Editor’s Note: This week’s brief is very supply-chain heavy: learning platforms, developer plugins, download sites, AI tooling, and firewalls all make appearances. The recurring theme is simple: attackers keep going after the stuff everyone quietly depends on, because apparently “critical shared infrastructure” is just another phrase for “please ruin my week.”
The 2003 SQL Slammer worm spread across the internet in minutes by exploiting unpatched Microsoft SQL Server systems, causing widespread disruption to networks, ATMs, airlines, and emergency services. A helpful historical reminder that “we’ll patch next week” has always been a bold strategy. (cisa.gov)
📜 Table of Contents
💥 Major Breaches & Incidents - Canvas chaos, Braintrust key rotation, Ubuntu DDoS
🧨 Emerging Threats & Vulnerabilities - cPanel frenzy, Ivanti EPMM, Linux root, Checkmarx Jenkins
🔐 Privacy Watch - GM driver data, Texas v. Netflix
🕵️ APTs and State Sponsored Attacks - Palo Alto zero-day, Iranian ransomware cover, Daemon Tools backdoor
🤖 AI in Cyber - AI-developed zero-day, three-day patch deadlines
💥 Major Breaches & Incidents
🎓 Canvas breach creates finals-week disruption across education
Instructure, the company behind Canvas, said it reached an agreement with the hackers behind a cyberattack that disrupted students and faculty during finals. The company said the stolen data was returned and that it received “digital confirmation” the remaining copies were destroyed, though it also acknowledged there is no way to be completely certain when dealing with cybercriminals. The breach reportedly involved student IDs, names, email addresses, and Canvas messages, while ShinyHunters claimed data tied to nearly 9,000 schools and 275 million individuals. Nothing says academic excellence like negotiating with hackers while everyone is trying to submit final papers.
👉️ Key takeaway: Education platforms are operationally critical systems now, not just “school software.” Incident response plans need to treat them like core infrastructure.
🔑 Braintrust tells every customer to rotate sensitive AI API keys
AI evaluation startup Braintrust confirmed unauthorized access to one of its AWS cloud accounts that contained customer API keys used to access cloud-based AI models. The company told every customer to revoke and replace API keys stored with Braintrust, even though it said it had only communicated with one impacted customer and had not found evidence of broader exposure. That is the right move, but also the kind of email that instantly makes every security team’s coffee taste worse.
👉️ Key takeaway: AI tooling is now part of the software supply chain. Treat stored model keys like production secrets, because attackers certainly will.
🐧 Ubuntu and Canonical services hit by DDoS outage
Ubuntu and Canonical services were disrupted after hacktivists claimed responsibility for a DDoS attack against public-facing infrastructure. Canonical said its web infrastructure was under a sustained cross-border attack, affecting services Ubuntu users rely on. The reported attack was not exotic, but that is exactly the point: basic denial-of-service pressure can still create real disruption when it lands on widely used infrastructure. Sometimes the internet’s oldest tricks still work because the internet is held together by load balancers and hope.
👉️ Key takeaway: DDoS resilience still matters, especially for vendors supporting widely used developer and open-source ecosystems.
🛠️ Emerging Threats & Vulnerabilities
🌐 Critical cPanel flaw sparks mass exploitation frenzy
A critical authentication-bypass flaw in cPanel, WHM, and WP Squared products has come under heavy exploitation shortly after disclosure. The bug, CVE-2026-41940, carries a critical 9.8 CVSS score and can allow attackers to gain administrative access and take over servers and hosted sites. Censys saw roughly 15,000 potentially compromised instances within the first 24 hours after disclosure, with some attacks dropping Mirai variants and others using ransomware. Patch windows are now less “when we get to it” and more “before lunch, ideally.”
👉️ Key takeaway: Internet-exposed admin panels remain high-value targets. Patch critical hosting infrastructure fast, then verify compromise did not already happen.
📱 CISA gives agencies four days to patch exploited Ivanti EPMM flaw
CISA ordered federal agencies to patch CVE-2026-6973, an Ivanti Endpoint Manager Mobile flaw exploited as a zero-day, within four days. Ivanti said the bug allows attackers with administrative privileges to remotely execute code on affected on-prem EPMM systems, and Shadowserver was tracking more than 800 exposed appliances. Ivanti said exploitation appeared limited, but “limited exploitation” has a funny way of becoming “board update” when exposed appliances stay online.
👉️ Key takeaway: Exposed Ivanti EPMM systems should be patched immediately, and admin accounts should be reviewed and rotated where needed.
🐧 Linux “Copy Fail” flaw exploited to gain root
CISA warned that attackers have started exploiting the “Copy Fail” Linux vulnerability, tracked as CVE-2026-31431. The flaw affects the Linux kernel’s algif_aead cryptographic interface and can let unprivileged local users gain root on unpatched systems. Researchers said the exploit worked reliably against Ubuntu, Amazon Linux, RHEL, and SUSE, and warned that mainstream Linux distributions shipped since 2017 may be in scope. Nothing like a root bug with a nostalgia tour.
👉️ Key takeaway: Prioritize kernel updates on Linux endpoints and servers, especially multi-user systems, cloud workloads, and internet-facing hosts.
