Congratulations to the New York Knicks, who in June won their first NBA title since 1973.
Just one week later, the ShinyHunters group published a trove of data stolen from their home arena, Madison Square Garden. Some 45GB of files were dropped, containing millions of records that reportedly include personal customer information and references to players and coaches.
But the Knicks and their fans were just one of the group’s many victims—including Canvas and Kodak—revealed in this period.
They tip off our cybersecurity trends and news updates from mid-April to mid-June 2026.
Included this time out: big breaches and the downstream fallout, the Fortinet and Foxconn campaigns, continued open-source software malware attacks, CISA giving three days to patch, CISO pressures, more (and more realistic) scams, and our AI update, from the arrival of the Mythos-driven patches to Meta’s leaky AI to the AI-driven spike in cybersecurity demand.
Cybersecurity Breach News from April–June 2026
The Knicks breach wasn’t the biggest cybercrime story from the ShinyHunters group from this period. That title goes to Instructure’s Canvas, a learning management system with more than 30 million active global users. It’s also used by thousands of schools and universities across the US.
The company disclosed unauthorized access and data theft and put the platform into “maintenance mode” in early May (while working with the FBI and CISA), causing maximum chaos just as many school years were coming down to the wire and colleges were starting final exams.
The hackers claimed 8,800 schools impacted, with 275 million stolen records of user data. They also launched a second wave of attacks that defaced many school Canvas portals, including at Harvard, where a message from hackers was displayed with the deadline before data would be released.
Instructure attributed the vulnerability to a support ticketing system but reached an agreement to pay the ransom.
The hackers claimed all data was destroyed and users wouldn’t be targeted for further ransom, but security experts warn there is no guarantee, and that this success will only embolden more attacks at scale.
The ShinyHunters group was also tied to recent breaches including 7-Eleven, Kodak, Madison Square Garden, a key European human rights organization, and an Oracle PeopleSoft campaign detailed by Google Mandiant that is also targeting higher education.
The ShinyHunters name has been used extensively since 2020 and is one of several under a broader collective known as the Com. It’s believed that this current iteration is also connected to the ScatteredLapsus$Hunters group we’ve reported on in prior editions.
Allison Nixon, Chief Research Officer at cybersecurity firm Unit 221b, noted that Com-based groups often use varying tactics to get ransoms paid, including incorporating DDoS attacks, flooding companies with emails and calls, and even threatening executives and their families.
But she added that the group also often uses old or recycled data to pad their claims, in comments to Wired.
Hardware hacks complicate data breach prevention
News broke in June of the potential compromise of around 80,000 Fortinet firewall/VPN devices globally in what’s been dubbed the FortiBleed campaign.
Affecting devices in 194 countries (heavily concentrated in NATO nations)—including Fortune 500 companies and government agencies—this is an active breach that is believed to have been running since at least February 2026.
Fortinet noted this is not a new vulnerability and is not tied to a recent advisory. The attackers appear to be reusing credentials from prior incidents and brute-forcing devices with weak password hygiene and no MFA using automation running around the clock.
In June, CISA advised Fortinet customers that may have been impacted to terminate sessions and reset credentials, follow Fortinet’s guidance to ensure secure credential storage, lock down management access and enable MFA, and review logs for unexpected behavior.
The world’s largest electronics manufacturer, Foxconn, produces components for companies including Apple, Nvidia, Google, Dell, and Intel, and they were also the victim of cybercrime in this period.
The company suffered a ransomware attack in May which impacted work at some North American factories (including its Wisconsin plant which experienced a multi-day outage).
The attack was credited to the Nitrogren group, which claimed the theft of some 8TB of data containing more than 11 million documents, including confidential instructions, drawings, and system details.
Open source security risks and vulnerability management
We wrote last time out about TeamPCP’s wave of open-source supply chain attacks.
These continued in this period, with updates breaking on another worm (the “Mini-Shai-Hulud”) and newly discovered exploited Linux vulnerabilities.
TanStack npm compromise targets AI developers
TanStack disclosed that 84 malicious versions of their npm packages had been published within a six-minute window, largely targeting AI developer tooling. This malware executes during npm install and harvests AWS, GPC, Kubernetes, GitHub, and SSH credentials for self-propagation.
OpenAI was among the firms impacted, with two employee devices compromised, though the company stressed that no user data was compromised. They detected unauthorized access of internal source code repositories and theft of credentials.
