daily plain-text briefing: security, markets, business, and pittsburgh
Splunk patched a 9.8-severity hole that hands unauthenticated attackers code execution on the monitoring platform security teams lean on, the freshest danger on a day filled with AI-governance fights and self-inflicted data leaks.
Emerging Trends
Pre-Auth RCE: Critical unauthenticated code-execution flaws keep landing in core enterprise software, with Splunk, Oracle PeopleSoft, and Check Point VPN all letting attackers in before any login.
AI Governance: Policymakers and vendors scramble to govern AI, from Senator Sanders's sovereign-wealth proposal to Washington's export curbs on Anthropic to Microsoft's new AI incident-response playbook.
Long Dormancy: Defenders keep uncovering flaws and intruders that sat undisturbed for a decade, including phpBB's authentication bypass and Velvet Ant's grip on Linux logins.
Human Error: Self-inflicted exposure rivals hacking, as a redaction slip leaked Argentina's World Cup passports and fraudsters seeded fake filings into Maine's breach portal.
Enforcement Wins: Law enforcement pressed cybercrime hard, with the FBI dismantling the Outsider phishing service, a Conti operator pleading guilty, and Europol felling the AudiA6 laundering network.
Security
Vulnerabilities and Exploits
1. Splunk Enterprise Pre-Auth Code Execution Flaw
[patch, rce]
Latest developments: Splunk shipped patches for CVE-2026-20253, a 9.8-severity flaw that lets an unauthenticated attacker create or truncate arbitrary files and run code on Splunk Enterprise.
The bug hits Splunk Enterprise versions below 10.2.4 and 10.0.7, where an unauthenticated user can perform arbitrary file operations that escalate to remote code execution. Splunk runs at the heart of many security operations centers, so a compromise hands attackers the monitoring platform itself. Administrators should upgrade to 10.2.4 or 10.0.7 at once and lock down management-interface exposure.
Latest developments: SecurityWeek reported accusations that IBM and AT&T concealed past hacks from the public, alongside news that Google cut staff from its security organization.
The roundup surfaces claims that IBM and AT&T hid security incidents from customers and regulators, conduct that breach-notification laws penalize. Google laid off members of its security team even as attack surfaces widen. The same dispatch flagged flat industrial-control-system exposure and a fresh Microsoft incident-response playbook for AI.
Latest developments: A botched document redaction exposed the passport numbers of Lionel Messi and the rest of Argentina's World Cup squad before the tournament kicked off.
Someone published a team document without properly redacting it, spilling players' passport details to anyone who looked. No hacker touched the file; the leak came from ordinary human error, a recurring source of data exposure. The episode shows how a redaction slip exposes sensitive identity data as reliably as any breach.
Latest developments: Senator Bernie Sanders, in a New York Times essay, proposed an AI sovereign wealth fund and warned that a handful of billionaires steer artificial intelligence with little democratic input.
Sanders argues that the people building and profiting from AI wield power that escapes public accountability, and he wants a sovereign-wealth structure to spread the gains. Security commentator Bruce Schneier amplified the question through the lens of his book on rewiring democracy. The proposal widens a policy fight over who governs AI, days after Washington forced Anthropic to pull two models over export concerns.
Latest developments: Palo Alto's Unit 42 disclosed a previously unknown macOS Tahoe 26 artifact that records a user's menu selections across the operating system.
The artifact logs which menu items a user picks system-wide, giving investigators a fresh timeline of on-device activity. Forensic analysts and incident responders can mine it to reconstruct what someone actually did on a Mac. Defenders gain a new evidence source, and the same trail could expose user behavior in ways privacy-minded owners never anticipate.
Israel struck Hezbollah targets in Beirut's outskirts after drone attacks, and Iran threatened to abandon talks, endangering a near-final deal to end the U.S.-Iran war; President Trump rebuked Israel for a response he called disproportionate. (WSJ World News · FT World)
SpaceX completed the largest IPO in history, and do-it-yourself traders bought $118 million of the stock on day one, steadying shaky markets; the deal capped a record Wall Street fundraising run alongside Anthropic and Alphabet financings. (WSJ Markets · FT Markets)
U.S. headline annual inflation reached 4.2 percent, the highest since April 2023, raising the stakes for Kevin Warsh's first meeting this week as Federal Reserve Chair. (FT Markets · FT World)
China launched a cross-border digital payments platform to challenge the dollar, backed by the central banks of Hong Kong, Thailand, the United Arab Emirates, and Saudi Arabia. (FT Markets)
Pittsburgh
Weather
Today: Chance Showers And Thunderstorms, high 84F.
Tonight: Showers And Thunderstorms then Mostly Cloudy, low 56F.
Monday: Mostly Sunny, high 71F.
Business
Alcosan began a billion-dollar Ohio River tunnel, the first piece of a 10-year program to overhaul Pittsburgh's sewer and stormwater system and reshape the region's waterways. (Pittsburgh Post-Gazette)
Allegheny County weighs a paid parental leave mandate, and area businesses warn it would raise their costs, pressing concerns before the policy advances. (Pittsburgh Post-Gazette)
Pennsylvania issued a quarantine order on farm animals as the New World screwworm, a flesh-eating livestock parasite, spreads through southwestern states, reviving a threat the U.S. had contained for decades. (Pittsburgh Post-Gazette)
Around Town
A $10.57 million project will restrict traffic on a Hampton Township roadway for more than a month, delivering drainage upgrades, milling, paving, and base repairs. (WPXI)
Nara Organics recalled baby formula sold at Target after a multistate infant botulism outbreak; the rare illness strikes babies under age 1 when ingested spores produce a toxin in the gut. (WPXI)
Pennsylvania crime victim services face funding cuts as white-collar prosecutions dropped under the Trump administration, shrinking the fee revenue that pays for them. (Pittsburgh Post-Gazette)
Scattered thunderstorms hit western Pennsylvania this afternoon, with damaging winds the main hazard between 3 and 8 p.m.; the rain clears east by 9 or 10 p.m. as drier, cooler air follows. (WTAE)
Events
West Virginia's baseball team, winners of six straight and fresh off the program's first-ever tournament victory, plays North Carolina tonight in the Men's College World Series in Omaha. (KDKA)
Marlins beat the Pirates 8-3 for their 6th straight victory
Reading
Ed Zitron — Premium: The Silicon Valley Bubble (Part 1). Zitron argues the AI era is ending, pointing to OpenAI and Anthropic both filing to go public as a race for exit liquidity despite burning billions a year with no path to profitability.
Stratechery — Fable 5, Anthropic Alignment, AI Tiers. Thompson examines Fable 5, the public version of Mythos, finding it very capable yet setting troubling new precedents around alignment and tiered AI access.
Cal Newport — Why Isn’t AI Taking Our Jobs?. Newport challenges the AI industry's comparison of its technology to industrial automation, asking why AI has yet to eliminate cognitive work the way machines replaced manual labor.