🧩 Checkmarx Jenkins plugin compromised with infostealer
A rogue version of the Checkmarx Jenkins AST plugin was published to the Jenkins Marketplace after attackers used credentials stolen from a prior Trivy supply-chain attack. Checkmarx said attackers were able to interact with its GitHub environment and publish malicious code to certain artifacts. Users who downloaded the malicious Jenkins plugin were told to assume credentials were compromised, rotate secrets, and investigate for lateral movement or persistence. CI/CD pipelines are great because they automate everything, including sometimes your bad day.
👉️ Key takeaway: Treat compromised build plugins as serious supply-chain incidents. Rotate secrets, inspect pipeline activity, and verify downstream artifacts.
🕵️ Privacy Watch
🚗 GM to pay $12.75M in California driver-data privacy settlement
General Motors agreed to pay $12.75 million to settle California allegations that it collected, stored, and sold driver data without proper consent. The settlement requires GM to pause sales of driving data to consumer reporting agencies for five years and delete certain driving data after 180 days unless consumers affirmatively consent. California officials said GM sold data to LexisNexis and Verisk, including information collected through OnStar. The modern car is apparently part vehicle, part rolling data broker, and part privacy lawsuit with cupholders.
👉️ Key takeaway: Connected-product data collection needs clear consent, retention limits, and third-party sharing controls before regulators decide to explain it for you.
📺 Texas sues Netflix over alleged data-sharing practices
Texas sued Netflix, alleging the company collected and shared subscriber data with advertisers and data brokers without proper consent. The lawsuit claims Netflix tracked viewing habits, devices, household networks, app usage, behavioral data, and children’s profile activity. Texas is also asking a judge to stop allegedly unlawful collection and sharing, and to prevent Netflix from using autoplay by default on kids’ profiles. Streaming was supposed to replace cable, not become a data science group project with snacks.
👉️ Key takeaway: Privacy risk is moving deeper into product telemetry, adtech, and children’s data. Legal, security, and product teams need to be in the same room before regulators invite themselves in.

🌍 APTs and State Sponsored Attacks
🔥 Palo Alto zero-day exploited in likely state-sponsored campaign
Palo Alto Networks disclosed exploitation of CVE-2026-0300, an unauthenticated remote-code-execution flaw affecting the User-ID Authentication Portal on PA and VM series firewalls. SecurityWeek reported that Unit 42 linked exploitation to a likely state-sponsored group, with evidence pointing toward China-linked tradecraft. Attackers reportedly used root privileges, cleaned logs, deployed tooling, and targeted Active Directory using the firewall’s service account credentials. The perimeter device was not just the front door here, it was the attacker’s lobby pass.
👉️ Key takeaway: Firewall compromise needs to trigger identity review, log validation, and internal recon checks. Do not stop at patching the box.
🎭 Iranian government hackers use Chaos ransomware as cover
Researchers say Iranian state-linked hackers tied to MuddyWater used Chaos ransomware as cover for espionage and data theft. Rapid7 found that an intrusion initially looked like a ransomware incident but later showed technical links to Iran’s Ministry of Intelligence and Security. The attackers reportedly used Microsoft Teams social engineering, remote management tooling, credential collection, and extortion threats. Ransomware is increasingly being used as a mask, because apparently espionage now comes with branding.
👉️ Key takeaway: Do not assume every ransomware-labeled incident is financially motivated. Attribution, access paths, and data-theft objectives still matter.
💿 Suspected Chinese-language hackers backdoor Daemon Tools
Kaspersky researchers said they found a malicious backdoor planted in Daemon Tools, a long-running Windows disc imaging tool. The campaign reportedly affected thousands of Windows computers, with follow-on malware deployed against targets in retail, scientific, manufacturing, and government environments. Kaspersky linked the activity to a Chinese-language-speaking group and said the supply-chain attack appeared active at the time of reporting. Once again, trusted software distribution is the magic tunnel attackers would very much like everyone to ignore.
👉️ Key takeaway: Monitor trusted software updates and installer behavior, especially for tools used broadly across technical workstations and admin environments.
🤖 AI in Cyber
🧠 Google spots AI-developed zero-day before mass exploitation
Google researchers identified a zero-day exploit that they say was developed with heavy AI involvement and alerted the affected vendor before a mass-exploitation campaign could begin. The vulnerability affected a popular open-source web administration tool, though Google did not name the product or the cybercrime group preparing to use it. Researchers said the exploit code contained AI-like artifacts, including highly annotated Python code and a hallucinated non-existent CVSS score. Even the exploit apparently had AI slop in the margins.
👉️ Key takeaway: AI-assisted exploit development is no longer theoretical. Detection teams should expect faster weaponization and weirder artifacts in attacker code.
⏱️ U.S. officials consider three-day patch deadline as AI speeds exploitation risk
Reuters reported that U.S. cyber officials are considering cutting federal deadlines for fixing actively exploited vulnerabilities from weeks to three days. The discussions are driven by concern that newer AI models can accelerate vulnerability discovery and exploitation, compressing timelines from weeks or days to hours in some cases. Experts also warned that tighter deadlines may run into practical limits around staffing, readiness, and remediation capacity. Translation: the patch clock may be getting faster, whether your change window likes it or not.
👉️ Key takeaway: Organizations should pressure-test whether they can identify, prioritize, test, and patch exploited vulnerabilities in days, not weeks.

