A mid-year 2026 roundup of the ten CVEs and incidents every blue team should already have patched, hunted, and built detections for — from CitrixBleed 3 to FortiBleed.
Who Actually Is ShinyHunters? Inside Cybersecurity's Messiest Attribution Fight of 2026
If you've followed cybersecurity headlines at all in the first half of 2026, you've seen the name ShinyHunters attached to an almost absurd number of breaches: Salesforce customers across more than a thousand organizations, Canvas/Instructure, Oracle PeopleSoft servers, SoundCloud, Grubhub, Panera Bread, Carnival, ADT, Charter, Kemper, McGraw-Hill, Rockstar Games, Telus, even the European Commission.
The Canvas Ransom: Why Instructure's Decision to Pay ShinyHunters Reopened Cybersecurity's Oldest Argument
Few debates in cybersecurity are as old, or as unresolved, as whether organizations should ever pay a ransom to the criminals who attacked them. In May 2026, that debate found a new and uniquely uncomfortable test case: Instructure, the company behind Canvas, the learning management system used by thousands of schools and universities across the US, UK, Canada, and Australia.
When Washington Pulled the Plug on Claude: Inside the Anthropic Export Control Fight
If you wanted a single news story to capture everything chaotic, unresolved, and high-stakes about cybersecurity in the AI era, the abrupt shutdown of Anthropic's Claude Fable 5 and Claude Mythos 5 in June 2026 is it. In the space of one Friday evening, the U.S.
