20,000 accounts stolen in Instagram AI hack, a worm that lies to AI security tools, Canadian researchers built an AI worm with a free off-the-shelf model, an emergency Chrome patch, and why your cyber insurance may quietly stop covering AI. This is Cybersecurity Today and I'm your host, David Shipley. Let's get started.

We now have the hacked account total from Meta's AI assistant mess-up last week. Meta says 20,225 accounts were hijacked, according to Bleeping Computer. Those numbers come from a breach letter Meta filed with Maine's Attorney General. A recap for those who may have missed this story: Instagram's AI-powered support tool was tricked into handing over account reset links to emails that weren't associated with the account. Thanks to a flaw, it never checked that the emails being submitted actually belonged to the account. Attackers supplied their own address, got the reset link and took over. The only accounts this attack didn't work on were ones with multi-factor authentication. Letting agentic AI run your support and handing it the keys to reset accounts is asking for this kind of pain right now. There are lots of ways to socially engineer an LLM-powered AI.

Staying on the AI thread, and on a story we've been tracking for a while: on Monday we covered Miasma, the worm hiding in open source packages to steal developer credentials. It's evolved again. It has a new name and some nasty new tricks. Researchers at StepSecurity, the firm that found it, call this Wave Hades. Here's what makes this strain stand out. It doesn't just hide from AI security tools, it actively lies to them. The malware can fire the instant a developer opens an infected project in an AI coding assistant, planting fake instructions so the assistant reading the code gets hijacked. StepSecurity says it targets the config files of 14 different AI tools: Claude, Copilot, Gemini, Codex, and more. Revoke the stolen GitHub token and a background service wipes the machine. It's a digital dead man's switch. We've seen each of these tricks alone over the past few years: malware that lives in memory, payloads that fool AI analysis, code that can wipe a host. What's new is seeing all three riding together in a fast-moving, self-spreading AI-powered worm. That's a whole new kind of problem, and it's where more of these kinds of problems are headed.

Meanwhile, Microsoft is still recovering from the Miasma attack that we learned about over the weekend. Microsoft confirmed on Monday that it temporarily removed some GitHub repositories in response to 73 of its open source projects being compromised to inject an information stealer into the code. Among the projects that were infected was Durable Task, a Python package that was first compromised last month by a cybercrime group known as Team PCP to deliver an information stealer designed for Linux systems. It was Team PCP who first built the Shai-Hulud AI-powered worm that was going around compromising developer packages. They then open-sourced that worm, and others have since taken over developing derivatives.

And now we move from malware in the wild to a lab that shows us where this is all going next. Researchers at the University of Toronto and the Vector Institute built a working AI-powered worm, one that spread on its own across a simulated corporate network, adapting its plan as it went. The worm didn't run on Mythos, or any frontier model for that matter. It ran on a free open large language model on local hardware. And it didn't use a single zero-day. It went after exactly what most real attacks already use: known unpatched flaws and sloppy configurations. It even pulled in public security advisories on the fly to exploit bugs disclosed after its model was trained. The only good news for now: it's slow. In the test network, it took about five days to reach half the machines, burning hundreds of AI queries per target. But that window narrows as hardware continues to get cheaper and faster. The lead researcher, Nicholas Papernot, warns the window to prepare for these attacks is closing. The danger here isn't a super-intelligent attacker. It's that cheap, ordinary AI can now automate the dull known-vulnerability grunt work at scale that is the biggest part of advanced persistent threats. Which means the boring basics, patching, configuration, access control, that we still struggle with matter more than ever before.

And speaking of known unpatched flaws, here's one to fix today. Bleeping Computer reports Google has shipped an emergency Chrome fix for a zero-day under active exploitation, CVE-2026-11645, an out-of-bounds read/write bug in the V8 engine. It's the fifth exploited Chrome zero-day this year, and we're only in early June. A specially crafted webpage can trigger it to corrupt memory and run code, and it can be chained to defeat ASLR on the way to a fuller compromise. The patched builds are 149.0.7827.102 and 149.0.7827.103. Security Boulevard reports the emergency fix lands days after Google's regular June release, and that one was huge. Chrome 149 patched 429 flaws, well above a normal cycle, and more than 100 of those flaws were critical or high. One ANGLE bug carried a 9.6 on the CVSS severity scale and won someone a $97,000 bounty. Google says none of those 429 bugs it patched were being exploited. The actively attacked zero-day is a separate patch on top. A reminder: Chrome only applies these patches on restart. A browser that's been open for days may still be exposed. Relaunch it, and treat browser patching as the enterprise task it's now become, not just routine end-user hygiene.

Our last story zooms out from the patch to the growing price tag for insurance. Rates have slid for years and insurers are scrambling to stay profitable, and the result is harder scrutiny on claims, with policyholders recovering a smaller slice of what a breach actually costs. Here's the part that matters the most for security teams: when claims get disputed, the fight often comes down to one key question right now. Was multi-factor authentication actually turned on and enforced when the breach hit? Not "did you check the box on the application?" If the controls you attested to weren't really in place, your payout may disappear. Cybersecurity Dive cites Aon figures putting the average global ransomware claim now near $713,000 in 2025. That's almost double the year before. And then there's the impact AI is having on insurance. Several major carriers are quietly backing away from covering AI outputs, carving AI mistakes out of cyber and errors-and-omissions policies, or pricing them far higher, if you can get that. The reason is simple. They can't trace how AI tools reached a given result, so they can't price the risk. This trend started late last year when the Financial Times reported that AIG, Great American and W. R. Berkley asked U.S. regulators for permission to exclude AI tool liabilities. They're making a distinction between what they will and won't insure for AI systems. They're looking for governed AI systems and they're looking to avoid experimental ones. A bounded, monitored system with a rollback may be insurable. A swarm of autonomous agents with no oversight and no predictability? That's likely going to get you a no. I'm still not convinced that governed AI is actually a thing, given LLMs at their core are non-deterministic. This one is going to continue to evolve.

That's Cybersecurity Today for Wednesday, June 10, 2026. I've been your host, David Shipley. Thanks for listening and stay safe out there. We'll be back on Friday with Jim Love on the news destination.
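The Instagram story in the episode comes down to a recovery workflow that treated a caller-supplied email address as the destination for a reset link. The following is an added illustration, not Meta's code and not from the episode: a constructed Python model of that flawed pattern next to a hardened version that only mails a link to an address already verified on the account, binds the token to the account and address, expires it, and requires a second factor where MFA is on. The account names, addresses, the server secret and the `OUTBOX` stand-in for the mail system are all constructed for the example.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass

# Assumption: a real deployment keeps this key out of source control.
SERVER_SECRET = b"constructed-demo-secret"
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class Account:
    username: str
    verified_emails: set
    mfa_enabled: bool = False


# Constructed account directory for the example.
ACCOUNTS = {
    "alice": Account("alice", {"alice@example.com"}),
    "bob": Account("bob", {"bob@example.com"}, mfa_enabled=True),
}

# Stand-in for the mail system: records (recipient, token) pairs that would be sent.
OUTBOX = []

GENERIC_REPLY = "If an account matches, a recovery link has been sent."


def _make_token(username: str, email: str, issued_at: int) -> str:
    """HMAC token bound to the account, the destination address and an issue time."""
    msg = f"{username}|{email.lower()}|{issued_at}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}.{mac}"


def issue_reset_vulnerable(username: str, requested_email: str) -> str:
    """Flawed pattern: the address supplied with the request becomes the destination."""
    account = ACCOUNTS[username]
    token = _make_token(account.username, requested_email, int(time.time()))
    OUTBOX.append((requested_email.lower(), token))
    return GENERIC_REPLY


def issue_reset_hardened(username: str, requested_email: str, now: int = None) -> str:
    """Hardened pattern: the supplied address is only a lookup key, never a destination.
    A link goes out only to an address already verified on the account, and the reply
    is identical either way so a caller cannot learn which addresses are on file."""
    now = int(time.time()) if now is None else now
    account = ACCOUNTS.get(username)
    if account is None:
        return GENERIC_REPLY
    if requested_email.lower() not in {e.lower() for e in account.verified_emails}:
        return GENERIC_REPLY  # refuse silently; log the attempt server-side for detection
    token = _make_token(account.username, requested_email, now)
    OUTBOX.append((requested_email.lower(), token))
    return GENERIC_REPLY


def redeem_token(username: str, email: str, token: str,
                 second_factor_ok: bool, now: int = None) -> bool:
    """Accept a reset only if the token is authentic, unexpired, bound to this account
    and a verified address, and, when MFA is enabled, a second factor was presented."""
    now = int(time.time()) if now is None else now
    account = ACCOUNTS.get(username)
    if account is None:
        return False
    try:
        issued_str, _ = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False
    if issued_at > now or now - issued_at > TOKEN_TTL_SECONDS:
        return False
    expected = _make_token(username, email, issued_at)
    if not hmac.compare_digest(expected, token):
        return False
    if email.lower() not in {e.lower() for e in account.verified_emails}:
        return False
    if account.mfa_enabled and not second_factor_ok:
        return False
    return True
```

The redemption side re-checks that the address is verified on the account, so even a link that leaked through the flawed issuing path cannot complete a takeover, and accounts with MFA still need the second factor, which matches the episode's observation that MFA-protected accounts were the only ones the attack did not work on.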
Episode Title: AI Worms, Hacks, and Insurance Shifts
Host: David Shipley
Date: June 10, 2026
In this episode, David Shipley discusses the most pressing cybersecurity threats businesses face in 2026, focusing specifically on the impact of AI-powered attacks, a major Instagram AI hack, the evolution of AI worms, a critical Chrome zero-day, and significant changes in the cyber insurance landscape related to AI. The episode is rich in actionable insights and warnings for security professionals, with clear calls to shore up foundational security measures.
"Letting agentic AI run your support and handing it the keys to reset accounts is asking for this kind of pain right now." — David Shipley [01:20]
"What's new is seeing all three riding together in a fast moving, self-spreading AI powered worm. That's a whole new kind of problem." — David Shipley [03:10]
"The window to prepare for these attacks is closing. The danger here isn't a superintelligent attacker. It's that cheap, ordinary AI can now automate the dull known vulnerability. Grunt work at scale—that is the biggest part of advanced persistent threats." — David Shipley, summarizing Nicholas Papernot’s warning [07:00]
"A browser that's been open for days may still be exposed, relaunch it, and treat browser patching as the enterprise task it's now become—not just routine end user hygiene." — David Shipley [09:30]
"A bounded, monitored system with a rollback may be insurable. A swarm of autonomous agents with no oversight and no predictability? That's likely going to get you a no." — David Shipley [12:05]
"I'm still not convinced that governed AI is actually a thing, given LLMs at their core are non-deterministic. This one is going to continue to evolve." — David Shipley [12:40]
For cybersecurity professionals, this episode is a stark reminder: while AI supercharges both attacks and defenses, fundamentals and vigilance matter more than ever.