How to Strengthen Your Cybersecurity Posture Using Recent Threat Intelligence

Asked 2026-05-18 00:54:02 Category: Education & Careers

Introduction

Staying ahead of cyber threats requires more than just awareness—it demands actionable steps. The latest threat intelligence reveals a surge in data breaches, AI-assisted attacks, and critical vulnerabilities affecting major platforms. This guide transforms those findings into a practical, step-by-step plan to fortify your defenses. By following these steps, you can mitigate risks from the types of incidents reported in May 2026, including breaches at Canvas, Zara, Mediaworks, and Skoda, as well as AI agent hijacking and zero-day exploits.

How to Strengthen Your Cybersecurity Posture Using Recent Threat Intelligence
Source: research.checkpoint.com

What You Need

  • A list of all software and systems your organization uses (including third-party integrations)
  • Access to vulnerability databases (e.g., CVE, NVD) or threat intelligence feeds
  • Permission to apply patches and updates (or a change management process)
  • Browser extension management tool (e.g., enterprise policy for Chrome)
  • Incident response plan template
  • Regular backup solution (tested and verified)

Step-by-Step Guide

Step 1: Review Recent Breaches to Identify Common Attack Vectors

Start by studying the attacks described in the threat report. The breaches at Canvas (Instructure), Zara, Mediaworks, and Skoda shared one characteristic: attackers got in either through third-party vendor access or through a software flaw. For example, the Canvas breach occurred in a cloud-hosted environment, while Zara's data leak stemmed from a third-party technology provider. Mediaworks was subjected to data-theft extortion after an intrusion, and Skoda's online shop fell to a software vulnerability.

Action: Map out your own supply chain. Identify every vendor with access to your data or systems. For each, ask: what would happen if they were compromised? Create a table listing vendors, the data they handle, the access they hold (credentials, API keys, network paths), and their security certifications. Also check whether you use any of the affected platforms (Canvas, Inditex services, Škoda's shop, Mediaworks tools). If so, contact their support teams immediately for guidance and rotate any credentials or tokens those integrations hold.

Step 2: Apply Critical Patches for Known Vulnerabilities

The report highlights urgent fixes for two products: CVE-2026-4670 and CVE-2026-5174 in MOVEit Automation, and CVE-2026-6973 in Ivanti EPMM. The MOVEit flaws allow authentication bypass and privilege escalation; the Ivanti bug is a zero-day already exploited in the wild with administrator permissions. Delaying these patches leaves your file transfer and mobile device management systems open to attack.

Action: Immediately update MOVEit Automation to version 2025.1.5, 2025.0.9, or 2024.1.8 (whichever applies to your release branch). For Ivanti EPMM, upgrade to the latest patched version (check Ivanti's advisory). If you cannot patch immediately, implement compensating controls: restrict network access to MOVEit servers (the administrative interface in particular should not be reachable from the internet), enforce multi-factor authentication for administrative accounts, and monitor EPMM logs for unusual activity. Compensating controls reduce exposure but do not remove the flaw, so track the outstanding patch as an open risk until it is applied. Subscribe to vendor security bulletins to receive future alerts.
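"Whichever applies" is where inventory checks go wrong: a string comparison puts 2025.1.10 before 2025.1.5, and a host on a branch the advisory does not list looks "safe" by default. The check below is an added example, not code from the guide or from the vendor; it takes the fixed builds named above, maps each installed version to its release branch, and triages an inventory. The host inventory it runs on is constructed.

```python
"""Triage MOVEit Automation installs against the fixed builds in the guide.
Added example; fixed versions are the three named in Step 2, the host
inventory below is constructed, not read from any real system."""
from typing import Tuple

# Fixed builds from the guide, keyed by the major.minor branch they belong to.
FIXED_MOVEIT_AUTOMATION = {
    (2025, 1): (2025, 1, 5),
    (2025, 0): (2025, 0, 9),
    (2024, 1): (2024, 1, 8),
}

def parse_version(text: str) -> Tuple[int, ...]:
    """'2025.1.5' -> (2025, 1, 5). A longer build string such as
    '2025.1.5.123' keeps only its first three numeric fields."""
    fields = text.strip().split(".")
    if len(fields) < 3 or not all(f.isdigit() for f in fields[:3]):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(f) for f in fields[:3])

def moveit_automation_status(installed: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-branch'.

    'unknown-branch' means the install is on a release line the guide gives
    no fixed build for (older, or newer than the list). Treat it as needing
    review against the vendor advisory, never as safe by default."""
    version = parse_version(installed)
    fixed = FIXED_MOVEIT_AUTOMATION.get(version[:2])
    if fixed is None:
        return "unknown-branch"
    # Tuple comparison is numeric field by field, so 2025.1.10 >= 2025.1.5
    # holds, which a plain string comparison would get wrong.
    return "patched" if version >= fixed else "vulnerable"

def triage(hosts: dict) -> dict:
    """Group host names by status so the vulnerable ones are worked first."""
    out = {"vulnerable": [], "patched": [], "unknown-branch": []}
    for host, version in hosts.items():
        out[moveit_automation_status(version)].append(host)
    return out

if __name__ == "__main__":
    # Constructed inventory for illustration only.
    inventory = {
        "mft-prod-01": "2025.1.4",
        "mft-prod-02": "2025.1.5",
        "mft-dr-01": "2024.1.10",
        "mft-legacy": "2023.0.3",
    }
    for status, names in triage(inventory).items():
        print(f"{status:15} {', '.join(names) or '-'}")
```

Feed it the version strings your asset inventory already holds; the point of the three-way result is that "unknown-branch" hosts get a human look rather than silently dropping out of the patch list.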

Step 3: Harden Your AI and Browser Extensions Against Hijacking

Two AI-related vulnerabilities were disclosed: a WebSocket hijacking flaw in Cline's AI coding agent (CVSS 9.7) and a Claude in Chrome extension hijack risk. Both allow attackers to inject commands, exfiltrate data, or abuse browser-connected information. Additionally, the InstallFix campaign uses fake Claude AI installers via Google Ads to deliver malware. These threats show how AI tools expand the attack surface.

Action:

  • For Cline users: update to version 0.1.66 or later immediately. If you cannot update, avoid using Cline in environments where you visit untrusted websites.
  • For Claude in Chrome: disable or restrict the extension until Anthropic releases a fix. Alternatively, use browser profiles that isolate AI extensions from sensitive sites (e.g., banking, email).
  • To avoid fake installers: only download Claude from the official Anthropic website or the Chrome Web Store. Do not click on Google Ads for AI tools. Deploy ad-blocking and endpoint detection that flags suspicious command execution, for example a terminal or PowerShell process launched from a browser or the Run dialog.

Step 4: Educate Users on AI-Powered Social Engineering

The InstallFix campaign tricks users into running commands that launch multi-stage malware. This highlights the need for training against deceptive AI-themed lures. Attackers are using AI as bait because of its popularity.

Action: Conduct a short training session on recognizing fake AI download pages. Emphasize that the tell is not the command itself but where it came from: an ad-served page, or a pop-up "verification" or "fix" step, telling the user to paste a command into a terminal, PowerShell, or the Run dialog. Installation instructions should come only from the vendor's own documentation, and any command that arrives encoded or claims to fix an error the user never saw is a lure. Use simulated phishing campaigns that mimic such attacks. Create a company policy: all software installations must be approved by IT and downloaded from official sources only.

Step 5: Implement Browser Extension Security Controls

The Claude extension flaw demonstrates that browser extensions can be hijacked by other malicious extensions. Enterprises often overlook browser extension risks.

Action: Use enterprise policy to allow only approved extensions (in Chrome, set ExtensionInstallBlocklist to "*" and list the approved extension IDs in ExtensionInstallAllowlist). Regularly audit installed extensions across your organization. Remove any extension with excessive permissions (e.g., "read and change all your data on all websites", which is what a request for <all_urls> or a wildcard host pattern shows up as). Encourage users to report suspicious extensions. Consider deploying a browser security tool that monitors extension behavior.
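The audit in this step and the extension-isolation advice in Step 3 both come down to two questions per installed extension: is its ID on the approved list, and does its manifest ask for broad host access? The script below is an added example, not Check Point's or any browser vendor's tooling. It reads manifest.json files (the Chrome profile layout <profile>/Extensions/<id>/<version>/manifest.json is an assumption about where they live), handles both Manifest V2 permissions and Manifest V3 host_permissions, and flags the two conditions. The manifests and IDs it runs on here are constructed.

```python
"""Audit browser-extension manifests for unapproved IDs and broad host access.
Added example, not vendor tooling. The profile layout in load_profile() is
assumed; SAMPLE_MANIFESTS and APPROVED_IDS are constructed placeholders."""
import json
from pathlib import Path
from typing import Dict, List

# Host patterns that Chrome surfaces as "Read and change all your data on all
# websites", the permission the guide says to remove.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Manifest V2 lists host patterns under "permissions"; V3 moves them to
# "host_permissions" (optional ones to "optional_host_permissions").
HOST_KEYS = ("permissions", "host_permissions", "optional_host_permissions")

def broad_hosts(manifest: dict) -> List[str]:
    """Return the broad host patterns an extension manifest requests."""
    found = []
    for key in HOST_KEYS:
        for entry in manifest.get(key, []):
            if isinstance(entry, str) and entry in BROAD_HOST_PATTERNS:
                found.append(entry)
    return found

def audit(manifests: Dict[str, dict], approved_ids: set) -> List[dict]:
    """One finding per extension that is unapproved or over-privileged.
    manifests maps extension ID -> parsed manifest.json."""
    findings = []
    for ext_id, manifest in manifests.items():
        reasons = []
        if ext_id not in approved_ids:
            reasons.append("not on approved list")
        hosts = broad_hosts(manifest)
        if hosts:
            reasons.append("broad host access: " + ", ".join(hosts))
        if reasons:
            findings.append({"id": ext_id, "name": manifest.get("name", "?"),
                             "version": manifest.get("version", "?"),
                             "reasons": reasons})
    return findings

def load_profile(profile_dir: Path) -> Dict[str, dict]:
    """Read every manifest under a Chrome profile's Extensions folder
    (assumed layout Extensions/<id>/<version>/manifest.json; the highest
    version folder, last in sorted order, wins)."""
    manifests = {}
    for path in sorted(profile_dir.glob("Extensions/*/*/manifest.json")):
        manifests[path.parent.parent.name] = json.loads(path.read_text(encoding="utf-8"))
    return manifests

# Constructed sample manifests; the 32-char IDs are placeholders, not real extensions.
SAMPLE_MANIFESTS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "manifest_version": 3, "name": "Approved PDF viewer", "version": "1.2",
        "host_permissions": ["https://docs.example.internal/*"]},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "manifest_version": 3, "name": "Coupon helper", "version": "4.0",
        "host_permissions": ["<all_urls>"], "permissions": ["storage", "tabs"]},
    "cccccccccccccccccccccccccccccccc": {
        "manifest_version": 2, "name": "Legacy screenshot tool", "version": "0.9",
        "permissions": ["http://*/*", "https://*/*", "tabs"]},
}
APPROVED_IDS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "cccccccccccccccccccccccccccccccc"}

if __name__ == "__main__":
    for f in audit(SAMPLE_MANIFESTS, APPROVED_IDS):
        print(f["id"][:8], f["name"], f["version"], "-", "; ".join(f["reasons"]))
```

Note that the approved-but-broad case (the legacy screenshot tool above) is reported too: being on the allowlist does not make "all websites" access acceptable, and an extension like that is exactly what another malicious extension or a hijacked page would lean on.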

Step 6: Develop an Incident Response Plan Based on These Scenarios

Each attack in the report—data theft, extortion, defacement—requires a specific response. Having a plan reduces damage.

Action: Update your incident response plan to include: a) data breach notification procedures (e.g., informing affected parties such as students or customers, and the regulator where required), b) steps for extortion scenarios (e.g., contact law enforcement, preserve evidence, decide in advance who may negotiate), c) communication templates for defacement events. Test the plan with a tabletop exercise using the Mediaworks intrusion (8.5 TB leaked) as a scenario. Ensure backups are offline and encrypted, and include a restore test in the exercise so "backed up" is verified rather than assumed.

Step 7: Monitor for Exposed Credentials and Data

Breaches like those at Zara and Canvas expose email addresses, order histories, and private messages. Attackers may use this data for follow-up phishing or credential stuffing.

Action: Use a dark web monitoring service to check if any of your corporate domains appear in leaked datasets. Enable multi-factor authentication on all accounts. For any exposed email addresses, require password resets. Implement a password manager to enforce unique passwords. Consider a credit monitoring service for affected customers if you handle customer data.
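Dark-web monitoring tells you whether a domain appears in a dump; it does not tell you whether the passwords your users chose are in one. Going a step past this section, the example below (added here, not from the guide) shows the k-anonymity range check used by Have I Been Pwned's Pwned Passwords API: only the first five hex characters of the password's SHA-1 leave the host, the API returns every hash suffix in that bucket with a count, and the match is made locally. The fetch is pluggable, so the demo runs offline against a constructed response; the count in that response is made up.

```python
"""Password breach check by k-anonymity range query. Added example, not
from the guide. Real endpoint (not called offline):
GET https://api.pwnedpasswords.com/range/<first 5 hex of SHA-1>, which
answers with 'SUFFIX:COUNT' lines. _FAKE_BODY below is constructed."""
import hashlib
from typing import Callable, Dict

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_for_range_query(password: str):
    """Return (prefix, suffix): only the 5-char prefix leaves the host."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; tolerate blank lines and CRLF endings."""
    out = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        out[suffix.upper()] = int(count)
    return out

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How often the password appears in the corpus (0 = not found).
    fetch_range(prefix) returns the response body for that prefix; the
    suffix comparison happens here, so the service never learns which
    suffix we were interested in."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

# Constructed offline stand-in for the API. SHA-1('password') is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8; the first line is that hash's
# suffix with a made-up count.
_FAKE_BODY = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD9:2\r\n"
    "\r\n"
)
def fake_fetch_range(prefix: str) -> str:
    assert len(prefix) == 5 and prefix == prefix.upper()
    return _FAKE_BODY if prefix == "5BAA6" else "0000000000000000000000000000000000A:1\r\n"

def real_fetch_range(prefix: str) -> str:
    """Production fetcher, not exercised offline. Add-Padding asks the API
    to pad the response so its size does not reveal the bucket."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "example-password-audit"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple 2026!"]:
        n = breach_count(pw, fake_fetch_range)
        print(f"{pw!r}: {'seen %d times, force reset' % n if n else 'not in sample corpus'}")
```

Wire breach_count into the password-change path with real_fetch_range, reject any password with a non-zero count, and you have the "unique, unexposed passwords" control this step asks for without ever shipping a password or its full hash to a third party.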

Step 8: Review Third-Party Access and Contracts

The Zara breach originated from a third-party technology provider. Many companies have similar dependencies.

Action: Re-evaluate all vendor contracts to include security clauses: incident notification timeline, data handling standards, and right to audit. Regularly review vendor security assessments. If a vendor cannot demonstrate strong security, limit the data you share or seek alternatives.

Tips for Long-Term Protection

  • Treat AI tools cautiously: They are new attack vectors. Never grant AI agents unrestricted browser access or file system permissions.
  • Patch promptly but test first: Critical vulnerabilities (CVSS 9+) should be patched within 48 hours; anything already being exploited, like the Ivanti EPMM zero-day, goes to the front of the queue. Always test patches in a staging environment first to avoid breaking production, and keep the test short enough that it does not eat the 48 hours.
  • Segment your network: If one system is breached, limit lateral movement. For example, separate your file transfer server (MOVEit) from your corporate network.
  • Enable logging and monitoring: Use SIEM tools to detect signs of hijacking (e.g., unexpected WebSocket connections, unusual extension activity, mass file exfiltration).
  • Stay informed: Subscribe to threat intelligence feeds and vendor security advisories. The threats change weekly; this report covers the week of 11 May 2026, and new vulnerabilities emerge daily.
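The logging tip names three signals. Two of them can be expressed as concrete rules, and the example below (added here, not a rule set from any SIEM product or from the report) runs both over a handful of constructed JSON-lines events: a WebSocket upgrade whose Origin header does not match the destination host, which is what a web page reaching into a locally listening tool looks like, and a burst of outbound bytes from one source inside a short window, which is what mass file exfiltration looks like. The event schema (ts, src, dst_host, dst_port, origin, upgrade, bytes_out) is an assumption, not any product's native format.

```python
"""Two SIEM-style detections over constructed log events. Added example; the
JSON-lines schema is assumed and every event in SAMPLE_LOG is made up."""
import json
from collections import defaultdict
from datetime import datetime
from typing import List
from urllib.parse import urlparse

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

def parse_events(lines: str) -> List[dict]:
    return [json.loads(l) for l in lines.splitlines() if l.strip()]

def origin_host(origin: str) -> str:
    """'https://evil.example:443' -> 'evil.example'; 'null' stays 'null'."""
    if origin == "null":
        return "null"
    return urlparse(origin).hostname or ""

def unexpected_websockets(events: List[dict]) -> List[dict]:
    """Upgrade requests whose Origin host is not the destination host.
    Loopback names count as one host, so a local UI talking to its own
    local agent is not flagged. 'null' (sandboxed or file:// pages) and a
    missing Origin (non-browser client) never match and are always flagged."""
    hits = []
    for e in events:
        if e.get("upgrade", "").lower() != "websocket":
            continue
        o, d = origin_host(e.get("origin", "")), e["dst_host"]
        same = (o == d) or (o in LOOPBACK_HOSTS and d in LOOPBACK_HOSTS)
        if not same:
            hits.append(e)
    return hits

def exfil_bursts(events: List[dict], window_s: int = 300,
                 threshold_bytes: int = 500_000_000) -> List[dict]:
    """Per source host, sum bytes_out over a sliding window and report the
    first window that reaches the threshold (500 MB in 5 minutes by default)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append((datetime.fromisoformat(e["ts"]), e.get("bytes_out", 0)))
    findings = []
    for src, seq in by_src.items():
        seq.sort()
        start, total = 0, 0
        for end in range(len(seq)):
            total += seq[end][1]
            while (seq[end][0] - seq[start][0]).total_seconds() > window_s:
                total -= seq[start][1]
                start += 1
            if total >= threshold_bytes:
                findings.append({"src": src, "bytes": total,
                                 "from": seq[start][0].isoformat(),
                                 "to": seq[end][0].isoformat()})
                break
    return findings

# Constructed events, not real traffic. Port 7777 stands in for "some local
# agent port"; share.example stands in for an external upload target.
SAMPLE_LOG = """
{"ts":"2026-05-12T09:00:01","src":"10.0.0.5","dst_host":"localhost","dst_port":7777,"origin":"http://localhost:3000","upgrade":"websocket","bytes_out":120}
{"ts":"2026-05-12T09:00:05","src":"10.0.0.5","dst_host":"localhost","dst_port":7777,"origin":"https://news.example","upgrade":"websocket","bytes_out":900}
{"ts":"2026-05-12T09:00:09","src":"10.0.0.5","dst_host":"127.0.0.1","dst_port":7777,"origin":"null","upgrade":"websocket","bytes_out":40}
{"ts":"2026-05-12T09:01:00","src":"10.0.0.9","dst_host":"share.example","dst_port":443,"origin":"","upgrade":"","bytes_out":300000000}
{"ts":"2026-05-12T09:03:00","src":"10.0.0.9","dst_host":"share.example","dst_port":443,"origin":"","upgrade":"","bytes_out":250000000}
{"ts":"2026-05-12T09:30:00","src":"10.0.0.9","dst_host":"share.example","dst_port":443,"origin":"","upgrade":"","bytes_out":250000000}
{"ts":"2026-05-12T09:04:00","src":"10.0.0.12","dst_host":"share.example","dst_port":443,"origin":"","upgrade":"","bytes_out":100000000}
"""

if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for h in unexpected_websockets(events):
        print("WS-ORIGIN-MISMATCH", h["src"], "->", f'{h["dst_host"]}:{h["dst_port"]}',
              "origin", h["origin"] or "(missing)")
    for f in exfil_bursts(events):
        print("EXFIL-BURST", f)
```

The origin rule is deliberately strict: a legitimate local agent that serves a browser front end should only ever see loopback origins, so anything else is worth an alert even when the payload is small. The byte-count rule needs tuning per environment; the 500 MB / 5 minute defaults are placeholders, and the window over a single host in the sample (550 MB in two minutes) is what a tuned threshold should catch while the later, isolated 250 MB upload does not trip it.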

By following these steps, you transform raw intelligence into protective action. Remember: cybersecurity is a continuous process, not a one-time fix.