Executive Summary
- Supply chain attacks continue with compromised Checkmarx Jenkins plugin and KICS attack, requiring immediate version verification across all deployments
- First AI-generated zero-day exploit targeting 2FA authentication discovered in the wild, marking significant escalation in attacker capabilities
- Critical cPanel vulnerability (CVE-2026-41940) under active exploitation to deploy persistent backdoors on web hosting infrastructure
- Education sector disrupted by Canvas platform breach affecting schools and universities nationwide with data extortion threats
- Linux kernel privilege escalation vulnerabilities (Dirty Frag) pose widespread risk to enterprise systems requiring urgent patching
Top Threats Today
1. Checkmarx Jenkins Plugin Supply Chain Compromise
Severity: Critical Affected: Technology
TeamPCP has compromised the official Checkmarx Jenkins Application Security Testing (AST) plugin published to the Jenkins Marketplace. The malicious version contains infostealer functionality and was distributed to security teams relying on this trusted tool. Organizations using versions after 2.0.13-829.vc72453fa_1c16 (published December 17, 2025) are at immediate risk of credential and sensitive data exfiltration.
Recommended Action
- Immediately identify all Jenkins instances with Checkmarx AST plugin installed and document current versions
- Downgrade or remove the plugin; verify the safe version 2.0.13-829.vc72453fa_1c16 or earlier is deployed
- Conduct forensic analysis on affected servers for signs of data exfiltration and monitor for suspicious outbound connections
- Rotate all credentials and API tokens that may have been exposed through the compromised plugin
2. AI-Generated Zero-Day 2FA Bypass Exploit
Severity: Critical Affected: Technology
Google disclosed the first known zero-day exploit developed with artificial intelligence for bypassing two-factor authentication. An unknown threat actor leveraged an AI system to discover and weaponize the vulnerability for mass exploitation. This represents a significant escalation in attacker sophistication and marks the first documented use of AI in malicious vulnerability discovery in the wild.
Recommended Action
- Review and strengthen 2FA implementations; consider hardware security keys as primary authentication method
- Monitor authentication logs for anomalous login patterns, particularly successful logins with delayed or missing MFA confirmations
- Implement adaptive authentication policies and behavioral analysis to detect account takeover attempts
- Brief security teams on the emerging threat of AI-assisted exploit development and prepare incident response procedures
3. cPanel CVE-2026-41940 Active Exploitation Campaign
Severity: Critical Affected: Technology
Threat actor Mr_Rot13 is actively exploiting critical vulnerability CVE-2026-41940 in cPanel and WebHost Manager (WHM) to deploy the Filemanager backdoor on compromised web hosting environments. This vulnerability impacts cPanel/WHM deployments and allows persistent unauthorized access, putting thousands of hosted websites and customer data at risk.
Recommended Action
- Patch all cPanel/WHM instances to the latest patched version immediately; prioritize internet-facing systems
- Scan for Filemanager backdoor artifacts and suspicious file modifications in web root directories
- Review cPanel access logs and file integrity monitoring for unauthorized changes or access patterns
- Notify all customers hosted on affected infrastructure and advise them to change passwords and review account activity
4. Canvas Education Platform Extortion Campaign
Severity: Critical Affected: Education
Instructure confirmed that hackers exploited a Canvas vulnerability to deface login portals and extort schools and universities nationwide. The attack disrupted classes and coursework across multiple institutions, with threat actors threatening to leak exfiltrated data. This is an active ongoing campaign directly impacting educational continuity.
Recommended Action
- Apply all available security patches for Canvas immediately and enable enhanced authentication monitoring
- Notify user base of the breach and advise password resets; implement forced password changes for affected accounts
- Preserve evidence and engage law enforcement; do not engage with extortion demands
- Implement web application firewall rules to prevent similar defacement attempts and monitor for data exfiltration
5. Dirty Frag Linux Kernel Privilege Escalation
Severity: Critical Affected: Technology
A critical privilege escalation vulnerability dubbed Dirty Frag was discovered in the Linux kernel. Similar to Copy Fail and Dirty Pipe, it allows any user with a basic account to gain full administrative control. The vulnerability is in the same kernel subsystem that produced recent exploits and may already be under limited exploitation in enterprise environments.
Recommended Action
- Inventory all Linux systems and their kernel versions; prioritize enterprise distributions for immediate patching
- Apply kernel security updates from your distribution provider as soon as available
- Monitor system logs for privilege escalation attempts and suspicious sudo/privilege elevation activities
- Test patches in non-production environments first, then deploy across infrastructure according to change management procedures
Today’s Action Checklist
- ☐ URGENT: Verify Checkmarx Jenkins plugin version across all instances; downgrade if necessary and rotate exposed credentials
- ☐ URGENT: Patch cPanel/WHM systems to address CVE-2026-41940; scan for Filemanager backdoor artifacts
- ☐ URGENT: Update Canvas installations and force password resets for all users; monitor extortion communications
- ☐ CRITICAL: Assess Linux kernel versions across enterprise systems and plan Dirty Frag patch deployment
- ☐ CRITICAL: Review and strengthen 2FA implementations; monitor authentication logs for suspicious patterns
- ☐ HIGH: Brief security teams on AI-assisted exploit development and update incident response procedures
- ☐ HIGH: Monitor for Active Directory authentication anomalies; note that password resets alone may not remove persistent attackers
- ☐ HIGH: Review network router configurations for known vulnerabilities; monitor for token harvesting activities