read full article.

FamousSparrow, a China-affiliated threat group, has been linked to a “multi-wave intrusion” targeting an Azerbaijani oil and gas company from December 2025 to February 2026. Leveraging a vulnerable Microsoft Exchange server, the threat actor was able to swap backdoors during each re-entry. The attack enabled the staged deployment of two separate backdoors across three infection waves: Deed RAT (also known as Snappybee), a ShadowPad successor leveraged by several China-linked espionage groups, and TernDoor, a malware strain recently identified in campaigns targeting telecommunications infrastructure in South America. Read full article.
The main administrator of the now-defunct darknet marketplace Dream Market has been indicted by a federal grand jury on money laundering charges. Owe Martin Andreson was charged with “six counts of international concealment money laundering and six counts of concealment money laundering”, with each charge carrying a possible 20-year prison sentence. Operating under the handle “Speedstepper”, Andresen accessed dormant Dream Market wallets and moved millions of dollars to other accounts. German authorities have arrested Andresen and brought additional charges of concealment money laundering. The DOJ claims that in total Andresen is “alleged to have laundered over $2 million between August 2023 and April 2025.” Learn more.