daily plain-text briefing: security, markets, business, and pittsburgh
Federal agents and Google tore down Outsider Enterprise, a China-based AI-powered phishing service running a million malicious URLs, as Washington let its Section 702 surveillance authority lapse for the first time.
Emerging Trends
AI Crackdown: Law enforcement and vendors moved hard against AI-enabled crime as the FBI dismantled the Gemini-fueled Outsider phishing kit, while a researcher used Claude Opus 4.8 to find a critical Zcash flaw, showing AI cuts both ways.
Dormant Flaws: Decade-old defects keep surfacing, with phpBB patching a ten-year authentication bypass that grants admin login, echoing the long-buried bugs found this week in Linux login software and Check Point VPNs.
Supply Chain: Registry defenders are rewriting defaults, as npm 12 will stop running dependency install scripts automatically, the same vector behind this week's Arch Linux package hijacks.
Surveillance Politics: Government intelligence powers face open contest, with Section 702 of FISA lapsing amid congressional deadlock and Bernie Sanders pressing the question of who controls AI.
Security
Ransomware and Cybercrime
1. FBI Dismantles Outsider Phishing-as-a-Service
[cybercrime, phishing, ai]
Latest developments: The FBI, working with Google and Black Lotus Labs, seized and dismantled Outsider Enterprise, escalating from Google's earlier lawsuit to a full takedown of thousands of phishing sites spanning roughly a million URLs.
read more
Outsider Enterprise ran a phishing-as-a-service kit out of China, weaponizing Google's Gemini to mass-produce scam texts and fraudulent websites that harvested credit card numbers and passwords from Americans. Operators rented the toolkit to blast smishing links across a million URLs. The coalition shut down the infrastructure and exposed the network behind it. Defenders should block known Outsider domains and warn staff about credential-stealing text lures.
Latest developments: A federal court sentenced a former IT employee of an Iowa school district to 21 months in prison for a prolonged cyberattack on his ex-employer.
read more
The insider deleted accounts, disrupted classroom operations, and ran up tens of thousands of dollars in damage after leaving the district. The case turns on access that outlasted his employment. It underscores the danger of credentials that survive a departure. Organizations should revoke accounts the moment staff exit.
Latest developments: Section 702 of the Foreign Intelligence Surveillance Act lapsed for the first time since its 2008 passage after Congress deadlocked, halting a cornerstone US foreign-intelligence collection program.
read more
Section 702 lets US agencies collect the communications of foreign targets abroad, a backbone of signals intelligence that also sweeps in Americans' data and has drawn privacy fights for years. Legislative deadlock let the authority expire outright. Intelligence agencies lose a key surveillance tool until Congress reauthorizes it. The lapse leaves ongoing collection in legal limbo.
Latest developments: Npm announced that version 12 will stop running dependency lifecycle scripts on install by default, requiring developers to explicitly allow them.
read more
Supply chain attackers have long abused npm's automatic execution of install scripts to run malware the moment a developer pulls a package. Npm 12 flips the default so install no longer executes those scripts unless whitelisted. The change blunts a favorite infection vector behind recent registry compromises. Developers relying on legitimate post-install scripts must opt them back in.
Latest developments: Researcher Taylor Hornby disclosed a critical vulnerability in Zcash's Orchard shielded pool, found on May 29 using Claude Opus 4.8, and the Zcash team patched it.
read more
Orchard is Zcash's newest privacy system for shielded transactions, live since 2022. The Zcash team hired Hornby to hunt for exactly this class of bug, and he found a critical one fast with AI assistance. Developers fixed it before any known exploitation surfaced. Zcash holders should move to the patched software.
Latest developments: phpBB fixed a ten-year-old authentication bypass that let an attacker log in as any user, administrators included.
read more
phpBB is widely deployed open-source forum software running countless community sites. The flaw lurked for a decade and allowed full account takeover, including admin access. Maintainers shipped a patch. Forum operators should upgrade at once.