Additional open-source packages from UiPath, Mistral AI, OpenSearch, and Guardrails AI
The TeamPCP group is believed to have carried out as many as 20 waves of supply-chain attacks, hiding malware in more than 500 software projects and infecting hundreds of organizations.
This malware in some cases can survive reboots and re-executes its stealer whenever the IDE is launched.
Linux Copy Fail vulnerability
While not a malware attack, Copy Fail is an exploited Linux vulnerability that allows unauthorized privilege escalation.
It impacted major Linux distributions (including Debian, Ubuntu, SUSE, and Red Hat Enterprise Linux), was discovered in late April, and got added to CISA’s Known Exploited Vulnerabilities (KEV) catalog in May.
As reported by Ars Technica’s Dan Goodin, the vulnerability threatens multi-tenant servers, CI/CD workflows, Kubernetes containers, and more.
Security experts are calling it one of the “worst make-me-root vulnerabilities in the kernel in recent times,” with all Linux users advised to investigate their systems immediately if they have not already done so.
Companies using potentially vulnerable Linux distributions should check their respective vendors for patches.
Dirty Frag adds another Linux vulnerability to the mix
Just a week after Copy Fail, another severe Linux vulnerability broke that enabled hackers to gain root privileges. Again impacting numerous major distributions, the exploit code was leaked online, and Microsoft reported evidence that hackers were already exploiting it by mid-May.
Their researchers noted this vulnerability was extremely consistent, while researchers from Google’s Wiz called the risk significant for virtual machines or less-redistricted environments, though containerized environments like Kubernetes would be harder to exploit with their default security settings.
Again, users are encouraged to patch ASAP if they haven’t already.
Data dumps, lawsuits, and other breaches in the news
Return-to-office may also be coming to cybercrime.
Wired reported at the end of May on a wave of ransomware attacks that are sending people to physically steal data from office locations.
The FBI has warned that the Silent Ransom Group (SRG) is targeting law firms by getting freelancing operatives (who may not even know who they’re working for) to directly access firm computers where they exfiltrate data onto external drives in their possession.
Other stories from the period included:
- Multinational pharmaceutical company Novo Nordisk (maker of products including Ozempic and Wegovy) has confirmed a breach from March that reportedly extracted some 1.3TB of clinical trial data including drug research, source code, employee records, and AI assets. After refusing to pay a reported $25 million ransom, hackers announced in June they were selling the data privately (Cybernews).
- The Straight Arrow News reported on an alleged ransomware hit of Minnesota’s MyPillow, with the group threatening the release of data including “private and personal confidential data, clients’ documents, budget, payroll, IDs, taxes, finance information and etc.” The company has denied the breach.
- An ex-IBM cybersecurity official has filed suit against IBM and AT&T, claiming the companies failed to report data breaches from multiple foreign hacking incidents. The suit alleges the companies covered-up the incidents to avoid losing large federal contracts, though IBM has denied it broke the law (Bloomberg).
- Claims are due by the end of June to be part of a $1.6 million Krispy Kreme data breach settlement, stemming from a November 2024 incident (Yahoo Finance).
- Verizon released its annual Data Breach Investigation Report (DBIR), and this year’s highlights an increase in system intrusions (now 61% of breaches), continued growth in ransomware (up to 48% of all breaches) but a decrease in ransoms paid (69% didn’t). As our banner stat proclaims, it also charts a large rise in breaches that have third-party involvement (60% higher than the year prior), showcasing the continued importance of choosing reliable, secure partners in the age of AI.
Cybersecurity Threat Intelligence Updates: Scams and Fraud
Scams and fraud are only continuing to surge, including in hiring, as we covered in a recent PTP Report on fake candidates and AI cheating.
FTC data released in late April showed that in 2025 social media scams alone cost Americans nearly $2.1 billion. This is part of a staggering eightfold increase since 2020, and is the method used most for targeting consumers.
Overall, cyber-powered crimes cost Americans around $21 billion. The FBI’s 2025 IC3 report included a section on AI-specific fraud for the first time, and it recorded $893 million in damages.
Scam emails, meanwhile, continue getting better, as are fake/AI-cloned retail sites, voice clones, and even real-time identity manipulations (The New York Times).
A few specific kinds of scams drew particular attention in this period:
- Fake podcasts are popping up everywhere, with Spotify’s search ranking getting overwhelmed by tens of thousands of them. A congressional report criticized the company for acting only after extensive pressure, with the scammers funneling people to bogus websites through links in descriptions and cover art. Spotify has since removed some 57,000 episodes, with action taken against 3,500 accounts tied to drug-related content (Wired).
