The modern enterprise is no longer breached in the traditional sense. Firewalls remain intact; endpoints appear compliant, and credentials are often never “stolen” in the usual way. Yet attackers still get in—and stay in. The difference lies in how trust is being weaponized.  

Threat actors are executing what looks like a supply chain attack without ever touching the actual supply chain infrastructure. Instead, they exploit the implicit trust organizations place in browsers, third-party services, and user behavior. 

This shift represents a quiet but dangerous evolution in supply chain cybersecurity. It’s less about breaking systems and more about bending them, using legitimate access paths to bypass defenses that were designed to stop intrusion, not misuse. 

The Rise of “Invisible” Supply Chain Attacks 

Traditional software supply chain attack scenarios often involve tampering with code libraries, compromising vendors, or injecting malicious updates. Those risks still exist, but attackers are now pursuing a lighter, faster approach: manipulating user-facing workflows that rely on trusted platforms. 

In recent campaigns, phishing pages masquerade as routine services—identity verification tools, account recovery portals, or internal workflows. What makes these attacks stand out is not just the deception, but the permissions they request. Instead of asking for passwords, they request access to cameras, microphones, and device-level metadata. 

This tactic transforms a simple phishing attempt into a sophisticated supply chain attack example—one where the “chain” is not software distribution, but user trusts in familiar digital processes. 

Once permissions are granted, the attack doesn’t need to escalate privileges. It already has them. 

When Browsers Become Data Exfiltration Tools 

Modern browsers are powerful. They support APIs for video capture, audio recording, geolocation, and device fingerprinting. These capabilities are designed for legitimate applications—but in the wrong hands, they become surveillance tools. 

Attackers embed scripts within phishing pages that activate these features immediately after permission is granted. Within seconds, they can: 

• Capture images and short video clips from the user’s camera  

• Record audio through the microphone  

• Collect device details such as OS, browser version, and memory  

• Approximate location and network characteristics  

This isn’t brute-force hacking. It’s precision harvesting. 

The data is then quietly transmitted to attacker-controlled systems, often using simple channels like messaging bots. There’s no need for complex infrastructure, which makes detection even harder. 

From a supply chain cybersecurity perspective, this is particularly concerning. The browser—arguably one of the most trusted components in enterprise environments—becomes the weakest link. 

QR Codes and the Expansion of the Attack Surface 

Another variation of this evolving threat involves QR codes embedded in seemingly legitimate documents. This technique, often called “quishing,” shifts the attack from desktops to mobile devices. 

An employee receives a polished PDF—perhaps an HR document or compliance guide. It looks authentic, reads well, and builds credibility. Then, at the end, it asks the user to scan a QR code for more information. 

That scan leads to a phishing site. 

Because QR codes obscure the underlying URL, they bypass many traditional email filters. On mobile devices, where users are less likely to scrutinize links, the success rate increases dramatically. 

This approach represents another subtle supply chain attack example: attackers are exploiting trusted communication formats—PDFs, QR codes, and mobile workflows—to deliver malicious payloads without triggering alarms. 

Adversary-in-the-Middle: The New Credential Theft 

Credential harvesting has also evolved. Instead of simply collecting usernames and passwords, attackers now position themselves between the user and the legitimate service. 

This adversary-in-the-middle (AITM) technique allows them to intercept: 

• Login credentials  

• Multi-factor authentication (MFA) codes  

• Session tokens  

In effect, they don’t just log in—they become the user. 

This is particularly damaging in enterprise environments where MFA was once considered a strong defense. It highlights a critical gap in how to prevent supply chain attacks: focusing solely on authentication is no longer enough. Continuous verification and behavioral monitoring are now essential. 

Why These Attacks Work 

What makes these campaigns effective isn’t just technical sophistication—it’s psychological alignment. Every step mimics something users already trust: 

• Identity verification flows  

• Corporate documents  

• QR-based access to resources  

• Familiar login interfaces  

Attackers are not introducing new behaviors; they are blending into existing ones. 

