Instagram AI Support Hack Hits 20,225 Accounts; AI Worm 'Hades' Lies to Security Tools; Chrome Zero-Day Patch

Host David Shipley reports Meta says 20,225 Instagram accounts were hijacked after an AI support tool was tricked into sending reset links to attacker-controlled emails, with only MFA-protected accounts resisting. Step Security details a new Miasma-derived worm wave called Hades that targets config files for 14 AI coding tools, can inject instructions to hijack assistants, lies to AI security tools, and includes a "dead man switch" wipe if stolen GitHub tokens are revoked; Microsoft also removed some GitHub repos after 73 open-source projects were compromised to inject an info stealer. University of Toronto and Vector Institute researchers demonstrated an AI worm using a free local model that spread across a simulated network via known flaws and misconfigurations. Google issued an emergency Chrome patch for actively exploited CVE-2026-11645 in V8, and insurers are tightening claims scrutiny and increasingly excluding AI-related liabilities.

00:00 Instagram AI Hack Fallout
01:36 AI Worm Hades Evolves
02:55 Microsoft Repo Compromise
03:54 Lab Built AI Worm Demo
05:27 Emergency Chrome Zero Day
07:07 Cyber Insurance Tightens Up
08:02 AI Liability Coverage Shrinks
09:16 Wrap Up and Sign Off

TClaude Outage Data Leak Fears, Microsoft GitHub Worm, IBM Hack Allegations, Meta AI Instagram Takeovers, and Canada's Bill C-8

David Shipley reports that Anthropic's Claude suffered a roughly two-hour outage affecting models including Opus, during which a user alleged receiving another customer's conversation; Anthropic says it has no evidence of a data leak and is investigating. A Team PCP self-spreading worm, Miasma, infected 73 Microsoft GitHub repositories across four accounts and now triggers via AI coding assistants when developers open cloned projects. A former IBM threat-intel executive, William Barlow, alleges IBM was hacked three times by foreign governments (including APT10 from 2013–2016) and concealed it; IBM denies wrongdoing and the claims are unproven. TechCrunch reports attackers hijacked Instagram accounts by persuading Meta's support chatbot to relink accounts to attacker emails, with ongoing reports despite Meta saying it's fixed. Canada's Senate passed critical-infrastructure cybersecurity law Bill C-8, mandating rules and incident reporting for telecom, finance, energy, and transportation.

00:00 Top Headlines Rundown
00:37 Claude Outage Data Leak Fears
02:17 Miasma Worm Hits Microsoft
03:52 IBM Breach Cover Up Claims
05:25 Meta AI Hands Over Instagram
06:40 Why Chatbots Fail Social Engineering
07:44 Canada Passes C-8 Cyber Law
09:58 Wrap Up and Sign Off

Host Jim Love and panelists David Shipley, Laura Payne, and Jeff Williams discuss a researcher ("Chaotic/Nightmare Eclipse") publicly disclosing multiple Windows zero-days affecting components including Defender and BitLocker, frustration with Microsoft's vulnerability disclosure process, and backlash to Microsoft's initially threatening tone before it was partially walked back; the panel debates responsible disclosure, the need for researcher support/organization, transparency vs liability, and how vulnerability reporting is straining under volume. They then examine a White House AI executive order focused on voluntary measures and 30-day model access, criticizing the lack of basic safety and cybersecurity protections amid FOMO about losing to China and an AI investment bubble. The conversation covers AI-driven harms and studies on reduced brain activity and "cognitive surrender," while noting benefits when AI is used as a tutor. Shipley highlights Canada's Senate passing Bill C-8 on critical infrastructure cybersecurity, and the group urges outcome-focused security, architecture/risk prioritization, and critical thinking against AI-enabled social engineering.

Cybersecurity Today would like to thank Material Security for sponsoring this podcast. Material Security provides faster, more complete detection and response for email, identity, and data threats inside Google Workspace and Microsoft 365. You can contact them at material[dot]security.

00:00 Sponsor Message
00:24 Show Welcome Panel
01:17 Microsoft Zero Day Fallout
04:19 Researcher Backlash Drama
06:46 Unionizing Bug Hunters
13:10 Product Liability Debate
23:23 Regulation vs Transparency
26:00 AI Bubble Investor Risk
28:01 White House AI Order
32:24 Cybersecurity Gaps Telecom
33:19 Telecom Trust Breakdown
34:32 AI Harms and Exploitation
35:36 Studies on Cognitive Surrender
38:13 Markets Regulation and Politics
40:13 Canada Cyber Law Win
42:33 Adoption Hype and Subsidy Bubble
48:50 Patch Deluge and AppSec Strain
52:10 Defenses Beyond Patching
54:17 Outcomes Critical Thinking and CIA
01:01:49 Education Disruption and Closing
01:04:14 Sponsor Message Material Security