- Fake podcast invitations are also being used to hook even savvy professionals. Recent posts on social media detail scams like these, where fraudsters come having researched popular targets and even conduct legit initial interviews. At some point a request is made to download software for the interview or have the target enter passwords or provide key data, and afterwards, all fake profiles get deleted. (The fake podcast may or may not ever end up being recorded.)
- Hotel reservation scams demonstrate another way real data is being used to fool targets, in some cases even compromising hotel systems themselves. In these scams, people are targeted using actual, active reservations, with messages that look real and may come through real channels. These scams send users to fake websites to enter data or to request direct payments. Norton/Gen researchers reported on this kind of attack in May, powered by data that may have been stolen from Booking dot com (revealed in April).
- Google often uses lawsuits in their battle against cybercriminals, and in June the company joined forces with AT&T, T-Mobile, Verizon, and the FBI in its suit of a Chinese-based network the company alleges used their AI models in a phishing-as-a-service kit. This kit allowed criminals to quickly build scam websites that convincingly impersonate telecom, banks, retailers, government agencies, and more. Google found the network sent 2.5 million messages to Android users in one two-week period, with the FBI reporting the platform has enabled an estimated $1.9 billion in losses since 2023 (The New York Times).
AI Cybersecurity Threats and Updates
AI-powered cyber risks headlined Berkshire-Hathaway’s shareholder annual meeting in early May, when recently retired CEO Warren Buffett appeared on a video to address the new CEO Greg Abel.
Only, he didn’t really.
The call was a deepfake the company produced without any input at all from Buffett (no voice, no image, no content) using publicly available media. It was done to draw awareness to the deepfake threat companies are now facing and the growing importance of cybersecurity.
We often spotlight AI contributions from The Wharton School’s Ethan Mollick, and in May he was part of a team from the University of Pennsylvania and Arizona State that released research showing how LLMs are suspectable to many of the same persuasion techniques (Cialdini’s “Principles of Influence”) as humans.
Their work demonstrates that AI systems are more likely to comply with objectionable requests using such methods (51% vs 35%).
And while this may not classify as “jailbreaking” an AI, that topic is now front-and-center in renewed conflicts between Anthropic and the US government over its Mythos and adapted Fable 5 models.
Citing security concerns, Anthropic was forced to withdraw the wider release of the newly released model and suspend access of Mythos to foreign nationals. (As we reported in our last AI news roundup, Project Glasswing’s Mythos access had expanded to another 150 organizations.)
In response, cybersecurity researchers, academics, and AI and business leaders have signed an open letter to the administration asking for an “open, scientific, and transparent process” for handling AI risk assessments that can help security teams keep pace.
And now international intelligence agencies have issued a rare joint warning about the threat of the most powerful AI models.
The Five Eyes intelligence grouping (the US, UK, Canada, Australia, and New Zealand) is warning governments and businesses to “act now” to shore up their cybersecurity, noting that frontier models are rapidly exceeding industry expectations.
“The timeline is not years, it is months,” their statement from late June reads. They encourage companies to integrate AI into security to help detect vulnerabilities, improve software quality, monitor, and respond more quickly to incidents.
Updates in this space include:
- The wave of Mythos-assisted patches is also here, as reported in May by KrebsonSecurity. Companies like Apple, Google, Microsoft, Mozilla, and Oracle have increased the pace of their releases while patching “near record volumes” of security issues, like the 167 flaws addressed by Microsoft, 52 vulnerabilities addressed by Apple (including backporting to older iOS and iPhones), 271 patches by Firefox, 450 flaws resolved by Oracle, and Google Chrome’s 127 (up from 30 the prior month).
- Leading cybersecurity firm Palo Alto Networks discovered 75 vulnerabilities in its own products, or seven times the usual number, with Chief Product and Technology Officer Lee Klarich predicting companies have just three-to-five months to get ahead of a coming surge in AI-assisted attacks (Axios).
- Google uncovered a criminal hacking effort using previously unknown bugs. They believe the actor used AI to discover and weaponize the vulnerability. Google Threat Intelligence Group Chief Analyst John Hultquist called this just “the tip of the iceberg” (The New York Times).
- As longtime security engineer and researcher Niels Provos told Wired: “You can’t patch your way out of this. You need to build infrastructure that makes as many bugs as possible irrelevant.”
- CISA in June released a new directive requiring government-affiliated agencies to rapidly accelerate patching due to the AI risk. The requirements use a provided table, but in most cases of publicly exposed KEV risks, it allows for just three days to apply updates.