This is why traditional defenses struggle. Security tools are designed to detect anomalies, but these attacks look normal—because they are built on legitimate features. 

Rethinking Defense: From Perimeter to Context 

Defending against this new class of software supply chain attack requires a shift in mindset. Organizations must move beyond perimeter-based security and adopt a context-driven approach. 

Key strategies include: 

• Strict permission governance: Limit browser access to sensitive hardware unless necessary  

• Behavioral monitoring: Detect unusual patterns in device usage and data access  

• Zero Trust architecture: Continuously verify users, devices, and sessions  

• User awareness: Train employees to question permission requests, not just links  

Understanding how to prevent supply chain attacks now means recognizing that the “supply chain” includes user interactions, browser capabilities, and third-party workflows—not just software dependencies. 

Strengthening Endpoint Resilience with Cyble Titan 

https://www.youtube.com/watch?v=NS7XHdNpkyE

As attackers exploit trusted access points, endpoint visibility becomes critical. This is where platforms like Cyble Titan play a strategic role. 

Cyble Titan is designed to go beyond traditional endpoint protection. It brings together real-time telemetry, threat intelligence, and automated response into a unified platform. Rather than relying on static rules, it continuously analyzes behavior across endpoints, detecting subtle anomalies that indicate misuse of legitimate tools. 

Key strengths include: 

• Real-time visibility: Deep insights into processes, file activity, and user behavior  

• Intelligence-driven detection: Integration with threat intelligence for contextual awareness  

• Automated response: Rapid containment to reduce attacker dwell time  

• Cross-platform coverage: Coverage for environments across Windows, Linux, and macOS  

In the context of supply chain cybersecurity, this level of visibility is essential. When attacks don’t “break in” but instead operate within trusted boundaries, detection depends on understanding what shouldn’t be happening, even if it looks normal on the surface. 

Trust Is the New Attack Surface 

The definition of a breach is changing. It’s no longer about unauthorized access—it’s about unauthorized use of authorized access. 

These emerging supply chain attack examples demonstrate that attackers are adapting faster than traditional defenses. They are leveraging trust, not bypassing it. And that makes them harder to detect, harder to prevent, and potentially more damaging. 

Organizations that want to stay ahead must rethink how to prevent supply chain attacks. That means focusing on context, behavior, and continuous verification—not just barriers. 

Ready to see how modern endpoint security can close these gaps? Explore Cyble Titan and experience a more intelligent approach to defending against today’s most deceptive threats.  

Request a demo and evaluate how real-time visibility and AI-driven detection can strengthen your security posture from the inside out. 

The post Third-Party Breaches Without Breaches: How Attackers Use Trusted Access to Bypass US Enterprise Defenses appeared first on Cyble.

💾

Trellix, the global cybersecurity firm formed from the merger of McAfee Enterprise and FireEye, has confirmed unauthorized access to a portion of its source code repository, with the RansomHouse ransomware group formally claiming responsibility for the attack.

Trellix reported a data breach involving unauthorized access to a portion of its source code repository, which was disclosed publicly around May 2, 2026.

Upon discovering the intrusion, Trellix immediately engaged leading forensic experts to investigate and has notified law enforcement authorities.

In an official statement published on its website, the company said: “Based on our investigation to date, we have found no evidence that our source code release or distribution process was affected, or that our source code has been exploited”.

The RansomHouse ransomware group formally named Trellix on its dark web leak site, claiming the compromise occurred on April 17, 2026.

The group published multiple screenshots reportedly demonstrating access to Trellix’s internal services and management dashboards, though they have not specified the volume of data exfiltrated or its nature.

Notably, RansomHouse listed the breach status as “Evidence Depends on You,” a hallmark tactic used to pressure victims into negotiations before releasing stolen data publicly.

RansomHouse is a sophisticated ransomware-as-a-service (RaaS) group known for deploying a unique ransomware variant called Mario ESXi, whose code shares lineage with the leaked Babuk ransomware source code, alongside a tool called MrAgent to target both Windows and Linux-based virtualized environments.

