IT, Telecom & Cyber · International (Houston)

Reassess LMS and Endpoint Contracts After Recent Security Events

Published May 4, 2026, 5:05 AM CST
Instructure confirms data breach, ShinyHunters claims attack

In 60 seconds

Top move

Confirmed data theft at a major hosted LMS (Canvas) raises immediate need to map which contracts, tenants, and integrations are exposed so buyers can coordinate notifications and forensics

Key takeaways

  • Confirmed data theft at a major hosted LMS (Canvas) raises immediate need to map which contracts, tenants, and integrations are exposed so buyers can coordinate notifications and forensics.[3]
  • A Microsoft Defender signature mistakenly removed DigiCert root certificates from some Windows trust stores, creating real availability and code‑verification risk that requires supplier remediation confirmation.[4]
  • Researchers show Telegram Mini Apps are being abused to host phishing pages and push Android APKs inside the app, increasing third‑party integration and endpoint compromise risk for suppliers that use in‑app webviews.[5]
  • Five Eyes guidance on ‘agentic’ AI recommends fail‑safe defaults, human escalation, and stronger supplier testing — procurement should prepare contract and acceptance test language for agentic AI offerings.[2]
  • Analysis of publicly available voter records shows how easy linkage attacks are; relevance to procurement is limited but identity‑proofing and data‑matching suppliers should be checked for exposure.[1]

What changed since last run

  • Added confirmed Instructure data‑breach reporting, which changes incident response exposure for hosted LMS contracts (article 2).
  • Added Microsoft Defender/DigiCert false‑positive that introduced CA/trust‑store availability risk and supplier remediation needs (article 1).
  • Added Telegram Mini Apps abuse report showing in‑app webview phishing and APK delivery vectors for supplier integrations (article 4).

Key facts

  • Vendor confirms personal information of users was exposed
  • Company engaged third‑party cybersecurity experts and law enforcement
  • Threat actor claims dataset covers a broad set of institutions
  • False positives appeared after a Defender signature update
  • Affected certificates were removed from the Windows AuthRoot store on impacted systems
  • Microsoft issued a fixed Security Intelligence update and advised updating

Why it matters

Confirmed data theft at a major hosted LMS (Canvas) raises immediate need to map which contracts, tenants, and integrations are exposed so buyers can coordinate notifications and forensics. A Microsoft Defender signature mistakenly removed DigiCert root certificates from some Windows trust stores, creating real availability and code‑verification risk that requires supplier remediation confirmation. Researchers show Telegram Mini Apps are being abused to host phishing pages and push Android APKs inside the app, increasing third‑party integration and endpoint compromise risk for suppliers that use in‑app webviews. Five Eyes guidance on ‘agentic’ AI recommends fail‑safe defaults, human escalation, and stronger supplier testing — procurement should prepare contract and acceptance test language for agentic AI offerings.

Cost / money

  • Hosted LMS incidents will shift near‑term incident response and notification costs onto buyers unless contracts specify supplier-paid forensic support or clear pass‑through rules.[3]
  • CA/trust‑store outages from AV false positives create emergency remediation spend (rollback, service restores, testing) that suppliers may seek to recover via change orders or pass‑through clauses.[4]

Supplier / commercial

  • LMS and hosting suppliers will face pressure to accept faster notification SLAs, defined forensic cooperation, and indemnities at renewal; buyers gain leverage to demand these terms.[3]
  • Endpoint, PKI, and managed‑security vendors may resist liability for AV signature actions; expect negotiation over contract scope, uptime dependency, and recovery cost allocation.[4]

Safety / operations

  • Removal of trusted root certificates can break TLS validation and code‑signing checks, creating immediate uptime incidents and manual recovery tasks for operations teams.[4]
  • In‑app phishing and APK distribution via Telegram Mini Apps raise the likelihood of endpoint compromise through supplier integrations, meaning endpoint protections and managed device controls may be insufficient alone.[5]

What to watch

  • Watch for additional data postings or targeted extortion tied to the Instructure incident — expanded releases would increase legal and notification obligations for affected buyers.[3]
  • Watch for further AV signature churn or similar CA‑related false positives that could affect other roots or reintroduce trust‑store changes during signature rollouts.[4]

Top stories

Story 1 · BleepingComputer · May 3, 2026

Instructure confirms data breach, ShinyHunters claims attack

Signal: strong · Source-grounded

What happened

Instructure confirmed a cyber incident and says personal information of users at affected institutions was exposed, while an extortion group claims responsibility. The company is working with third‑party cybersecurity experts and law enforcement and reports the dataset spans a large number of institutions; procurement should watch notification scope and whether the supplier revises incident‑response commitments and forensic cooperation.

Buyer takeaway

Map hosted LMS instances and force supplier commitments for notification timelines and forensic access so buyers aren’t left covering response work

Cost / money

Expect near‑term allocation of incident response and communications costs if contracts don’t require supplier‑paid support

Supplier / commercial

Use the incident to push for indemnity, faster notification SLAs, and supplier‑funded forensics during renewals and amendments

Safety / operations

Ops teams will need coordinated log access, shared forensic plans, and account review workflows with the supplier

What to watch

Watch for additional data postings or targeted extortion that expand notification obligations

Key facts

  • Vendor confirms personal information of users was exposed
  • Company engaged third‑party cybersecurity experts and law enforcement
  • Threat actor claims dataset covers a broad set of institutions

Source excerpts

Instructure listed on ShinyHunters data extortion site. ShinyHunters claimed that the data was stolen from Instructure via a vulnerability in their systems, which has now been patched. This data allegedly consists of over 240 million records tied to students, teachers, and staff
Educational tech giant Instructure has confirmed that data was stolen in a cyberattack, with the ShinyHunters extortion gang claiming responsibility. Instructure is a U
"Your Salesforce instance was also breached and a lot more other data is involved."

Story 2 · BleepingComputer · May 3, 2026

Microsoft Defender wrongly flags DigiCert certs as Trojan:Win32/Cerdigent.A!dha

Signal: strong · Source-grounded

What happened

Microsoft Defender falsely flagged legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha and, on affected systems, removed those roots from the Windows trust store. Microsoft pushed a fixed security intelligence update and advised administrators to update; buyers should verify managed‑endpoint suppliers applied the fix and check whether any services relying on OS trust chains need remediation.

Buyer takeaway

Confirm endpoint and PKI suppliers applied the remediation and identify which services rely on OS trust chains so you can prioritize recovery

Cost / money

Emergency remediation, rollback, and service restores create near‑term operational spend that may be disputed with suppliers

Supplier / commercial

Clarify contractual responsibility for AV‑signature driven trust‑store changes and consider adding pass‑through rules for remediation costs

Safety / operations

Trust‑store removals can break TLS and signed‑tooling checks, requiring testing and staged restores by Ops

What to watch

Watch for additional signature rollouts that could affect other CA roots or reintroduce trust issues

Key facts

  • False positives appeared after a Defender signature update
  • Affected certificates were removed from the Windows AuthRoot store on impacted systems
  • Microsoft issued a fixed Security Intelligence update and advised updating

Source excerpts

It should be noted that the certificates flagged by Microsoft Defender are root certificates in the Windows trust store and do not match the revoked DigiCert code-signing certificates used to sign malware
Microsoft has reportedly fixed the detections in Security Intelligence update version 1
Today, administrators worldwide began reporting that DigiCert root certificate entries were flagged as malware and, on affected systems, removed from the Windows trust store. According to a Reddit post about the false positives, the detected certificates are:
0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
On impacted systems, these certificates were removed from the AuthRoot store under this Registry key: HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\ These

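
For the supplier confirmation this story calls for, the following PowerShell script is an added example written for this page; it is not from BleepingComputer, Microsoft, or the Reddit post quoted above. It checks whether the two DigiCert root thumbprints listed in the excerpt are present in the LocalMachine AuthRoot store, looking both through the Cert: provider and at the registry key named in the excerpt, and reports the Defender signature version so an operator can compare it against the fixed Security Intelligence release. The fixed version number is truncated in the excerpt, so the script uses a clearly labelled placeholder for it that must be filled in from Microsoft's advisory; the function name Test-DigiCertAuthRoot is this example's own.

```powershell
# Added example for this page (not Microsoft's or BleepingComputer's code).
# Run in an elevated PowerShell session on a Windows endpoint that should have
# the DigiCert roots in its AuthRoot store.

# Thumbprints quoted from the story's Reddit-sourced excerpt.
$ExpectedThumbprints = @(
    '0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43',
    'DDFB16CD4931C973A2037D3FC83A4D7D775D05E4'
)

# PLACEHOLDER: the fixed Security Intelligence version is truncated in the
# excerpt, so this value is NOT from the page; set it from Microsoft's advisory.
$FixedSignatureVersion = [version]'0.0.0.0'

function Test-DigiCertAuthRoot {
    param([string[]]$Thumbprints)

    # View 1: the certificate provider over the machine AuthRoot store.
    $authRootCerts = Get-ChildItem -Path 'Cert:\LocalMachine\AuthRoot' -ErrorAction Stop

    # View 2: the registry key named in the excerpt; each subkey name is a thumbprint.
    $registryPath = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'
    $registryKeys = Get-ChildItem -Path $registryPath -ErrorAction SilentlyContinue |
        ForEach-Object { $_.PSChildName }

    foreach ($tp in $Thumbprints) {
        $cert = $authRootCerts | Where-Object { $_.Thumbprint -eq $tp }
        [PSCustomObject]@{
            Thumbprint     = $tp
            Subject        = if ($cert) { $cert.Subject } else { '(missing)' }
            InCertProvider = [bool]$cert
            InRegistry     = ($registryKeys -contains $tp)
        }
    }
}

# Root presence: both views should agree and both should be $true after remediation.
$report = Test-DigiCertAuthRoot -Thumbprints $ExpectedThumbprints
$report | Format-Table -AutoSize

# Defender signature state, for comparison with the fixed release.
$status = Get-MpComputerStatus
[PSCustomObject]@{
    AntivirusSignatureVersion     = $status.AntivirusSignatureVersion
    AntivirusSignatureLastUpdated = $status.AntivirusSignatureLastUpdated
} | Format-List

if ($report.InCertProvider -contains $false -or $report.InRegistry -contains $false) {
    Write-Warning 'At least one DigiCert root is absent from AuthRoot; treat this endpoint as unremediated.'
}
if ([version]$status.AntivirusSignatureVersion -lt $FixedSignatureVersion) {
    Write-Warning 'Defender signatures predate the fixed release; run Update-MpSignature and re-check.'
}
```

The two views are checked separately because a root can be present in one and not the other while a restore is in progress; only an endpoint where both are true and the signature version is at or above the fixed release should count as a confirmed remediation in the supplier's status report.
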
Story 3 · BleepingComputer · May 3, 2026

Telegram Mini Apps abused for crypto scams, Android malware delivery

Signal: strong · Source-grounded

What happened

Researchers uncovered a large fraud operation using Telegram Mini Apps to present phishing pages inside the app and to distribute Android APKs and progressive web apps. The campaigns use a shared backend to impersonate brands and push convincing in‑app pages that encourage downloads; procurement should require evidence of mitigation for any supplier that uses in‑app webviews or messaging‑platform integrations.

Buyer takeaway

Treat messaging‑platform integrations as supply‑chain vectors requiring attestations, testing evidence, and clear incident support obligations

Cost / money

Compromised endpoints from in‑app deliveries can increase incident response and remediation costs tied to supplier integrations

Supplier / commercial

Require suppliers to supply attestations or test results for in‑app components and to participate in incident response when compromises trace to their integrations

Safety / operations

Endpoint protection and user training may not stop in‑app APK delivery; Ops should validate webview controls and managed‑device download blocking

What to watch

Watch whether campaigns escalate into targeted brand impersonations that impact customer‑facing supplier workflows

Key facts

  • Operation uses Telegram bots and Mini Apps to host phishing pages in the app’s WebView
  • Campaigns push Android APK files and progressive web apps that mimic legitimate software
  • Attackers use a shared backend to impersonate multiple well‑known brands

Source excerpts

A new report by CTM360 says the platform, dubbed FEMITBOT, is based on a string found in API responses and uses Telegram bots and embedded Mini Apps to create convincing, app-like experiences directly within the messaging platform. Telegram Mini Apps are lightweight web applications that run inside Telegram’s built-in browser, enabling services such as payments, account access, and interactive tools without requiring users to leave the app
When a user interacts with a bot and clicks "Start," the bot launches a Mini App that displays a phishing page in Telegram’s built-in WebView, making it appear as part of the app itself
Cybersecurity researchers have uncovered a large-scale fraud operation that uses Telegram’s Mini App feature to run crypto scams, impersonate well-known brands, and distribute Android malware. A new report by CTM360 says the platform, dubbed FEMITBOT, is based on a string found in API responses and uses Telegram bots and embedded Mini Apps to create convincing, app-like experiences directly within the messaging platform
Story 4 · Go · May 4, 2026

Five Eyes spook shops warn rapid rollouts of agentic AI are too risky

Signal: moderate · Directional

What happened

Five Eyes information security agencies published guidance warning that agentic (autonomous) AI systems are likely to behave unexpectedly and widen the attack surface across critical systems. The guide lists risks and hundreds of best practices, and urges vendors to bake in fail‑safe defaults and human escalation; procurement should prepare to codify these expectations into acceptance tests and contractual obligations.

Buyer takeaway

Incorporate the guidance into RFPs and contract templates so suppliers must supply test evidence and fail‑safe behavior before production rollout

Cost / money

Expect procurement to shift some spend toward testing, sandboxing, and longer acceptance cycles to validate agent safety

Supplier / commercial

Vendors may resist expanded testing and acceptance terms; use staged acceptance and clear go/no‑go criteria to balance delivery risk

Safety / operations

Operational risk increases when agents have broad permissions; require human‑in‑the‑loop escalation and auditability for production agents

What to watch

Standards and testing frameworks are still immature; treat supplier commitments as directionally protective until validated by tests

Key facts

  • Guidance warns agentic AI widens attack surface and may behave unpredictably
  • Document lists 23 different risks and over 100 best practices
  • Advice calls for fail‑safe defaults and human escalation mechanisms

Source excerpts

Until security practices, evaluation methods and standards mature, organisations should assume that agentic AI systems may behave unexpectedly. The thrust of the document is that implementing agentic AI will require use of many components, tools, and external data sources, creating an “interconnected attack surface that malicious actors can exploit.” “Consequently, every individual component in an agentic AI system widens the attack surface, exposing the system to additional avenues of exploitation,” the docum
The agencies delivered that position last Friday in a guide titled Careful adoption of agentic AI services [PDF] that opens with the observation that “Agentic artificial intelligence (AI) systems increasingly operate across critical infrastructure and defense sectors and support mission-critical capabilities,” making it “crucial for defenders to implement security controls to protect national security and critical infrastructure from agentic AI-specific risks. ” Until security practices, evaluation methods and
Much of the advice targets developers who deploy AI, but the authors also urge vendors to ensure they test their wares thoroughly and ensure their products “fail-safe by default requiring agents to stop and escalate issues to human reviewers in uncertain scenarios
Story 5 · Go · May 4, 2026

If the vote you rocked, your personal info can be grokked

Signal: limited · Directional

What happened

Research shows public voter records can be linked with other datasets to identify or profile individuals, enabling targeting by employers, fraud rings, or foreign intelligence services. The analysis demonstrates how basic fields like phone numbers or voting history can be joined to other sources; procurement should treat this as limited‑relevance guidance and check identity‑proofing suppliers for exposure to public‑data linkage risks.

Buyer takeaway

Flag identity‑proofing and data‑broker relationships for review; require suppliers to show controls for public‑data linkage risks

Cost / money

Weak identity controls can increase account‑takeover and remediation costs if suppliers rely on public datasets without mitigations

Supplier / commercial

Ask identity vendors for data provenance statements and risk mitigation commitments for public‑data joins

Safety / operations

Operations teams should validate verification flows that could be bypassed by linked public data and require stronger proofs where needed

What to watch

This is thematically relevant but limited operational immediacy; treat as a vetting item rather than an immediate emergency

Key facts

  • Researchers demonstrate high match rates between voter rolls and other public datasets
  • Examples show phone numbers and vote history can uniquely identify individuals in some counties
  • Analysis highlights how simple joins enable targeted deanonymization

Source excerpts

As a result, external datasets containing phone numbers can be joined at a similar rate using this field as a key to narrow down and identify likely individuals. Among the report's other findings: Name and ZIP code uniquely identify 95
He recommends measures like rate limits on bulk file requests, identity verification, requiring state ID, maintaining audit logs of requests, and prohibiting commercial resale of these records – because they're often used by data brokers. Beyond specific fixes based on his findings – Texas should generalize voter registration dates to a year rather than a day and armed forces mailing codes should be excluded from voter rolls – Kenney argues that people should be allowed to opt out of inclusion in public data s
And what I was looking at specifically is if you go and merge this data set or link this data set with other data sets, how likely are you to be able to re-identify a person?

VP Snapshot

Executive Risk & Action View

Confirmed data theft at a major hosted LMS (Canvas) raises immediate need to map which contracts, tenants, and integrations are exposed so buyers can coordinate notifications and forensics.

Scores: Overall 70 · Cost 79 · Supply 25 · Schedule 20 · Compliance 15

Top signals

Horizon: 30-180d · Category: cost

Signal 1: Cost / money

Hosted LMS incidents will shift near‑term incident response and notification costs onto buyers unless contracts specify supplier-paid forensic support or clear pass‑through rules.

Signal 2: Cost / money

CA/trust‑store outages from AV false positives create emergency remediation spend (rollback, service restores, testing) that suppliers may seek to recover via change orders or pass‑through clauses.

Signal 4: Supplier / commercial

Endpoint, PKI, and managed‑security vendors may resist liability for AV signature actions; expect negotiation over contract scope, uptime dependency, and recovery cost allocation.

Horizon: 30-180d · Category: commercial

Signal 3: Supplier / commercial

LMS and hosting suppliers will face pressure to accept faster notification SLAs, defined forensic cooperation, and indemnities at renewal; buyers gain leverage to demand these terms.

Horizon: 0-30d · Category: supplier

Signal 5: Safety / operations

Removal of trusted root certificates can break TLS validation and code‑signing checks, creating immediate uptime incidents and manual recovery tasks for operations teams.

Horizon: 30-180d · Category: supplier

Signal 6: Safety / operations

In‑app phishing and APK distribution via Telegram Mini Apps raise the likelihood of endpoint compromise through supplier integrations, meaning endpoint protections and managed device controls may be insufficient alone.

Recommended actions

Owner: Ops · Due: 3d

Inventory all hosted LMS (Canvas) instances, map each to supplier, tenant owner, hosting model, and current notification SLA.

A supplier‑mapped inventory of LMS instances with contact points and SLA notes to guide incident coordination.

Owner: Category · Due: 3d

Ask endpoint, managed‑security, and PKI suppliers to confirm they applied Microsoft’s fixed security intelligence update and to provide remediation status for managed estates.

Documented supplier confirmations and remediation steps for managed endpoints and PKI services.

Owner: Contracts · Due: 21d

Open contract amendment talks with LMS and hosting suppliers to add explicit forensic cooperation, notification timelines, and cost pass‑through rules for data breaches.

Draft amendment positions or negotiation checklists to embed forensic cooperation and notification obligations into renewals.

Owner: Category · Due: 21d

Require suppliers that integrate with messaging platforms or in‑app webviews to provide security attestations, penetration‑test results, or evidence of download‑blocking control...

Supplier attestations or test artifacts demonstrating controls for in‑app content, download workflows, and incident support.

Owner: Contracts · Due: 60d

Update RFP and contract templates for agentic AI suppliers to require fail‑safe defaults, human escalation points, staged acceptance testing, and evidence of robust sandboxing.

Revised RFP and contract clauses that set mandatory testing and escalation obligations for agentic AI offerings.

Owner: Legal · Due: 60d

Review managed‑PKI and CA contracts with Legal to add uptime dependency language, explicit liability for trust‑store events, and remediation cost allocation options.

Contract negotiation positions and clause language options addressing CA-related outages and remediation responsibilities.

Risk register

Risk / trigger 1: Watch for additional data postings or targeted extortion tied to the Instructure incident — expanded releases would increase legal and notification obligations for affected buyers.
Mitigation: Confirm exposure with category, contracts, and operations before the next supplier commitment.

Risk / trigger 2: Watch for further AV signature churn or similar CA‑related false positives that could affect other roots or reintroduce trust‑store changes during signature rollouts.
Mitigation: Confirm exposure with category, contracts, and operations before the next supplier commitment.

CM Snapshot

Category Manager Decision Detail

Today's priorities

Inventory all hosted LMS (Canvas) instances, map each to supplier, tenant owner, hosting model, and current notification SLA.

because Instructure confirmed stolen user data and buyers need a supplier‑mapped inventory to coordinate notifications, forensic access, and regulatory obligations.

Due 3d

high

CM move

Use this as the immediate supplier or contract action to move before the next sourcing gate.

Ask endpoint, managed‑security, and PKI suppliers to confirm they applied Microsoft’s fixed security intelligence update and to provide remediation status for managed estates.

because Microsoft released a signature update that fixed DigiCert false positives but affected systems had roots removed from the Windows trust store, so supplier confirmation v...

Due 3d

high

CM move

Use this as the immediate supplier or contract action to move before the next sourcing gate.

Open contract amendment talks with LMS and hosting suppliers to add explicit forensic cooperation, notification timelines, and cost pass‑through rules for data breaches.

because the confirmed LMS breach shows existing contracts may lack clear obligations for cross‑supplier forensics and cost allocation during mass data incidents.

Due 21d

high

CM move

Use this as the immediate supplier or contract action to move before the next sourcing gate.

Require suppliers that integrate with messaging platforms or in‑app webviews to provide security attestations, penetration‑test results, or evidence of download‑blocking control...

because researchers show Telegram Mini Apps can host phishing pages and push APKs inside the app, increasing risk from supplier integrations and in‑app downloads.

Due 21d

high

CM move

Use this as the immediate supplier or contract action to move before the next sourcing gate.

Supplier radar

BleepingComputer

high

Observed supplier signal

LMS and hosting suppliers will face pressure to accept faster notification SLAs, defined forensic cooperation, and indemnities at renewal; buyers gain leverage to demand these terms.

Commercial implication

LMS and hosting suppliers will face pressure to accept faster notification SLAs, defined forensic cooperation, and indemnities at renewal; buyers gain leverage to demand these terms.

Next step: Validate the source-backed signal with incumbents and alternates before the next award or pricing decision.

BleepingComputer

high

Observed supplier signal

Endpoint, PKI, and managed‑security vendors may resist liability for AV signature actions; expect negotiation over contract scope, uptime dependency, and recovery cost allocation.

Commercial implication

Endpoint, PKI, and managed‑security vendors may resist liability for AV signature actions; expect negotiation over contract scope, uptime dependency, and recovery cost allocation.

Next step: Validate the source-backed signal with incumbents and alternates before the next award or pricing decision.

Negotiation levers

Inventory all hosted LMS (Canvas) instances, map each to supplier, tenant owner, hosting model, and current notification SLA.

When to use: because Instructure confirmed stolen user data and buyers need a supplier‑mapped inventory to coordinate notifications, forensic access, and regulatory obligations.

Expected outcome: A supplier‑mapped inventory of LMS instances with contact points and SLA notes to guide incident coordination.

Commercial mechanism to carry into the next supplier conversation

Ask endpoint, managed‑security, and PKI suppliers to confirm they applied Microsoft’s fixed security intelligence update and to provide remediation status for managed estates.

When to use: because Microsoft released a signature update that fixed DigiCert false positives but affected systems had roots removed from the Windows trust store, so supplier confirmation v...

Expected outcome: Documented supplier confirmations and remediation steps for managed endpoints and PKI services.

Commercial mechanism to carry into the next supplier conversation

Open contract amendment talks with LMS and hosting suppliers to add explicit forensic cooperation, notification timelines, and cost pass‑through rules for data breaches.

When to use: because the confirmed LMS breach shows existing contracts may lack clear obligations for cross‑supplier forensics and cost allocation during mass data incidents.

Expected outcome: Draft amendment positions or negotiation checklists to embed forensic cooperation and notification obligations into renewals.

Commercial mechanism to carry into the next supplier conversation

Require suppliers that integrate with messaging platforms or in‑app webviews to provide security attestations, penetration‑test results, or evidence of download‑blocking control...

When to use: because researchers show Telegram Mini Apps can host phishing pages and push APKs inside the app, increasing risk from supplier integrations and in‑app downloads.

Expected outcome: Supplier attestations or test artifacts demonstrating controls for in‑app content, download workflows, and incident support.

Commercial mechanism to carry into the next supplier conversation

Talking points

Confirmed data theft at a major hosted LMS (Canvas) raises immediate need to map which contracts, tenants, and integrations are exposed so buyers can coordinate notifications and forensics.
A Microsoft Defender signature mistakenly removed DigiCert root certificates from some Windows trust stores, creating real availability and code‑verification risk that requires supplier remediation confirmation.
Researchers show Telegram Mini Apps are being abused to host phishing pages and push Android APKs inside the app, increasing third‑party integration and endpoint compromise risk for suppliers that use in‑app webviews.
Five Eyes guidance on ‘agentic’ AI recommends fail‑safe defaults, human escalation, and stronger supplier testing — procurement should prepare contract and acceptance test language for agentic AI offerings.

What to do / What to watch

What to do now

  • Inventory all hosted LMS (Canvas) instances, map each to supplier, tenant owner, hosting model, and current notification SLA.

    Why: because Instructure confirmed stolen user data and buyers need a supplier‑mapped inventory to coordinate notifications, forensic access, and regulatory obligations.

    Owner: Ops

    Expected outcome: A supplier‑mapped inventory of LMS instances with contact points and SLA notes to guide incident coordination.

    [3]
  • Ask endpoint, managed‑security, and PKI suppliers to confirm they applied Microsoft’s fixed security intelligence update and to provide remediation status for managed estates.

    Why: because Microsoft released a signature update that fixed DigiCert false positives but affected systems had roots removed from the Windows trust store, so supplier confirmation v...

    Owner: Category

    Expected outcome: Documented supplier confirmations and remediation steps for managed endpoints and PKI services.

    [4]

Next few weeks

  • Open contract amendment talks with LMS and hosting suppliers to add explicit forensic cooperation, notification timelines, and cost pass‑through rules for data breaches.

    Why: because the confirmed LMS breach shows existing contracts may lack clear obligations for cross‑supplier forensics and cost allocation during mass data incidents.

    Owner: Contracts

    Expected outcome: Draft amendment positions or negotiation checklists to embed forensic cooperation and notification obligations into renewals.

    [3]
  • Require suppliers that integrate with messaging platforms or in‑app webviews to provide security attestations, penetration‑test results, or evidence of download‑blocking control...

    Why: because researchers show Telegram Mini Apps can host phishing pages and push APKs inside the app, increasing risk from supplier integrations and in‑app downloads.

    Owner: Category

    Expected outcome: Supplier attestations or test artifacts demonstrating controls for in‑app content, download workflows, and incident support.

    [5]

Longer view

  • Update RFP and contract templates for agentic AI suppliers to require fail‑safe defaults, human escalation points, staged acceptance testing, and evidence of robust sandboxing.

    Why: because Five Eyes guidance warns agentic AI widens the attack surface and procurement needs contractual levers and test evidence before production deployment.

    Owner: Contracts

    Expected outcome: Revised RFP and contract clauses that set mandatory testing and escalation obligations for agentic AI offerings.

    [2]
  • Review managed‑PKI and CA contracts with Legal to add uptime dependency language, explicit liability for trust‑store events, and remediation cost allocation options.

    Why: because a CA‑related false positive removed trusted roots from OS stores and exposed buyers to availability and verification failures that require clearer contractual responsibi...

    Owner: Legal

    Expected outcome: Contract negotiation positions and clause language options addressing CA-related outages and remediation responsibilities.

    [4]

What to watch

  • Watch for additional data postings or targeted extortion tied to the Instructure incident — expanded releases would increase legal and notification obligations for affected buyers
  • Watch for further AV signature churn or similar CA‑related false positives that could affect other roots or reintroduce trust‑store changes during signature rollouts

Market pulse

Index               Latest   Change           As of
Palo Alto (PANW)    320      +0.00 (+0.00%)   May 4, 2026, 10:09 AM
CrowdStrike (CRWD)  285      +0.00 (+0.00%)   May 4, 2026, 10:09 AM
Zscaler (ZS)        195      +0.00 (+0.00%)   May 4, 2026, 10:09 AM
Fortinet (FTNT)     72       +0.00 (+0.00%)   May 4, 2026, 10:09 AM
  • CrowdStrike: Endpoint and EDR demand implications: validate entitlements and incident response support when negotiating EDR and managed detection contracts
  • Palo Alto: Network and gateway vendors: ensure logging and detection rules cover in‑app webview abuse and messaging‑platform vectors

Sources


[1] If the vote you rocked, your personal info can be grokked

go.theregister.com · May 4, 2026


AI reading

Research shows public voter records can be linked with other datasets to identify or profile individuals, enabling targeting by employers, fraud rings, or foreign intelligence services. The analysis demonstrates how basic fields like phone numbers or voting history can be joined to other sources; procurement should treat this as limited‑relevance guidance and check identity‑proofing suppliers for exposure to public‑data linkage risks

Buyer takeaway

Flag identity‑proofing and data‑broker relationships for review; require suppliers to show controls for public‑data linkage risks

Cost / money

Weak identity controls can increase account‑takeover and remediation costs if suppliers rely on public datasets without mitigations

Supplier / commercial

Ask identity vendors for data provenance statements and risk mitigation commitments for public‑data joins

Safety / operations

Operations teams should validate verification flows that could be bypassed by linked public data and require stronger proofs where needed

What to watch

This is thematically relevant but limited operational immediacy; treat as a vetting item rather than an immediate emergency

Key facts

  • Researchers demonstrate high match rates between voter rolls and other public datasets
  • Examples show phone numbers and vote history can uniquely identify individuals in some counties
  • Analysis highlights how simple joins enable targeted deanonymization

Source excerpts

As a result, external datasets containing phone numbers can be joined at a similar rate using this field as a key to narrow down and identify likely individuals. Among the report's other findings: Name and ZIP code uniquely identify 95
He recommends measures like rate limits on bulk file requests, identity verification, requiring state ID, maintaining audit logs of requests, and prohibiting commercial resale of these records – because they're often used by data brokers. Beyond specific fixes based on his findings – Texas should generalize voter registration dates to a year rather than a day and armed forces mailing codes should be excluded from voter rolls – Kenney argues that people should be allowed to opt out of inclusion in public data s
And what I was looking at specifically is if you go and merge this data set or link this data set with other data sets, how likely are you to be able to re-identify a person?

Used in this brief

  • Research shows public voter records can be linked with other datasets to identify or profile individuals, enabling targeting by employers, fraud rings, or foreign intelligence services. The analysis demonstrates how basic fields like phone numbers or voting history can be joined to other sources; procurement should treat this as limited‑relevance guidance and check identity‑proofing suppliers for exposure to public‑data linkage risks
  • Buyer bottom line: Public data linkage increases privacy risk in identity and verification processes; review identity‑proofing suppliers for reliance on or exposure to public voter datasets
  • Flag identity‑proofing and data‑broker relationships for review; require suppliers to show controls for public‑data linkage risks

[2] Five Eyes spook shops warn rapid rollouts of agentic AI are too risky

go.theregister.com · May 4, 2026


AI reading

Five Eyes information security agencies published guidance warning that agentic (autonomous) AI systems are likely to behave unexpectedly and widen the attack surface across critical systems. The guide lists risks and hundreds of best practices, and urges vendors to bake in fail‑safe defaults and human escalation; procurement should prepare to codify these expectations into acceptance tests and contractual obligations

Buyer takeaway

Incorporate the guidance into RFPs and contract templates so suppliers must supply test evidence and fail‑safe behavior before production rollout

Cost / money

Expect procurement to shift some spend toward testing, sandboxing, and longer acceptance cycles to validate agent safety

Supplier / commercial

Vendors may resist expanded testing and acceptance terms; use staged acceptance and clear go/no‑go criteria to balance delivery risk

Safety / operations

Operational risk increases when agents have broad permissions; require human‑in‑the‑loop escalation and auditability for production agents

What to watch

Standards and testing frameworks are still immature; treat supplier commitments as directionally protective until validated by tests

Key facts

  • Guidance warns agentic AI widens attack surface and may behave unpredictably
  • Document lists 23 different risks and over 100 best practices
  • Advice calls for fail‑safe defaults and human escalation mechanisms

Source excerpts

” Until security practices, evaluation methods and standards mature, organisations should assume that agentic AI systems may behave unexpectedly The thrust of the document is that implementing agentic AI will require use of many components, tools, and external data sources, creating an “interconnected attack surface that malicious actors can exploit. ” “Consequently, every individual component in an agentic AI system widens the attack surface, exposing the system to additional avenues of exploitation,” the docum
The agencies delivered that position last Friday in a guide titled Careful adoption of agentic AI services [PDF] that opens with the observation that “Agentic artificial intelligence (AI) systems increasingly operate across critical infrastructure and defense sectors and support mission-critical capabilities,” making it “crucial for defenders to implement security controls to protect national security and critical infrastructure from agentic AI-specific risks. ” Until security practices, evaluation methods and
Much of the advice targets developers who deploy AI, but the authors also urge vendors to ensure they test their wares thoroughly and ensure their products “fail-safe by default requiring agents to stop and escalate issues to human reviewers in uncertain scenarios

Used in this brief

  • Next quarter — Update RFP and contract templates for agentic AI suppliers to require fail‑safe defaults, human escalation points, staged acceptance testing, and evidence of robust sandboxing. Rationale: because Five Eyes guidance warns agentic AI widens the attack surface and procurement needs contractual levers and test evidence before production deployment. Owner: Contracts. KPI: Revised RFP and contract clauses that set mandatory testing and escalation obligations for agentic AI offerings
  • Five Eyes information security agencies published guidance warning that agentic (autonomous) AI systems are likely to behave unexpectedly and widen the attack surface across critical systems. The guide lists risks and hundreds of best practices, and urges vendors to bake in fail‑safe defaults and human escalation; procurement should prepare to codify these expectations into acceptance tests and contractual obligations
  • Buyer bottom line: Agentic AI requires specific procurement controls—contractual fail‑safes, testing evidence, and escalation paths should be mandatory before accepting agentic capabilities

[3] Instructure confirms data breach, ShinyHunters claims attack

bleepingcomputer.com · May 3, 2026


AI reading

Instructure confirmed a cyber incident and says personal information of users at affected institutions was exposed while an extortion group claims responsibility. The company is working with third‑party cybersecurity experts and law enforcement and reports the dataset spans a large number of institutions; procurement should watch notification scope and whether the supplier revises incident‑response commitments and forensic cooperation

Buyer takeaway

Map hosted LMS instances and force supplier commitments for notification timelines and forensic access so buyers aren’t left covering response work

Cost / money

Expect near‑term allocation of incident response and communications costs if contracts don’t require supplier‑paid support

Supplier / commercial

Use the incident to push for indemnity, faster notification SLAs, and supplier‑funded forensics during renewals and amendments

Safety / operations

Ops teams will need coordinated log access, shared forensic plans, and account review workflows with the supplier

What to watch

Watch for additional data postings or targeted extortion that expand notification obligations

Key facts

  • Vendor confirms personal information of users was exposed
  • Company engaged third‑party cybersecurity experts and law enforcement
  • Threat actor claims dataset covers a broad set of institutions

Source excerpts

" Instructure listed on ShinyHunters data extortion site ShinyHunters claimed that the data was stolen from Instructure via a vulnerability in their systems, which has now been patched. This data allegedly consists of over 240 million records tied to students, teachers, and staff
Educational tech giant Instructure has confirmed that data was stolen in a cyberattack, with the ShinyHunters extortion gang claiming responsibility. Instructure is a U
Your Salesforce instance was also breached and a lot more other data is involved. " Instructure listed on ShinyHunters data extortion site ShinyHunters claimed that the data was stolen from Instructure via a vulnerability in their systems, which has now been patched

Used in this brief

  • What to watch: Watch for additional data postings or targeted extortion tied to the Instructure incident — expanded releases would increase legal and notification obligations for affected buyers
  • Next 72 hours — Inventory all hosted LMS (Canvas) instances, map each to supplier, tenant owner, hosting model, and current notification SLA. Rationale: because Instructure confirmed stolen user data and buyers need a supplier‑mapped inventory to coordinate notifications, forensic access, and regulatory obligations. Owner: Ops. KPI: A supplier‑mapped inventory of LMS instances with contact points and SLA notes to guide incident coordination
  • Next 2-4 weeks — Open contract amendment talks with LMS and hosting suppliers to add explicit forensic cooperation, notification timelines, and cost pass‑through rules for data breaches. Rationale: because the confirmed LMS breach shows existing contracts may lack clear obligations for cross‑supplier forensics and cost allocation during mass data incidents. Owner: Contracts. KPI: Draft amendment positions or negotiation checklists to embed forensic cooperation and notification obligations into renewals

[4] Microsoft Defender wrongly flags DigiCert certs as Trojan:Win32/Cerdigent.A!dha

bleepingcomputer.com · May 3, 2026


AI reading

Microsoft Defender falsely flagged legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha and, on affected systems, removed those roots from the Windows trust store. Microsoft pushed a fixed security intelligence update and advised administrators to update; buyers should verify managed‑endpoint suppliers applied the fix and check whether any services relying on OS trust chains need remediation

Buyer takeaway

Confirm endpoint and PKI suppliers applied the remediation and identify which services rely on OS trust chains so you can prioritize recovery

Cost / money

Emergency remediation, rollback, and service restores create near‑term operational spend that may be disputed with suppliers

Supplier / commercial

Clarify contractual responsibility for AV‑signature driven trust‑store changes and consider adding pass‑through rules for remediation costs

Safety / operations

Trust‑store removals can break TLS and signed‑tooling checks, requiring testing and staged restores by Ops

What to watch

Watch for additional signature rollouts that could affect other CA roots or reintroduce trust issues

Key facts

  • False positives appeared after a Defender signature update
  • Affected certificates were removed from the Windows AuthRoot store on impacted systems
  • Microsoft issued a fixed Security Intelligence update and advised updating

Source excerpts

It should be noted that the certificates flagged by Microsoft Defender are root certificates in the Windows trust store and do not match the revoked DigiCert code-signing certificates used to sign malware
A!dha" False Positive. Source: Reddit. Microsoft has reportedly fixed the detections in Security Intelligence update version 1
Today, administrators worldwide began reporting that DigiCert root certificate entries were flagged as malware and, on affected systems, removed from the Windows trust store. According to a Reddit post about the false positives, the detected certificates are: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 On impacted systems, these certificates were removed from the AuthRoot store under this Registry key: HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\ These
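The excerpt above quotes the registry location and the two root certificate thumbprints that were removed on affected systems. The PowerShell below is an added example, not code from the article, Microsoft or DigiCert: run on a managed Windows endpoint, it reports whether each quoted thumbprint is still present in the local machine AuthRoot store and under the quoted registry key, and prints the Defender signature version so it can be compared with the fixed Security Intelligence release (the fixed version number is not reproduced on this page, so the script does not compare against one). The function name `Test-AuthRootPresence` is this example's own; the thumbprints and registry path are the ones quoted in the excerpt.

```powershell
# Added example (not from the article or Microsoft): verify the two DigiCert root
# thumbprints quoted in the report are present in the machine AuthRoot store and
# under the quoted registry key, then show the Defender signature version for
# comparison with the fixed Security Intelligence update.
$Thumbprints = @(
    '0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43',   # quoted in the report
    'DDFB16CD4931C973A2037D3FC83A4D7D775D05E4'    # quoted in the report
)
# Registry location quoted in the report (PowerShell drive form of HKLM\...)
$RegBase = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'

function Test-AuthRootPresence {
    # Hypothetical helper name for this example. Returns one row per thumbprint.
    param([string[]]$Thumbprint)
    foreach ($tp in $Thumbprint) {
        # Certificate provider view of the Third-Party Root store
        $cert = Get-ChildItem -Path Cert:\LocalMachine\AuthRoot -ErrorAction SilentlyContinue |
                Where-Object { $_.Thumbprint -eq $tp }
        # Registry view: each installed root has a subkey named by its thumbprint
        $regPresent = Test-Path -Path (Join-Path -Path $RegBase -ChildPath $tp)
        [pscustomobject]@{
            Thumbprint  = $tp
            Subject     = if ($cert) { $cert.Subject } else { '<missing>' }
            InCertStore = [bool]$cert
            InRegistry  = $regPresent
        }
    }
}

$results = Test-AuthRootPresence -Thumbprint $Thumbprints
$results | Format-Table -AutoSize

# Defender signature version currently applied (Get-MpComputerStatus is the
# Defender module cmdlet); compare it manually against Microsoft's fixed release.
$status = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($status) { "Defender signature version: $($status.AntivirusSignatureVersion)" }

# Non-zero exit lets a fleet management tool flag hosts that still need restoration.
$missing = $results | Where-Object { -not $_.InCertStore }
if ($missing) {
    Write-Warning ("Roots missing from AuthRoot: " + ($missing.Thumbprint -join ', ') +
                   " - raise with the endpoint/PKI supplier for restoration.")
    exit 1
}
"All listed roots present."
```

Run it from an elevated session so the machine store and HKLM key are readable; the exit code makes the check usable as a compliance item when asking suppliers for remediation status across a managed estate.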

Used in this brief

  • Safety / operations: Removal of trusted root certificates can break TLS validation and code‑signing checks, creating immediate uptime incidents and manual recovery tasks for operations teams
  • Next 72 hours — Ask endpoint, managed‑security, and PKI suppliers to confirm they applied Microsoft’s fixed security intelligence update and to provide remediation status for managed estates. Rationale: because Microsoft released a signature update that fixed DigiCert false positives but affected systems had roots removed from the Windows trust store, so supplier confirmation v... Owner: Category. KPI: Documented supplier confirmations and remediation steps for managed endpoints and PKI services
  • Next quarter — Review managed‑PKI and CA contracts with Legal to add uptime dependency language, explicit liability for trust‑store events, and remediation cost allocation options. Rationale: because a CA‑related false positive removed trusted roots from OS stores and exposed buyers to availability and verification failures that require clearer contractual responsibi... Owner: Legal. KPI: Contract negotiation positions and clause language options addressing CA-related outages and remediation responsibilities

[5] Telegram Mini Apps abused for crypto scams, Android malware delivery

bleepingcomputer.com · May 3, 2026


AI reading

Researchers uncovered a large fraud operation using Telegram Mini Apps to present phishing pages inside the app and to distribute Android APKs and progressive web apps. The campaigns use a shared backend to impersonate brands and push convincing in‑app pages that encourage downloads; procurement should require evidence of mitigation for any supplier that uses in‑app webviews or messaging‑platform integrations

Buyer takeaway

Treat messaging‑platform integrations as supply‑chain vectors requiring attestations, testing evidence, and clear incident support obligations

Cost / money

Compromised endpoints from in‑app deliveries can increase incident response and remediation costs tied to supplier integrations

Supplier / commercial

Require suppliers to supply attestations or test results for in‑app components and to participate in incident response when compromises trace to their integrations

Safety / operations

Endpoint protection and user training may not stop in‑app APK delivery; Ops should validate webview controls and managed‑device download blocking

What to watch

Watch whether campaigns escalate into targeted brand impersonations that impact customer‑facing supplier workflows

Key facts

  • Operation uses Telegram bots and Mini Apps to host phishing pages in the app’s WebView
  • Campaigns push Android APK files and progressive web apps that mimic legitimate software
  • Attackers use a shared backend to impersonate multiple well‑known brands

Source excerpts

A new report by CTM360 says the platform, dubbed FEMITBOT, is based on a string found in API responses and uses Telegram bots and embedded Mini Apps to create convincing, app-like experiences directly within the messaging platform. Telegram Mini Apps are lightweight web applications that run inside Telegram’s built-in browser, enabling services such as payments, account access, and interactive tools without requiring users to leave the app
When a user interacts with a bot and clicks "Start," the bot launches a Mini App that displays a phishing page in Telegram’s built-in WebView, making it appear as part of the app itself
Cybersecurity researchers have uncovered a large-scale fraud operation that uses Telegram’s Mini App feature to run crypto scams, impersonate well-known brands, and distribute Android malware. A new report by CTM360 says the platform, dubbed FEMITBOT, is based on a string found in API responses and uses Telegram bots and embedded Mini Apps to create convincing, app-like experiences directly within the messaging platform

Used in this brief

  • Safety / operations: In‑app phishing and APK distribution via Telegram Mini Apps raise the likelihood of endpoint compromise through supplier integrations, meaning endpoint protections and managed device controls may be insufficient alone
  • Next 2-4 weeks — Require suppliers that integrate with messaging platforms or in‑app webviews to provide security attestations, penetration‑test results, or evidence of download‑blocking control... Rationale: because researchers show Telegram Mini Apps can host phishing pages and push APKs inside the app, increasing risk from supplier integrations and in‑app downloads. Owner: Category. KPI: Supplier attestations or test artifacts demonstrating controls for in‑app content, download workflows, and incident support
  • Added Telegram Mini Apps abuse report showing in‑app webview phishing and APK delivery vectors for supplier integrations (article 4)

[6] CrowdStrike

finance.yahoo.com · n.d.


[7] Palo Alto

finance.yahoo.com · n.d.
