infosecfollow

daily plain-text briefing: security, markets, business, and pittsburgh

The FBI dismantled a China-based AI-powered phishing service spanning a million URLs, as Section 702 surveillance authority neared its first-ever lapse.

Emerging Trends

AI Weaponization: Criminals keep bending mainstream models to crime, with the Outsider network steering Google's Gemini to mass-produce scam texts behind a phishing-as-a-service kit.
Dormant Flaws: Two separate disclosures—a ten-year phpBB authentication bypass and Velvet Ant's decade inside Linux login software—show how long a single weakness can sit unnoticed.
Supply Chain: npm's move to stop running dependency scripts by default answers the same threat that hijacked hundreds of Arch Linux AUR packages this week.
AI Tooling: Defenders now lean on frontier models for the work, with a researcher using Claude Opus 4.8 to find a critical Zcash flaw and Microsoft publishing an AI incident-response playbook.

Security

Ransomware and Cybercrime

1. FBI Dismantles Outsider AI Phishing Service

[phishing, ai, takedown]

Latest developments: The FBI, Google, and Lumen's Black Lotus Labs seized the infrastructure behind Outsider Enterprise, escalating beyond Google's civil suit of last week to a coordinated takedown.

Outsider Enterprise sold phishing-as-a-service from China, weaponizing Google's Gemini AI to churn out scam text messages and running thousands of sites across roughly a million URLs to harvest credit card numbers and passwords. The FBI, working with Google and Black Lotus Labs, took down the operation. The action builds on Google's lawsuit naming the same network. Defenders should treat AI-generated smishing as a maturing commodity threat.

Sources: BleepingComputer · The Hacker News

2. Ex-IT Employee Jailed for Attacking School District

[insider, cybercrime]

Latest developments: A federal court sentenced a former IT employee of an Iowa school district to 21 months in prison for a prolonged attack on his old employer.

The former insider mounted a sustained cyberattack against the district after leaving. He deleted accounts, disrupted classroom operations, and caused tens of thousands of dollars in damage. The sentence underscores the persistent risk that departing administrators with lingering access pose. Organizations should revoke credentials promptly when staff leave.

Sources: BleepingComputer

Policy and Regulation

3. Section 702 Surveillance Power Set to Lapse

[policy, surveillance]

Latest developments: A legislative deadlock pushed Section 702 of the Foreign Intelligence Surveillance Act toward its first lapse since Congress passed it in 2008.

Section 702 lets US intelligence agencies collect the communications of foreign targets without a warrant, a power critics say sweeps in Americans' data along the way. With Congress unable to agree on reauthorization, the authority now faces an expiration that has never happened before. Agencies that rely on the program for foreign-intelligence collection confront an abrupt gap in capability.

Sources: The Record

Vulnerabilities and Exploits

4. NPM 12 Halts Dependency Install Scripts

[supply chain, patch]

Latest developments: npm announced that version 12 will stop running dependency install scripts by default, requiring an explicit allowlist to permit them.

Malicious packages routinely abuse install scripts to run code the instant a developer pulls a dependency, the same trick that poisoned hundreds of Arch Linux AUR packages this week. The change forces developers to opt in before any dependency script executes. It blunts one of the most reliable supply-chain vectors. Teams should plan for build pipelines that previously depended on automatic script execution.

Sources: SecurityWeek

5. phpBB Fixes Decade-Old Authentication Bypass

[vulnerability, patch]

Latest developments: Maintainers patched a phpBB authentication bypass that sat in the forum software for ten years and let an attacker log in as any user, administrators included.

phpBB powers countless online community forums. The flaw allowed an attacker to assume any account, including administrator accounts, by sidestepping the login check entirely. Maintainers have shipped a fix. Forum operators should update immediately, since the bug grants full control of vulnerable boards.

Sources: BleepingComputer

6. Critical Zcash Orchard Flaw Found and Fixed

[vulnerability, cryptocurrency]

Latest developments: Researcher Taylor Hornby disclosed a critical vulnerability he found in Zcash's Orchard privacy pool on May 29 using Claude Opus 4.8, and the Zcash team has patched it.

Zcash shields transactions with zero-knowledge proofs, and Orchard, introduced in 2022, is its most advanced shielded pool. The Zcash team hired Hornby to hunt exactly this class of bug, and he surfaced one quickly. The team fixed the flaw before any known exploitation. Holders of the cryptocurrency should update their software.

Sources: Schneier on Security

Data Breaches

7. Maine Pulls Breach Portal After Fake Filings

[breach, policy]

Latest developments: Maine took its public data breach reporting portal offline after fraudsters published fake breach disclosures on the state's website.