The group typically targets VMware ESXi infrastructure and exploits weak domain credentials and monitoring systems to gain privileged access.

RansomHouse distinguishes itself by positioning itself as a “professional mediator community,” often seeking payment for data deletion rather than decryption.

The full extent of the data exposure remains unspecified, and Trellix has not confirmed whether corporate or customer data beyond source code was accessed.

Preliminary investigations indicate no evidence that the software distribution pipeline or customer-facing products were tampered with.

The incident highlights the growing trend of ransomware groups targeting cybersecurity vendors themselves, organizations whose proprietary source code, if weaponized, could have far-reaching consequences for enterprise defenses globally.

Cybercriminals now enter through your suppliers instead of your front door – Free Webinar

The post Trellix Breach – RansomHouse Claims Access to Parts of Source Code appeared first on Cyber Security News.

In this weekly roundup from The Cyber Express, the global cybersecurity landscape continues to show rapid and uneven change, shaped by both regulatory shifts and escalating cyber threats. Governments are tightening oversight of new technologies such as artificial intelligence, while threat actors are simultaneously refining their techniques to exploit businesses, infrastructure, and end users across multiple platforms.  This edition of cybersecurity news brings together some of the most important developments of the week, ranging from significant amendments to the European Union’s AI Act to the expansion of malware campaigns into macOS environments and the discovery of a critical vulnerability in widely used enterprise firewall software.   It also covers major sentencing in a global ransomware case and a fresh warning from the FBI about the growing scale of cyber-enabled cargo theft targeting logistics and supply chain organizations. 

The Cyber Express Weekly Roundup 

EU Updates AI Act with Simpler Rules and New AI Content Bans 

In a significant regulatory update, the European Union has agreed to revise parts of the EU AI Act. The updated framework aims to simplify compliance requirements for businesses while simultaneously introducing stricter restrictions on harmful AI-generated content. Read more.. 

ClickFix Malware Campaign Expands to macOS 

Another key development is the expansion of the ClickFix malware campaign beyond Windows systems. Security researchers at Microsoft have confirmed that the operation is now targeting macOS users using deceptive troubleshooting content. Read more... 

Critical PAN-OS Vulnerability Enables Remote Code Execution 

A critical security flaw has been identified in Palo Alto Networks’ PAN-OS firewall software. Tracked as CVE-2026-0300, the vulnerability carries a CVSS score of 9.3, indicating severe risk. The issue originates from a buffer overflow vulnerability in the User-ID Authentication Portal. Read more... 

Latvian Cybercriminal Sentenced in Global Ransomware Case 

Latvian national Deniss Zolotarjovs has been sentenced to 102 months in prison for his role in a large-scale ransomware operation. According to the U.S. Department of Justice, the group operated under multiple ransomware brands, including Conti, Royal, Akira, and Karakurt. Between 2021 and 2023, the organization carried out attacks against more than 54 companies worldwide, using data theft and encryption-based extortion tactics to pressure victims into paying ransom demands. Read more... 

FBI Warns of Rising Cyber-Enabled Cargo Theft 

The FBI has issued an alert regarding a sharp rise in cyber-enabled cargo theft. Criminal actors are using impersonation techniques to pose as legitimate logistics providers, allowing them to intercept and redirect freight shipments. The agency noted that logistics, shipping, and insurance companies have been targeted since at least 2024. Read more... 

Weekly Takeaway 

This week’s The Cyber Express weekly roundup highlights the growing convergence of regulatory change, advanced malware threats, critical infrastructure vulnerabilities, ransomware enforcement actions, and supply chain fraud. As the global cybersecurity landscape continues to evolve, organizations across all sectors remain under increasing pressure to strengthen defenses and adapt to emerging risks. 

Leading cybersecurity firm Trellix is actively investigating a potential security incident following claims made by the RansomHouse extortion group. The threat actors recently listed Trellix on their dark web leak site, alleging a successful cyberattack against the prominent security vendor. The RansomHouse Breach Claims Threat intelligence platform VenariX first highlighted the development, noting on X […]

The post Trellix Investigates RansomHouse Breach Claims Involving Source Code Repository appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

The post Omani Government Targeted in Blatant Iranian-Nexus Cyberespionage appeared first on Daily CyberSecurity.

