infosecfollow

daily plain-text briefing: security, markets, business, and pittsburgh

Markets

weekly average, change vs prior week

S&P 500     7,377.03  ▼ -2.2%
Dow        50,725.58  ▼ -0.7%
Nasdaq     25,695.30  ▼ -3.8%
WTI crude      88.31  ▼ -5.2%
EUR/USD       1.1550  ▼ -0.4%
GBP/USD       1.3378  ▼ -0.3%
USD/JPY       160.28  ▲ +0.2%

ShinyHunters looted gigabytes from hundreds of organizations through an Oracle PeopleSoft zero-day, capping a day that turned on actively exploited enterprise software and AI-driven crime.


Emerging Trends

Topics

Vulnerabilities and Exploits

1. Oracle PeopleSoft Zero-Day Ravages Universities

[zero-day, exploit, breach]

Last 24h: Google confirmed ShinyHunters exploited CVE-2026-35273, a missing-authentication flaw in Oracle PeopleSoft, and CISA added it to the known exploited vulnerabilities catalog.

The bug lets attackers reach a critical PeopleTools function with no authentication. Oracle has mitigated it, though the company has not publicly confirmed in-the-wild abuse. ShinyHunters used the access to steal gigabytes from hundreds of organizations, hitting American universities hardest. Administrators running PeopleSoft should apply Oracle's fix and hunt for data exfiltration now.

Sources: Ars Technica Security · Dark Reading · SecurityWeek · CISA Advisories

2. CISA Orders 3-Day Ivanti Sentry Patch

[patch, exploit]

Last 24h: CISA's new Binding Operational Directive 26-04 gives federal agencies until Sunday to patch an actively exploited Ivanti Sentry command-injection flaw as honeypots log exploitation attempts.

The critical OS command-injection bug lets attackers run code with root privileges on Ivanti Sentry gateways. Researchers watching honeypots see attackers probing the flaw, a sign of broad opportunistic scanning. Federal agencies face a three-day deadline under BOD 26-04, and private operators should move with the same urgency.

Sources: BleepingComputer · SecurityWeek

Ransomware and Cybercrime

3. 400 Arch Linux AUR Packages Hijacked

[supply-chain, malware]

Last 24h: Attackers rewrote build scripts in more than 400 Arch User Repository packages this week to drop a Rust infostealer and an eBPF rootkit.

The AUR is Arch Linux's community package collection, where build scripts run on a user's own machine. The hijacked packages install a Rust binary that harvests developer credentials and access tokens, and with root it loads an eBPF rootkit to hide itself. Developers who built any AUR package this week should rotate secrets and inspect their systems for the rootkit.

Sources: The Hacker News · BleepingComputer

4. Police Hit Crypto Laundering and Phishing Networks

[ransomware, law-enforcement]

Last 24h: Europol dismantled AudiA6, a crypto-laundering service that washed over €336 million for ransomware gangs, as a Ukrainian pleaded guilty to Conti charges and INTERPOL's Operation Ramz felled the Sniper Dz phishing platform.

AudiA6 laundered more than €336 million (~$389 million) in ransomware and cybercrime proceeds between 2022 and 2025 before authorities seized it. INTERPOL's Operation Ramz arrested 201 people across 13 MENA countries and shut the decade-old Sniper Dz PhaaS platform. A Ukrainian national extradited from Ireland admitted conspiracy tied to Conti, extending the pressure on ransomware money flows.

Sources: Help Net Security · The Hacker News · BleepingComputer

AI Security

5. Google Sues China-Based Gemini Smishing Network

[ai, phishing, fraud]

Last 24h: Google sued Outsider Enterprise, a China-based network it accuses of weaponizing its Gemini AI to run a phishing-as-a-service kit that blasted scam texts at Americans.

The operation built the Outsider PhaaS kit and used Gemini to generate phishing sites and scam infrastructure, linked to more than 9,000 fake sites and a million fraudulent URLs. Google estimates hundreds of thousands of victims and millions of dollars in losses. The suit marks a push to wield civil litigation against criminals who industrialize fraud with AI.

Sources: The Hacker News · Help Net Security

6. New Attacks Target AI Coding Agents

[ai, vulnerability, rce]

Last 24h: Researchers detailed Agentjacking, which tricks AI coding agents into running arbitrary code through fake Sentry error reports, and a LangGraph vulnerability chain enabling remote code execution.

Tenet Security's Agentjacking abuses crafted Sentry error reports to push AI coding agents into executing attacker code on developer machines. Three now-patched LangGraph flaws, including an SQL injection, chain into remote code execution on self-hosted AI agents. The findings show autonomous agents widening the attack surface as they read documents, call APIs, and run code. Teams running self-hosted agents should patch LangGraph and constrain agent execution.

Sources: The Hacker News · The Hacker News

Nation-State Activity

7. Velvet Ant Backdoored Linux Login for a Decade

[apt, espionage]

Last 24h: Sygnia disclosed that the China-linked Velvet Ant group backdoored the PAM and OpenSSH components governing Linux logins, hiding for close to ten years.

Velvet Ant planted its access in the authentication layer that decides who may sign in, where routine cleanup could not reach. Sygnia tracks the group as a China-nexus actor built for long-term espionage. Defenders should audit PAM modules and OpenSSH binaries for tampering across critical infrastructure.

Sources: The Hacker News

Data Breaches

8. Record Privacy Fines and Fresh Breaches Pile Up

[breach, policy, fine]

Last 24h: South Korea fined Coupang a record $409 million over a data breach, a bankruptcy administrator approved a $47 million fund for 23andMe victims, and Novo Nordisk and France's Tchap messenger disclosed new breaches.

Coupang's $409 million penalty is the largest ever from the commission, topping an $88.8 million fine against SK Telecom earlier this year. The 23andMe fund compensates 7 million customers whose genetic data leaked starting April 2023, much of it posted to the dark web. Novo Nordisk, the world's largest insulin maker, exposed clinical-trial patient data, and a breach of France's Tchap encrypted messenger hit over 73,000 public-sector accounts. Regulators and courts keep raising the cost of weak data stewardship.

Sources: The Record · The Record · BleepingComputer · BleepingComputer

Business and Politics

Pittsburgh

Weather

Tonight: Mostly Clear, low 60F.

Saturday: Sunny, high 86F.

Saturday Night: Partly Cloudy, low 64F.

Sports

PIRATES (35-35)
Jun 11: Dodgers 8  Pirates 6  Final
  Ohtani homers, leaves game with left knee inflammation
  in Dodgers' 8-6 win over Pirates
  https://plaintextsports.com/mlb/2026-06-11/lad-pit
Jun 12: Marlins 8  Pirates 3  Final
  https://plaintextsports.com/mlb/2026-06-12/mia-pit
Headlines:
  Marlins bring 5-game win streak into matchup with the
  Pirates
  2026 MLB ABS challenge system tracker: Team, player
  rankings

Business

Around town

Events

Reading