Canvas Breach 'Deal' With ShinyHunters, AI Zero-Day Warning, Checkmarx Hit Again

Cybersecurity Today examines a troubling set of new security developments affecting schools, software supply chains, and account security.

Instructure says it reached an "agreement" with the ShinyHunters threat group after the massive Canvas breach that may have affected up to 275 million users across 9,000 educational institutions. Reports indicate attackers exploited multiple cross-site scripting (XSS) vulnerabilities to hijack administrator sessions and post extortion demands.

Checkmarx has been breached again. This time, attackers reportedly inserted a malicious Jenkins Application Security Testing (AST) plugin designed to steal credentials. The same threat actor, believed to be Team46/TeamTNT-linked infrastructure or Team PCP depending on reporting attribution, appears to have reused secrets allegedly stolen in the earlier Trivy supply-chain compromise.

Microsoft and Google are warning organizations not to treat passkeys as a complete security solution. If weaker recovery methods or legacy credentials remain active, attackers can still bypass them.

Google's Threat Intelligence Group also reports what it describes as the first observed evidence of hostile actors using AI to assist in zero-day vulnerability research and exploit development, signalling a new phase in attacker industrialization.

Also in today's show: Santa Clara County sues Meta over alleged scam-ad profits.

Chapters
00:00 Headlines Overview
00:28 Canvas Breach Deal Fallout
01:59 How the XSS Attack Worked
03:15 Checkmarx Supply Chain Attack
05:01 Credential Rotation Lessons
05:37 Why Passkeys Aren't Enough
07:19 Layered Defence Takeaways
08:35 AI-Assisted Zero-Day Development
10:10 Industrialized AI Threats
13:08 Meta Scam Ads Lawsuit
15:19 Wrap Up