ASEC Blog publishes Ransom & Dark Web Issues Week 1, May 2026         Guatemalan Government Agency Data Sold on DarkForums BlackWater Ransomware Attack Targets Chinese Auto Parts Manufacturer Japanese Fintech Firm Suffers Unauthorized GitHub Access

A major QLearn cybersecurity incident has affected thousands of educational institutions globally, including Queensland state schools and universities, after a cyber breach involving third-party education technology provider Instructure exposed personal information linked to students and staff. Queensland Education Minister John-Paul Langbroek confirmed the incident in an official statement, saying the Queensland Department of Education was briefed about the international cybersecurity breach involving Instructure, the provider behind the Department’s online learning platform, QLearn. According to early assessments, the breach may affect more than 200 million people and over 9,000 institutions worldwide, making it one of the largest education-sector cybersecurity incidents disclosed this year.

QLearn Cybersecurity Incident Impacts Queensland Schools

The Department of Education said students and staff who have worked or studied at Education Queensland schools since 2020 may have been affected by the QLearn cybersecurity incident. Authorities stated that compromised information currently appears limited to names, email addresses, and school locations. Officials added there is currently no evidence that passwords, dates of birth, or financial information were accessed during the breach. The online learning platform QLearn was introduced in Queensland schools in 2020 under the previous government and has since become a widely used digital education system across the state. Minister Langbroek said school principals have already begun contacting affected families and teachers to notify them about the breach and provide further guidance. “This morning I have been briefed by the Department of Education about an international cybersecurity breach involving a third-party provider, Instructure, which delivers the Department’s online learning platform, QLearn,” Langbroek said in the statement.

Instructure Data Breach Raises Concerns Across Education Sector

The QLearn cybersecurity incident has once again highlighted the growing cybersecurity risks facing the global education sector, particularly as schools and universities continue relying heavily on third-party digital learning platforms. Because the breach involves Instructure, a provider serving institutions across multiple countries, the incident extends far beyond Queensland. Authorities indicated that educational institutions across Australia and overseas are also impacted. While officials stressed that no sensitive financial or authentication data has been identified as compromised so far, cybersecurity experts often warn that exposed personal information such as names and email addresses can still be valuable to cybercriminals. Threat actors frequently use this type of information in phishing campaigns, identity-based scams, and social engineering attacks targeting students, parents, and school employees. The Department of Education has not publicly disclosed how the cybersecurity breach occurred or whether any ransomware or unauthorized network access was involved. Investigations into the incident are ongoing.

Queensland Department Prioritizes Support for Vulnerable Families

In response to the QLearn cybersecurity incident, the Queensland Department of Education said it is prioritizing support for vulnerable individuals and families potentially affected by the breach. According to the Minister’s statement, the Department is providing priority assistance to families and teachers with known family and domestic violence concerns, as well as individuals connected to Child Safety services. The additional support measures appear aimed at reducing potential risks associated with the exposure of school-related location information and contact details. Government agencies increasingly recognize that cybersecurity incidents affecting education systems can carry broader safety implications, especially for vulnerable groups whose personal or location-related information may require additional protection.

Global Education Sector Continues Facing Cybersecurity Threats

The QLearn cybersecurity incident adds to a growing list of cyberattacks and data breaches targeting educational institutions worldwide. Schools, universities, and online learning providers have become frequent targets due to the large amount of personal information they manage and the widespread use of interconnected digital platforms. Education systems often rely on multiple third-party vendors for online learning, communications, and student management services, increasing the potential attack surface for cybercriminals. The Queensland Department of Education said it will continue updating the public as more information becomes available from the ongoing investigation into the breach. At this stage, authorities have not advised affected individuals to reset passwords or take additional security measures, though officials are continuing to assess the full scope and impact of the incident. The investigation into the Instructure-related breach remains active as educational institutions worldwide work to determine the extent of the exposure and any potential long-term cybersecurity implications.

