8 May 2026
Week in review
Greetings,
A major cyber incident affecting Canvas, one of the world’s most widely used education platforms, is continuing to evolve. New developments are highlighting both the scale of the exposure and an increasingly aggressive extortion campaign by the perpetrators.
Queensland’s Department of Education has confirmed that students and staff across the state are among those impacted by a global data breach involving Instructure’s Canvas learning management system, which supports the QLearn platform used in schools. Early advice indicates that students or staff who studied or worked in Queensland state schools since 2020 may have had personal information exposed, including names, email addresses and school locations. Authorities have stated that there is currently no evidence that passwords, financial data or government identifiers were accessed.
The incident forms part of a broader global compromise attributed to the ShinyHunters cybercriminal group, which claims to have exfiltrated large volumes of data from Canvas, potentially impacting more than 9,000 institutions and hundreds of millions of users worldwide. In addition to identifying information, the attackers claim to have obtained internal messages exchanged between students, teachers and staff, which could be leveraged in highly targeted phishing or social engineering attacks.
While Instructure has moved quickly to contain the breach and engage forensic experts, the situation escalated further this week. In a related development, ShinyHunters reportedly defaced Canvas login portals for approximately 300 education institutions, briefly replacing them with ransom messages threatening to publish the stolen data by May 12 if demands are not met.
As investigations continue, government agencies and affected institutions are urging vigilance, particularly around unsolicited communications and phishing attempts, while the broader sector grapples with the implications of a breach that has quickly become both a global data privacy incident and an unfolding cyber extortion case.
Palo Alto warns of critical software bug used in firewall attacks
Date: 2026-05-07
Author: The Record
[See also AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.4671.2/]
[AUSCERT has contacted affected members where applicable]
Hackers are exploiting a new vulnerability in software from Palo Alto Networks, the company said in an advisory on Wednesday.
The bug is tracked as CVE-2026-0300 and carries a severity score of 9.3 out of 10, indicating a critical issue. A patch has not been published yet and Palo Alto Networks said it will be included in releases over the next two weeks.
Critical vm2 sandbox bug lets attackers execute code on hosts
Date: 2026-05-06
Author: Bleeping Computer
A critical vulnerability in the popular Node.js sandboxing library vm2 allows escaping the sandbox and executing arbitrary code on the host system.
The security issue is tracked as CVE-2026-26956 and has been confirmed to impact vm2 version 3.10.4, although earlier releases may also be vulnerable. Proof-of-concept (PoC) exploit code has been published.
Qld gov says students, staff caught in Canvas cyber incident
Date: 2026-05-07
Author: itnews
The Queensland government says that students and staff working or studying at state schools since 2020 may have been caught up in a breach of global education systems vendor, Instructure.
QLearn, the state's digital learning management platform, is backed by Instructure’s Canvas, which was recently targeted by a well-known threat group.
A case study published by the vendor states that QLearn is used by “1264 K-12 schools, their 572,160 students [and by] 73,000-plus teaching staff.”
Critical Bug Could Expose 300,000 Ollama Deployments to Information Theft
Date: 2026-05-05
Author: Security Week
Roughly 300,000 Ollama deployments are prone to sensitive information theft through a remotely exploitable, unauthenticated critical vulnerability, Cyera warns.
Ollama is an open source solution for running LLMs on local machines and is highly popular among organizations as a self-hosted AI inference engine.
A heap out-of-bounds read issue in Ollama could be exploited to access sensitive information stored on the heap, including prompts, messages, and environment variables (such as API keys, tokens, and secrets), Cyera says.
UAT-8302 and its box full of malware
Date: 2026-05-05
Author: Cisco Talos
Talos assesses with high confidence that UAT-8302 is a China-nexus advanced persistent threat (APT) group tasked primarily with obtaining and maintaining long-term access to government and related entities around the world.
Post-compromise activity consisted of information collection, credential extraction, and proliferation using open-source tooling such as Impacket, proxying tools, and custom-built malware.
ESB-2026.4671.2 – Palo Alto PAN-OS: CVSS (Max): 9.3
Palo Alto Networks has disclosed a critical unauthenticated remote code execution vulnerability affecting the PAN-OS User-ID Authentication Portal (Captive Portal). The vulnerability is actively being exploited in the wild.
ESB-2026.4729 – Apache HTTP Server: CVSS (Max): 9.8
Ubuntu has released security updates for Apache HTTP Server addressing multiple vulnerabilities across supported Ubuntu releases, including denial-of-service, information disclosure, authentication bypass and potential remote code execution.
ESB-2026.4673 – IBM QRadar SIEM: CVSS (Max): 10.0
IBM has released security updates for the QRadar Investigation Assistant App addressing multiple third-party component vulnerabilities, including SSRF, remote code execution, prototype pollution, denial-of-service and path traversal.
ESB-2026.4586 – Linux: CVSS (Max): 9.8
Debian has released security updates for the Linux kernel in Debian 12 “bookworm” addressing a large number of vulnerabilities that could lead to privilege escalation, denial-of-service and information disclosure.
ESB-2026.4534 – Google Android: CVSS (Max): 8.8
Google’s May 2026 Android Security Bulletin addresses a critical vulnerability in the Android System component that could allow adjacent remote code execution as the shell user without user interaction.
Stay safe, stay patched and have a good weekend!
The AUSCERT team