Latest developments: Maine took its public data breach notification portal offline after fraudsters published fake breach disclosures on the state website.
read more
Maine runs a public portal where companies file data breach reports and citizens read them. Bad actors submitted bogus disclosures that the state published, undermining trust in the record. Officials pulled the portal and launched a review of submission controls. The episode exposes weak validation on government self-service intake.
Israel struck Hezbollah targets in Beirut's southern outskirts on Sunday, and Iran threatened to walk away from talks to end its war with the United States, imperiling a ceasefire President Trump expected to firm up within days. Trump publicly rebuked the strikes as a disproportionate response that could scuttle the deal. (WSJ World News · FT World)
US headline inflation reached 4.2 percent, the highest since April 2023, just as Kevin Warsh prepares to chair his first Federal Reserve meeting this week. The timing sets an early test of how the new chair weighs renewed price pressure against political demands for lower rates. (FT Markets · FT World)
China launched a cross-border digital payments platform backed by the central banks of Hong Kong, Thailand, the United Arab Emirates, and Saudi Arabia, its most concrete move yet to build settlement rails that route around the dollar. (FT World)
Pittsburgh
Weather
Today: Chance Showers And Thunderstorms, high 84F.
Tonight: Showers And Thunderstorms then Mostly Cloudy, low 56F.
Monday: Mostly Sunny, high 71F.
Business
Alcosan began a billion-dollar tunnel beneath the Ohio River, the first piece of a 10-year program to overhaul the region's sewer and stormwater system and cut overflows into Pittsburgh's rivers. (Pittsburgh Post-Gazette)
Allegheny County weighs a paid parental leave mandate, and business groups warn the cost and administrative load could fall hardest on small employers. (Pittsburgh Post-Gazette)
Pennsylvania issued a quarantine order on farm animals as the New World screwworm, a flesh-eating parasite, spread through southwestern states, putting livestock producers on alert. (Pittsburgh Post-Gazette)
Around Town
Forecasters flagged Sunday as an impact day across western Pennsylvania, with scattered afternoon thunderstorms capable of damaging winds between 3 and 8 p.m. before drier, cooler air settles in overnight. (WTAE)
A $10.57 million improvement project will restrict traffic on a Hampton Township roadway for more than a month, covering drainage upgrades, milling, paving, and base repairs. (WPXI)
Pennsylvania's crime victim services face funding cuts as white-collar prosecutions, whose fines bankroll the programs, dropped under the Trump administration. (Pittsburgh Post-Gazette)
Nara Organics recalled baby formula sold at Target after a multistate infant botulism outbreak; the rare illness strikes babies under a year old when ingested spores produce a toxin in the immature gut. (WPXI)
Events
West Virginia's baseball team faces North Carolina on Sunday evening in the Men's College World Series in Omaha, the Mountaineers carrying a six-game winning streak after their first-ever series win. (KDKA)
The Stroller's June 14 column rounds up upcoming nonprofit fundraisers, club meetings, and community events across the Alle-Kiski Valley. (TribLive)
Marlins beat the Pirates 8-3 for their 6th straight victory
Reading
Ed Zitron — Premium: The Silicon Valley Bubble (Part 1). Zitron argues the AI era is nearing its end, reading the simultaneous IPO filings of OpenAI and Anthropic as a race for exit liquidity by two firms that burn billions a year with no path to profit.
Stratechery — An Interview with Ben Bajarin About Apple, AI, and Compute. Thompson and analyst Ben Bajarin take stock of Apple's WWDC and the broader scramble for AI compute capacity, weighing what Apple's newly shipped Intelligence means for the industry.
Cal Newport — Why Isn’t AI Taking Our Jobs?. Newport challenges the favorite analogy of AI executives, that their technology will eliminate cognitive jobs the way machines eliminated manual ones, and digs into why the predicted wave of displacement has not arrived.