ShinyHunters breached Instructure and Vimeo, exposing millions of student and user records through direct and supply chain attacks.

The post Critical OpenMRS Flaws Enable Patient Data Theft and Remote Server Takeover appeared first on Daily CyberSecurity.

Hackers stole data of 119,000 Vimeo users in April. The breach, linked to a third‑party vendor, exposed personal details.

Vimeo confirmed a data breach after the ShinyHunters gang stole personal information of 119,000 users in April 2026. According to Have I Been Pwned, the attackers accessed user data through a compromise at Anodot, a third‑party analytics vendor.

“In April 2026, the ShinyHunters extortion group listed Vimeo on their extortion portal as part of their “pay or leak” campaign. They subsequently published hundreds of gigabytes of data, predominantly consisting of video titles, technical data and metadata.” reported Have I Been Pwned.”The data also included 119k unique email addresses, sometimes accompanied by names. Vimeo attributed the exposure to a breach of Anodot, a third-party analytics vendor, and advised the incident does not include “Vimeo video content, valid user login credentials, or payment card information”.”

Vimeo confirmed that the security incident is linked to a breach at Anodot. An unauthorized actor accessed some Vimeo user and customer data, mainly technical information, video titles, metadata, and in some cases email addresses.

“Vimeo is aware of a security incident affecting Anodot, a third-party analytics vendor used by Vimeo and many other companies. The Google Threat Intelligence report associated with the unauthorized actor claiming responsibility for the Anodot incident can be found at this link.” reads the notice on the security incident published by the company.

We have identified that, as a result of the Anodot breach, an unauthorized actor accessed certain Vimeo user and customer data. Our initial findings suggest that the databases accessed primarily contain technical data, video titles and metadata, and, in some cases, customer email addresses.”

The company said no video content, login credentials, or payment data were exposed, and services were not disrupted. In response, Vimeo disabled Anodot access, removed the integration, engaged external security experts, and notified law enforcement.

The investigation is still ongoing, and updates will be shared as more details emerge.

After Vimeo’s disclosure, the ShinyHunters cybercrime group leaked a 106GB archive of stolen documents on its Tor data leak site.

ShinyHunters is a well-known name in the cybercriminal ecosystem. The group is associated with a broader loosely connected network often referred to as “the Com,” made up largely of young, English-speaking individuals. Their operations typically focus on stealing data from large organizations and using leak sites to pressure victims into paying ransoms in cryptocurrency.

ShinyHunters has recently targeted major companies and organizations, leaking data when ransom demands fail. Victims include the European Commission, Odido, Figure, Canada Goose, Rockstar, and SoundCloud. The group primarily uses social engineering, especially voice phishing, to steal credentials and access SaaS platforms like Salesforce, Okta, and Microsoft 365. 

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Vimeo)

In a significant supply chain security incident, the popular video hosting platform Vimeo has confirmed a data breach that exposed user information.

Discovered in April 2026, the breach exposed 119,000 unique email addresses and other metadata.

The incident highlights the growing risks associated with third-party service providers, as the compromise did not occur directly on Vimeo’s infrastructure but rather through an analytics vendor.

The notorious extortion group known as ShinyHunters claimed responsibility for the attack.

They added Vimeo to their public extortion portal as part of an aggressive “pay or leak” campaign.

Following the initial threat, the threat actors published hundreds of gigabytes of stolen data online.

Google Threat Intelligence has also released a report detailing the expansion of ShinyHunters’ software-as-a-service data theft operations, directly associating the threat group with this specific vendor compromise.

Vimeo Data Breach

While the sheer volume of leaked data is massive, the contents primarily consist of technical records rather than highly sensitive financial information.

The exposed databases contained video titles, system metadata, and technical logs.

However, the most concerning aspect for users is the exposure of 119,000 unique email addresses, which were sometimes accompanied by user names.

Data breach notification service Have I Been Pwned analyzed and added 119,200 accounts to its database, noting 56% were already exposed in prior breaches.

