Canvas ransom, Shai-Hulud npm wave, NoName DDoS surge
Summary
The day reads as a confluence of three pressures: brand-name extortion settling into post-breach negotiation rather than legal escalation, an open-source supply chain in which developer registries keep being re-poisoned despite repeated cleanups, and a still-active influence-aligned DDoS campaign running alongside both. Defenders should read the Canvas settlement and the Mini Shai-Hulud cleanup together: the path of least resistance into educational, financial and AI/dev-tooling estates now runs through trusted third parties and shared developer infrastructure, not direct perimeter compromise.
Today's developments
The headline incident was the Instructure / Canvas extortion. The American educational-technology firm Instructure said it reached an agreement with the decentralised extortion crew ShinyHunters after the actor claimed to have exfiltrated approximately 3.65 TB of data from the Canvas learning platform; the company says the agreement involved the data being "returned" with digital confirmation of destruction, a claim no defender can independently verify. Industry reporting on the same period notes that Congress has announced an investigation into the incident, framing the deal as a precedent question rather than a closed case. West Pharmaceutical Services confirmed a separate disruptive ransomware attack, taking systems offline globally after exfiltration and file encryption; and BWH Hotels disclosed that threat actors had access to its reservation data for approximately six months, exposing names and contact information for an unspecified number of guests.
Software supply-chain compromise dominated the technical wire. Security researchers reported that the actor known as TeamPCP, behind the recent supply-chain attack spree, has been linked to the Mini Shai-Hulud campaign: over 400 malicious versions of 170 packages published across npm and PyPI, with confirmed compromise of packages from TanStack, UiPath, Mistral AI, OpenSearch and Guardrails AI. Microsoft Incident Response published a deep-dive on a stealthy intrusion operated entirely through legitimate, trusted administrative mechanisms to blend into routine operations and evade detection, an explicit reminder that trust-boundary abuse is now the playbook, not the exception. ThreatFabric flagged a new variant of the TrickMo Android banking trojan using The Open Network (TON) for command-and-control and SOCKS5 to build network pivots, moving operator infrastructure off conventional, takedown-exposed C2 hosting.
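The registry poisoning described above is a versions-not-names problem: the same package name carries both clean and malicious releases, so the check worth running against an estate is a lockfile audit against a list of known-bad versions, plus a flag on any dependency that is not pinned exactly (an unpinned specifier is what lets the next poisoned release walk into the next install). The following Python is an added example written for this page, not code from Instructure, from the researchers tracking TeamPCP, or from any project named above; the DENYLIST entries, package names and sample lockfile contents are constructed for illustration and are not the real Mini Shai-Hulud package list, which you would substitute from a vendor or CERT advisory.

```python
"""Audit npm and pip lockfiles against a denylist of known-bad package versions.

Added example for this page. The denylist and sample inputs are CONSTRUCTED:
the package names and versions below are hypothetical and do not correspond
to any real advisory. Replace DENYLIST with the list from your vendor/CERT.
"""
import json
import re

# Hypothetical denylist: (ecosystem, normalised package name, exact version).
DENYLIST = {
    ("npm", "example-widgets", "1.4.7"),
    ("npm", "@acme/build-helper", "0.9.2"),
    ("pypi", "example-guard", "2.1.0"),
}


def audit_package_lock(lock_text):
    """Return sorted (name, version) hits from an npm package-lock.json.

    Handles lockfileVersion 2 and 3, whose "packages" map is keyed by install
    path ("node_modules/foo", "node_modules/foo/node_modules/@scope/bar").
    The package name is everything after the last "node_modules/", so nested
    and scoped packages are covered. lockfileVersion 1 has no "packages" map.
    """
    lock = json.loads(lock_text)
    if "packages" not in lock:
        raise ValueError("lockfileVersion 1 not supported; regenerate with npm >= 7")
    hits = []
    for path, meta in lock["packages"].items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        if ("npm", name, meta.get("version")) in DENYLIST:
            hits.append((name, meta["version"]))
    return sorted(hits)


# name, optional operator, optional version (stops at whitespace, ';' markers, '#').
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;#]*)")


def _normalise(name):
    """PEP 503 normalisation so Example_Guard, example.guard and example-guard match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_requirements(req_text):
    """Return (hits, unpinned) for a pip requirements.txt.

    hits: denylisted (name, version) pairs among exactly pinned lines.
    unpinned: names whose specifier is anything other than '==' (bare names,
    '>=' ranges, '~=' compatible releases), i.e. lines a poisoned new release
    could satisfy on the next install.
    """
    hits, unpinned = [], []
    for raw in req_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, -r includes, -e editables
            continue
        m = _REQ_RE.match(line)
        if not m:
            continue
        name, op, version = m.groups()
        name = _normalise(name)
        if op != "==":
            unpinned.append(name)
        elif ("pypi", name, version) in DENYLIST:
            hits.append((name, version))
    return sorted(hits), sorted(unpinned)


# Constructed sample inputs (not real lockfiles).
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/example-widgets": {"version": "1.4.7"},
        "node_modules/example-widgets/node_modules/@acme/build-helper": {"version": "0.9.2"},
    },
})

SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
requests==2.32.3
example-guard==2.1.0
Example_Guard>=1.0      # loose range, would accept a newer poisoned release
numpy
"""

if __name__ == "__main__":
    print("npm hits:", audit_package_lock(SAMPLE_PACKAGE_LOCK))
    print("pypi hits, unpinned:", audit_requirements(SAMPLE_REQUIREMENTS))
```

Run it over a real package-lock.json and requirements.txt by passing the file contents in place of the constructed samples. The name normalisation matters in practice: PyPI treats Example_Guard and example-guard as the same project, so an advisory list and a requirements file that spell the name differently must still match.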
Vendor patch volume was unusually concentrated. Apple shipped fixes for dozens of vulnerabilities across macOS and iOS, back-ported a recent fix for a deleted-chats-recovery issue to older iOS versions, and released iOS 26.5 with end-to-end encryption for RCS messaging between iPhone and Android enabled by default in beta. SAP patched critical flaws in S/4HANA and SAP Commerce that could allow malicious code injection leading to information disclosure and remote code execution. OpenAI launched Daybreak, a new AI-driven vulnerability-detection and patch-validation initiative built on Codex Security.
On the forum-claim side, the picture was sprawling but specific. The French anti-graft researcher lazasec claimed a breach of CARMF, the French doctors' pension fund, a healthcare-sector target. Niles, posting in Cyber Threat Intelligence Feeds, claimed an alleged breach of the US commercial real-estate firm Cushman & Wakefield. JAX7 claimed an alleged breach of the Indonesian parliament (DPR-RI) citizen-data database, and CIAMIS CYBER TEAM claimed a separate alleged breach of the Banda Aceh city government: two government-administration claims in Indonesia on the same day. Databroker1 advertised approximately 300,000 records allegedly exfiltrated from the UAE retailer sivvi.com. BigBrother advertised 1.5 million PII rows allegedly from the Indian platform Guidely.in, xakoji3864 claimed 3.9 million records from the Brazilian fast-food chain habibs.com, and s-root claimed an alleged breach of Syria Gulf Bank. The prolific actor omni777 dumped Spain, Albania, Canada and US targets on the same day under one tag; Bambi claimed France and Vietnam consumer-goods breaches in parallel.
DDoS-shaped activity remained heavy. The pro-Russian crew NoName057(16) was the day's busiest actor with nine separate DDoS claims, and the GENESIS, Big-Bro and omni777 tags together produced another 19 alleged actions. Two further alleged breach posts are worth separating out: the Virginia Department of Wildlife, a US state agency, claimed by w1kkid, and the advertised Cushman & Wakefield database already noted above; one separate listing tagged Kuwait's Public Authority for Civil Information (paci.gov.kw).
Threat landscape signals
Across 157 alleged events the top three actors (NoName057(16), GENESIS, Big-Bro) account for 14 percent of the day's volume, leaving a long tail of one-or-two-claim handles, consistent with a noisy criminal-and-hacktivist marketplace rather than a few dominant operators. Geographically, US victims dominate at 35 of 157 events, with Austria (9), United Kingdom (9), Indonesia (8), Israel (7), Canada (6) and France (6) clustering behind. Industry visibility is concentrated where attribution is published: government administration (16), non-profit and social organisations (7) and financial services (7) lead the named-vertical rankings. The category split skews to data breach (48) and ransomware (32) over DDoS (27). The Kaspersky 2026 ransomware outlook published Tuesday by Securelist points to EDR killers on the rise and operators shifting from encryption to data-leak extortion; both fit the day's pattern, since the Canvas settlement, the West Pharmaceutical takedown and the broad data-broker marketplace all reward access-and-leak over lock-and-restore. Defenders running large educational, retail or government estates should treat third-party administrative trust paths and developer-registry dependencies as today's two highest-value abuse surfaces.