[Week 3 of May 2026] Four New Threats Japanese Companies Should Be Wary of: Canvas breach, npm supply chain attack, and ClaudeBleed


This Week's Security Threat Highlights


The second week of May 2026 saw a series of serious threats directly affecting Japanese companies, including supply chain attacks, large-scale breaches of educational institutions, and new AI-related vulnerabilities. This article details four new threats that are not yet widely recognized in Japan and outlines countermeasures.



[Threat 1] Canvas LMS Massive Breach: ShinyHunters Affects Hundreds of Universities


On May 1, 2026, Instructure, the operator of the learning management system (LMS) "Canvas" used by educational institutions, confirmed a large-scale breach by the hacker group ShinyHunters. Between the breach on April 25 and the public announcement on May 1, the attackers accessed data from hundreds of universities and stole a large amount of it, including students' personal information. Instructure reportedly complied with the ransom demand and paid it on May 11. Many universities in Japan also use Canvas, which increases the risk of student information leaks.

Relevance to Japan: Universities and educational institutions in Japan that use Canvas face a direct risk of student information leakage. Furthermore, educational institutions are subject to the Act on the Protection of Personal Information (APPI), and the reporting obligation and loss of social credibility in the event of a leak are serious concerns.



[Threat 2] Mini Shai-Hulud: Self-replicating npm supply chain attack compromises over 160 packages


On May 11, 2026, the threat group TeamPCP compromised over 160 npm packages, including TanStack, Mistral AI, and UiPath, using self-replicating malware called "Mini Shai-Hulud." This worm hijacks CI/CD pipelines, steals developer secrets (GitHub tokens, cloud credentials, and cryptocurrency wallets), and automatically spreads infection to other packages using the stolen tokens. The attackers generated valid SLSA Build Level 3 certificates, making it appear as if the malware was generated from a legitimate build process.

Relevance to Japan: If Japanese development companies are using these npm packages, their entire development environment could be compromised. In particular, if AWS, Azure, and GCP credentials stored in CI/CD pipelines are stolen, the entire cloud infrastructure will be at risk. The impact on financial institutions and SaaS companies is significant.



[Threat 3] ClaudeBleed: A critical vulnerability in the Claude Chrome extension allows AI to be hijacked


On May 7, 2026, LayerX security researchers discovered a critical vulnerability in the Claude Chrome extension called "ClaudeBleed." This vulnerability allows any unauthorized Chrome extension to completely take over Claude AI, access services such as Gmail, Google Drive, and GitHub on behalf of the user, steal sensitive data, and impersonate the user to perform actions. Anthropic has made a partial fix, but the underlying trust boundary issue remains unresolved.

Relevance to Japan: If Japanese companies use Claude for business purposes, installing a malicious Chrome extension could lead to the theft of confidential company information (source code, customer data, financial information). The risk of damage is particularly high for AI development companies and consulting firms.



[Threat 4] JDownloader supply chain attack: Official website compromised, distributing Python RAT malware


On May 6-7, 2026, the official website of the download management tool "JDownloader" was compromised, and its Windows and Linux installers were replaced with malicious payloads. The attackers exploited an unpatched vulnerability in the CMS to tamper with download links, and the installers executed by users launched a Python RAT (Remote Access Trojan). The Linux installer installed a backdoor with root privileges, establishing persistent access.

Relevance to Japan: JDownloader is used by many users in Japan, and the systems of users who downloaded it on May 6-7 may be completely compromised. In particular, if a company's IT department was using it as a distribution management tool, the entire corporate network is at risk.


Sources

1. Canvas LMS Compromise - Instructure Security Incident Update https://www.instructure.com/incident_update

2. Mini Shai-Hulud npm supply chain attack - StepSecurity Blog

3. ClaudeBleed vulnerability - LayerX Security Blog



What PIPELINE Co., Ltd. Can Do


PIPELINE Corporation's three main products provide comprehensive protection against these four threats.


RiskSensor (External risk intelligence, attack surface visualization, dark web monitoring)

RiskSensor enables early detection of supply chain attacks such as Canvas LMS breaches and JDownloader attacks. It monitors stolen credentials and corporate data circulating on the dark web and hacker forums, and immediately notifies you if the software or services you use have been compromised. Furthermore, by visualizing the attack surface, it identifies vulnerabilities and misconfigurations that are visible from the outside, allowing you to take countermeasures before attackers can target them.


ThreatIDR (DNS-level threat blocking, malware/C2 communication blocking)

ThreatIDR blocks malware like Mini Shai-Hulud and JDownloader RAT from sending stolen credentials to a C2 (command and control) server at the DNS level. ThreatIDR automatically detects and blocks communication to known malicious domains (such as api.masscan.cloud and filev2.getsession.org) to prevent data leakage. It can also detect malicious external communication from extension-based attacks like ClaudeBleed.
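
A retrospective check for the two domains named above can be run over resolver query logs. The following is an added example, not PIPELINE's product code and not part of the original article; it assumes dnsmasq `log-queries` output as the log source, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Domains named in this article as examples of known malicious destinations.
WATCHLIST = {"api.masscan.cloud", "filev2.getsession.org"}

# dnsmasq "log-queries" line format (assumed log source for this example).
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<qname>\S+)\s+from\s+(?P<client>\S+)")

def normalize(qname):
    """Lower-case and drop the trailing root dot so comparisons are exact."""
    return qname.lower().rstrip(".")

def matches_watchlist(qname, watchlist=WATCHLIST):
    """Return the watchlisted domain that qname equals or is a subdomain of, else None."""
    labels = normalize(qname).split(".")
    # Compare whole-label suffixes so look-alike names do not match.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None

def find_hits(lines, watchlist=WATCHLIST):
    """Map each querying client to the set of watchlisted domains it looked up."""
    hits = defaultdict(set)
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # reply/forward lines carry no client address
        domain = matches_watchlist(m.group("qname"), watchlist)
        if domain:
            hits[m.group("client")].add(domain)
    return dict(hits)

# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = """\
May 12 09:14:01 dnsmasq[811]: query[A] registry.npmjs.org from 10.0.4.21
May 12 09:14:02 dnsmasq[811]: query[A] API.Masscan.Cloud. from 10.0.4.21
May 12 09:14:05 dnsmasq[811]: query[AAAA] cdn.filev2.getsession.org from 10.0.7.9
May 12 09:14:07 dnsmasq[811]: query[A] notapi.masscan.cloud from 10.0.7.9
May 12 09:14:09 dnsmasq[811]: query[A] api.masscan.cloud.example.com from 10.0.2.3
May 12 09:14:10 dnsmasq[811]: reply registry.npmjs.org is 104.16.0.1
""".splitlines()

if __name__ == "__main__":
    for client, domains in sorted(find_hits(SAMPLE_LOG).items()):
        print(client, sorted(domains))
```

Matching on whole DNS labels keeps look-alike names such as `notapi.masscan.cloud` out of the results while still catching subdomains and mixed-case or fully qualified queries.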


DatalaiQ (Threat Hunting, Log Analysis, Incident Investigation)

In the event of a Mini Shai-Hulud or ClaudeBleed attack, DatalaiQ analyzes all network logs to quickly grasp the full scope of the attack. It can investigate in detail how stolen credentials were used, which systems were compromised, and what data was leaked. In addition, its threat hunting capabilities can search for known attack patterns (such as the GitHub dead-drop that uses terminology from the Dune universe and the exploitation of SLSA certificates) to uncover hidden breaches.

These four threats could have a serious impact on Japanese companies in the coming weeks. PIPELINE Corporation's integrated security solution enables the creation of a comprehensive defense system, from early detection of external threats to blocking malware communications and investigating incidents.



Summary | Attacks exploiting "legitimate services" are on the rise.


The four threats discussed here have something in common: they all exploit

  • Official services

  • Genuine software

  • Official authentication

  • Regular development processes

In recent years, attackers have not simply distributed malware; they increasingly target "systems that companies trust," such as


  • Development pipelines

  • AI tools

  • Browser extensions

  • Cloud services for educational institutions


In Japanese companies in particular, while

  • Increased use of SaaS

  • Adoption of generative AI

  • Cloud migration

  • Remote development environments

are progressing, there are many cases where monitoring of the entire supply chain is not keeping pace.

The era when "security was only needed within the company" is coming to an end.

Continuously monitoring the external services, open-source software, and extensions being used will be crucial for future security measures.



✦ In Closing

Thank you for reading this far.

We at PIPELINE Corporation are a group of experts specializing in cybersecurity and threat intelligence.

We face threats together with our customers on-site every day.

"Even if we have a specialized team within the company, we lack the resources," "We don't know where to start," and "We want to prepare realistically, assuming we will be attacked."

We receive many inquiries like this. Regardless of the size of the company, the current situation is that weak points in defenses are easily targeted.

Furthermore, trying to handle everything internally inevitably makes it easier for things to be overlooked.

That's why we focus on practical methods that are useful in the field, rather than idealistic theories, and propose a small-scale, easy-to-implement approach. Even "a small step within your capabilities" can make a big difference in safety.

If you have any concerns at all, please feel free to contact us. Let's work together to find the quickest way to strengthen your security.



