Canvas Breach 'Deal' With ShinyHunters, AI Zero-Day Warning, Checkmarx Hit Again
5/13/202616 min
Cybersecurity Today examines a troubling set of new security developments affecting schools, software supply chains, and account security.
Instructure says it reached an "agreement" with the ShinyHunters threat group after the massive Canvas breach that may have affected up to 275 million users across 9,000 educational institutions. Reports indicate attackers exploited multiple cross-site scripting (XSS) vulnerabilities to hijack administrator sessions and post extortion demands.
Checkmarx has been breached again. This time, attackers reportedly inserted a malicious Jenkins Application Security Testing (AST) plugin designed to steal credentials. The same threat actor, believed to be Team46/TeamTNT-linked infrastructure or Team PCP depending on reporting attribution, appears to have reused secrets allegedly stolen in the earlier Trivy supply-chain compromise.
Microsoft and Google are warning organizations not to treat passkeys as a complete security solution. If weaker recovery methods or legacy credentials remain active, attackers can still bypass them.
Google's Threat Intelligence Group also reports what it describes as the first observed evidence of hostile actors using AI to assist in zero-day vulnerability research and exploit development, signalling a new phase in attacker industrialization.
Also in today's show: Santa Clara County sues Meta over alleged scam-ad profits.
Chapters
00:00 Headlines Overview
00:28 Canvas Breach Deal Fallout
01:59 How the XSS Attack Worked
03:15 Checkmarx Supply Chain Attack
05:01 Credential Rotation Lessons
05:37 Why Passkeys Aren't Enough
07:19 Layered Defence Takeaways
08:35 AI-Assisted Zero-Day Development
10:10 Industrialized AI Threats
13:08 Meta Scam Ads Lawsuit
15:19 Wrap Up
Transcript preview
First 90 secondsDavid Shipley· Host0:00
Instructure cuts deal with ShinyHunters. Checkmarx hit again in another supply chain attack. Microsoft and Google warn passkeys are not a security silver bullet. And Google reports its first evidence of hostile use of AI to develop a zero day. This is Cyber Security Today, and I'm your host, David Shipley. Let's get started. Instructure, the company behind the massively breached learning platform Canvas, has officially used the word agreement to describe its new arrangement with the criminal group ShinyHunters. In a statement on Tuesday, Instructure confirmed it has reached what it's calling an agreement with the threat actor responsible for the Canvas breach. The Canvas breach affects as many as nine thousand schools worldwide and as many as two hundred and seventy-five million people. According to BleepingComputer, the company says ShinyHunters has returned the stolen data and provided what Instructure calls shred logs confirming its destruction. The agreement covers all impacted customers. The company says no one will need to negotiate separately, and no individual customer will be extorted as a result of this incident. It's worth noting that an agreement with a criminal organization