Cybercriminals frequently use this type of personal information to launch targeted phishing campaigns or credential stuffing attacks across other platforms.

Vimeo has stepped forward to reassure its user base regarding the limitations of the breach.

According to their official security advisory, the unauthorized access did not compromise actual Vimeo video content.

Furthermore, the company confirmed that valid user login credentials, passwords, and payment card information remain entirely secure.

The incident also did not disrupt Vimeo’s core systems or daily hosting services, meaning platform operations continue to function normally without interruption.

The root cause of the data exposure stems from Anodot, a third-party analytics vendor used by Vimeo and several other organizations.

The threat actors breached Anodot’s systems, gaining unauthorized access to specific Vimeo customer data stored in the analytics environment.

This indirect compromise underscores the critical importance of monitoring vendor security and managing data access permissions within integrated enterprise supply chains.

Upon discovering the unauthorized access, Vimeo’s security team immediately initiated its incident response protocols.

The company promptly revoked all Anodot credentials and completely removed the vendor’s integration from Vimeo’s internal systems to prevent further data exfiltration.

Additionally, Vimeo engaged external third-party cybersecurity experts to assist with a comprehensive forensic investigation.

The company has also notified relevant law enforcement agencies and stated that it will continue to monitor the situation and update users as the ongoing investigation progresses.

Security experts strongly recommend that affected Vimeo users implement precautionary measures.

Even though passwords were not exposed, individuals should remain highly vigilant against incoming communications.

Threat actors often leverage exposed names and email addresses to craft highly convincing phishing messages designed to steal passwords or deploy malware.

Users are encouraged to use a reputable password manager to generate and store strong, unique passwords for all their online accounts, ensuring that a breach on one platform does not compromise another.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Vimeo Data Breach Exposes 119,000 Users Unique Email Addresses appeared first on Cyber Security News.

The post Conti Ransomware Leader Sentenced for Pediatric Extortion and Global Terror appeared first on Daily CyberSecurity.

Instructure, maker of the Canvas learning platform, is investigating a cyber incident that exposed users’ personal data.

Instructure is a U.S.-based educational technology company best known for developing Canvas, one of the world’s most widely used learning management systems (LMS). 

The U.S. firm confirrmed a cybersecurity incident that exposed users’ personal information. The company is working with external cybersecurity experts and law enforcement to investigate the breach. Canvas is widely used by schools and universities to manage courses, assignments, and online learning, raising concerns about student and staff data security.

The company says the security incident appears to be contained while investigations continue. Instructure revoked privileged credentials and access tokens, deployed security patches, rotated some keys as a precaution, and increased monitoring across systems.

“Out of an abundance of caution, we rotated certain keys, even though there is no evidence they were misused – Implemented increased monitoring across all platforms.” reads the Incident Report. “While we continue actively investigating, thus far, indications are that the information involved consists of certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users. At this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved.”

So far, the exposed data likely includes user identifiers such as names, email addresses, student ID numbers, and some user messages. The company states that there is currently no evidence that passwords, dates of birth, government IDs, or financial data were affected.

The educational technology firm continues to monitor the situation and will notify institutions if new findings emerge, while updating its status page and working to strengthen system security.

Instructure did not share details about the attack, however, the ShinyHunters extortion group claimed responsibility for the attack and added the company to its Tor data leak site.

“Nearly 9,000 schools worldwide affected. 275 million individuals data ranging from students, teachers, and other staff containing PII. Several billions of private messages among students and teachers and students and other students involved, containing personal conversations and other PII. Your Salesforce instance was also breached and a lot more other data is involved. Pay or Leak.” the group wrote on its leak site. “This is a final warning to reach out by 6 May 2026 before we leak along with several annoying (digital) problems that’ll come your way. Make the right decision, don’t be the next headline.,” reads the data leak site.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

It is always a bit jarring when the "digital locksmiths" are the ones getting their locks picked. Cybersecurity firm Trellix on Saturday confirmed it suffered a breach involving its internal source code repositories, proving that even the defenders aren't immune to the threats they fight.