How is AI changing cyber attacks and cyber defense?
At the same time that AI models are sounding the alarm for governments and businesses around the world, vibe-coded apps are exposing too much personal data.
Security researcher and Co-Founder of RedAccess Dov Zvi analyzed thousands of vibe-coded web applications and found that 5000 had virtually no (or no) security, and that 40% exposed sensitive data, including medical information, financial data, corporate presentations and strategy documents, and detailed logs of customer conversations.
Researchers are also continuing to find ways to use AI to boost cyberattacks, and in June, a team from the University of Toronto discovered how to use AI to create a worm capable of targeting any known flaw in global systems and continuing without human interaction.
Based on 2017’s WannaCry, their worm (running on Windows or Linux) uses AI to tailor a new attack for every machine it encounters.
And while the team redacted critical details, it was created using open-source and open-weight models, not the most advanced systems like Mythos.
But as another University of Toronto professor not involved in the worm, David Lie, told the New York Times, this technology cuts both ways.
“One can modify the worm so that it fixes the vulnerabilities it finds.”
Several high-profile Instagram accounts were hijacked in this period by tricking the Meta AI Support Assistant to add a new email address to the account.
This method was especially noteworthy because it didn’t require access to an account’s linked email address. The AI agreed to change passwords using only a newly provided email address.
And while Meta announced it had patched the flaw, the number of compromised accounts remains unknown.
How Can Companies Prevent Data Breaches in 2026?
At this point in the article, it’s probably not a surprise that many major cybersecurity firms are doing a bustling trade.
Yahoo Finance reported at the end of May on the surge in value of CrowdStrike (up 45% in a month), Palo Alto Networks (up 40%), and SailPoint (up 41%), as examples.
This trend is still ongoing, as is the demand for cybersecurity experts. Cybersecurity job postings in the first quarter were up 11%, per Glassdoor. Hitch Partners noted they’ve seen a five-to-sevenfold increase in demand since the fall.
And as another firm told the New York Times’s Kate Conger: “Roles that typically come along ever 12 months, we’re seeing those roles come along every week.”
As Chief Information Security Officer at LinkedIn Lea Kissner noted, the market “for security people is getting hotter and hotter.”
“AI has just made us busier. This is true for every single security person I know.”
Conclusion
That ends our coverage of the major cybersecurity stories from mid-April to mid-June 2026.
So, what cybersecurity best practices should businesses implement today?
If this is a question your company is asking, PTP is here to help. We’ve got access to the cybersecurity professionals who can help you keep up with the risks.
And to catch up on more recent cybersecurity news, check out our last three roundups here:
Until next time, stay patched, don’t download anything unknown, and have a great summer!
References
Hackers Publish Knicks and Madison Square Garden Data Online, 404 Media
Maker of Canvas Learning Platform Strikes Deal for Hackers to Return Data, Scientists Find Way to Supercharge Dangerous Computer ‘Worms’ With A.I., and One Job That Is Growing in the A.I. Era? Cybersecurity Experts., The New York Times
ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit, Google Mandiant Threat Intelligence
FortiBleed 2026: The Compromise of 86,644 Fortinet FortiGate Firewalls and Credential Leak, SOCRadar
CISA Urges Hardening Fortinet Devices After Reports of Credential Exposure, CISA
The Canvas Hack Is a New Kind of Ransomware Debacle, Security News This Week: Cybercrime Crew Claims It Hacked Mike Lindell’s MyPillow, and Thousands of Vibe-Coded Apps Expose Corporate and Personal Data on the Open Web, Wired
Foxconn confirms cyberattack claimed by Nitrogen ransomware gang, Bleeping Computer
Novo Nordisk hackers turn to private sale after Ozempic maker refuses $25M ransom demand, Cybernews
OpenAI says hackers stole some data after latest code security issue and Hackers hijacked Instagram accounts by tricking Meta AI support chatbot into granting access, TechCrunch
Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages, The Hacker News
The most severe Linux threat to surface in years catches the world flat-footed and Linux bitten by second severe vulnerability in as many weeks, Ars Technica
Bizarre moment at Berkshire’s annual meeting spotlights cyber risk, Yahoo Finance
Persuading large language models to comply with objectionable requests, PNAS (123 (21) e2535868123)
AI could breach government and business defenses in months, US and its intelligence partners warn, CNN
Patch Tuesday, May 2026 Edition, KrebsonSecurity
