TanStack, Mistral AI, UiPath Hit in Fresh Supply Chain Attack
More than 170 NPM and PyPI packages were compromised in a new Mini Shai-Hulud supply chain campaign affecting TanStack, Mistral AI, UiPath, OpenSearch, Guardrails AI, and other projects. The malware targets developer credentials, API keys, cloud secrets, tokens, cryptocurrency wallets, and AI-related secrets, then attempts to spread through compromised NPM and GitHub Actions tokens. This matters because the attackers abused trusted build and release pipelines: provenance attestations and package signatures only vouch for what the CI/CD workflow produced, so they offer little assurance when that workflow is itself already compromised.
SAP fixes critical vulnerabilities in Commerce Cloud and S/4HANA
SAP released its May 2026 security updates, fixing 15 vulnerabilities across multiple products, including critical flaws in Commerce Cloud and S/4HANA. One Commerce Cloud issue could allow unauthenticated code execution, while a critical S/4HANA flaw could let low-privileged attackers perform SQL injection and access sensitive database information. SAP says it hasn’t seen exploitation so far, but these systems often sit in business-critical retail, ERP, and financial workflows, so teams should prioritize patching and monitor for suspicious administrative or database activity.
Instructure Reaches Ransom Agreement with ShinyHunters to Stop 3.65TB Canvas Leak
Instructure said it reached an agreement with the group behind the Canvas breach to prevent the leak of stolen data affecting thousands of schools and universities. The company said the agreement covers impacted customers, that the data was returned, and that it received digital confirmation of destruction, though there’s never full certainty when dealing with extortion actors. This is a meaningful update because the incident has moved from breach response into downstream risk management, including phishing risk for students, staff, parents, and institutions whose data may have been exposed.
UK water firm fined £1M after running Windows Server 2003
The UK Information Commissioner’s Office fined South Staffordshire Water and its parent company £963,900 after attackers maintained access for 20 months and later published data belonging to more than 633,000 people. The regulator cited weak monitoring, unpatched systems, administrator-level access gained by attackers, and obsolete software, including Windows Server 2003. This matters for critical infrastructure operators because it shows how basic control failures can create long dwell time, large-scale data exposure, regulatory penalties, and public trust issues even when operational systems remain safe.
Android banking Trojan TrickMo evolves using TON network for C2
ThreatFabric researchers found a new TrickMo Android banking trojan variant that moved command-and-control traffic to The Open Network, making detection and takedown harder because it doesn’t rely on normal DNS and public internet infrastructure. The malware can steal banking and cryptocurrency credentials, intercept SMS codes, record screens, remotely control infected devices, and now perform network probing and proxy activity through the victim’s device. This matters because compromised phones can become fraud tools, MFA bypass points, and network pivot infrastructure, not just credential theft devices.
The post InfoSec News Nuggets 05/12/2026 appeared first on AboutDFIR – The Definitive Compendium Project.