The Incident

On May 2, Trellix released a statement confirming that unauthorized parties had gained access to sections of their internal code. Upon discovering the intrusion, the company initiated a standard response protocol. They hired external security experts to map the extent of the breach and informed relevant authorities immediately.

Trellix maintains that there is no evidence their software distribution channels were compromised or that any leaked code has been used in active attacks.

While the "all clear" on product safety is a relief, several questions remain. Trellix has yet to identify the threat actors, the duration of the unauthorized access, or the specific volume of data stolen.

Also read: Russia’s Digital Military Draft System Hit by Cyberattack, Source Code Leaked

The High Stakes of Security Code

A breach at a firm like Trellix—born from the merger of McAfee Enterprise and FireEye—carries more weight than a standard data leak. Because Trellix provides Endpoint Detection and Response (EDR) and XDR services to governments and global banks, their source code is a roadmap for attackers.

Why Source Code is a Target:

1. Vulnerability Research: Having the code allows hackers to hunt for "zero-day" flaws without having to guess how the software works.

2. Supply Chain Risk: If an attacker can inject malicious code into a trusted update, they can compromise thousands of customers at once.

3. Bypassing Defenses: Knowing how a security tool "thinks" makes it much easier for malware to stay invisible.

A Growing Trend in Tech

Trellix is far from the first titan to be targeted. They join a list of major players like Microsoft, Okta, and LastPass, all of whom have dealt with source code theft in recent years. This pattern suggests that sophisticated actors (whether cybercriminals or nation-states) are increasingly focused on the "keys to the kingdom."

For now, there isn't a "fire drill" for Trellix users. Since there is no proof of tampered software, the immediate risk remains low. Trellix has promised to be transparent as their investigation concludes. Until then, the industry is left waiting to see if this was a simple smash-and-grab or the opening move of a much larger campaign.

Instructure confirms a Canvas breach involving user information and messages as hackers claim 275M users and nearly 9,000 schools were affected.

The post Canvas Breach May Put 275M Users, 9,000 Schools at Risk appeared first on TechRepublic.

An anti-ICE website, GTFO ICE, linked to Miles Taylor, is accused of exposing the personal details of 17,662 activists, sparking concerns that the data may have reached government agencies.

An exploration of the shift from reactive "assume breach" mentalities to AI-driven prevention, highlighting how Domain-Specific Language Models (DSLMs) empower security architects to eliminate configuration drift and tool sprawl.

The post AI for Security Infrastructure: Rebalancing Cybersecurity for the Decade Ahead  appeared first on Security Boulevard.

What happened Frost Bank, San Antonio’s largest bank, is facing two proposed class-action lawsuits following a cyberattack attributed to the Everest ransomware group that allegedly exposed the sensitive personal data of an estimated 109,000 customers. The bank has not publicly confirmed the scope of the breach or reported it to the Texas Attorney General’s Office, […]

The post Frost Bank Hit With Class-Action Lawsuits Over Data Breach Affecting More Than 100,000 Customers appeared first on CISO Whisperer.

The post Frost Bank Hit With Class-Action Lawsuits Over Data Breach Affecting More Than 100,000 Customers appeared first on Security Boulevard.

What happened A cybersecurity incident in late April 2026 targeted Sistemi Informativi, an Italian company wholly owned by IBM Italy that provides IT infrastructure management for public agencies and key private sector organizations. IBM confirmed the breach through an official statement, acknowledging it had identified and contained a cybersecurity incident and activated incident response protocols […]

The post Salt Typhoon Suspected in Breach of IBM Italy Subsidiary Managing Public Infrastructure appeared first on CISO Whisperer.

The post Salt Typhoon Suspected in Breach of IBM Italy Subsidiary Managing Public Infrastructure appeared first on Security Boulevard.

Here's a tip for you all. Unless you want to draw attention to yourself as a cybercriminal, don't flaunt your diamond-encrusted "HACK THE PLANET" necklace on Snapchat, or pose as a Sopranos crime boss while the FBI is reportedly closing in. Read more in my article on the Hot for Security blog.