Maine runs a portal where companies file the data breach notices that state law requires. Bad actors abused it to post fraudulent disclosures, eroding trust in an official source defenders and victims rely on. The state pulled the portal and began reviewing its procedures to prevent future abuse. The episode shows how open disclosure systems invite manipulation.

Sources: BleepingComputer

Business and Politics

Israel struck Hezbollah targets on Beirut's outskirts in response to drone attacks, and Trump rebuked the strikes as disproportionate, warning they could unravel a deal to end the U.S.-Iran war that both sides had reached after a helicopter-crash escalation pushed them from renewed fighting to the cusp of a ceasefire. (WSJ World News · WSJ World News)
U.S. headline inflation reached 4.2 percent, its highest reading since April 2023, days before Kevin Warsh chairs his first Federal Reserve meeting, where markets will gauge how the new chair balances persistent price pressure against political demands for lower rates. (FT Markets · FT World)
SpaceX completed the largest IPO in history, with roughly $118 million of first-day retail buying helping steady jittery markets, part of a record fundraising wave that also drew Anthropic and Alphabet financings as the capital race behind artificial intelligence intensified. (WSJ Markets · FT World)
China launched a cross-border digital payments platform to challenge the dollar, backed by the central banks of Hong Kong, Thailand, the United Arab Emirates, and Saudi Arabia. (FT World)

Pittsburgh

Weather

Today: Chance Showers And Thunderstorms, high 84F.

Tonight: Showers And Thunderstorms then Mostly Cloudy, low 56F.

Monday: Mostly Sunny, high 71F.

Business

Alcosan has begun a billion-dollar tunnel beneath the Ohio River, the first piece of a 10-year program to overhaul the regional sewer system and curb overflows into Pittsburgh's waterways. (Pittsburgh Post-Gazette)
Allegheny County is weighing a paid parental leave policy, and area businesses warn the cost could strain smaller employers. (Pittsburgh Post-Gazette)
Pennsylvania ordered a quarantine on farm animals as the New World screwworm, a flesh-eating parasite, spreads through southwestern states and threatens livestock. (Pittsburgh Post-Gazette)

Around Town

Scattered thunderstorms will move through western Pennsylvania this afternoon, with damaging winds the main threat between 3 p.m. and 8 p.m. before drier, cooler air settles in overnight. (WTAE)
A $10.57 million project will restrict traffic on a Hampton Township roadway for more than a month, covering drainage upgrades, milling, paving, and base repair. (WPXI)
Nara Organics recalled baby formula sold at Target after a multistate infant botulism outbreak, an illness that strikes babies under a year old when ingested spores produce a toxin in the gut. (WPXI)
Pennsylvania crime victim services face funding cuts as white-collar prosecutions dropped under the Trump administration, shrinking the fines and forfeitures that bankroll the programs. (Pittsburgh Post-Gazette)

Events

The Stroller publishes free listings of upcoming community events, fundraisers, and club meetings across the Alle-Kiski Valley. (TribLive)

Sports

Pirates (36-35)

Sat Jun 13 · Marlins 2 · Pirates 3 · Final

Spencer Horwitz hit by pitch with the bases loaded to lift the Pirates past the Marlins, 3-2

Up Next · Marlins @ Pirates · Sun Jun 14, 12:15 PM

Marlins beat the Pirates 8-3 for their 6th straight victory

Reading

Ed Zitron — Premium: The Silicon Valley Bubble (Part 1). Zitron argues the AI era is ending as OpenAI and Anthropic file to go public, racing for exit liquidity despite burning billions a year with no path to profitability.
Stratechery — Fable 5, Anthropic Alignment, AI Tiers. Thompson examines Fable 5, the public version of Mythos, finding it very capable yet setting troubling precedents, alongside questions of Anthropic's alignment approach and emerging tiers of AI capability.
Cal Newport — Why Isn't AI Taking Our Jobs?. Newport challenges the comparison AI executives draw between their technology and industrial automation, examining why mass job displacement has yet to arrive.

Markets

weekly average, change vs prior week

S&P 500     7,377.03  ▼ -2.2%
Dow        50,725.58  ▼ -0.7%
Nasdaq     25,695.30  ▼ -3.8%
WTI crude      88.42  ▼ -5.0%
EUR/USD       1.1550  ▼ -0.4%
GBP/USD       1.3363  ▼ -0.6%
USD/JPY       160.31  ▲ +0.3%