Daily plain-text briefing: security, markets, business, and Pittsburgh
Defenders harden the software supply chain and turn AI loose on their own code, even as the same technology fuels the phishing machines law enforcement keeps tearing down.
Latest developments: npm 12 will stop running install scripts from dependencies unless a developer explicitly allows each one.
Today npm install runs the lifecycle scripts a package defines, the exact mechanism attackers abuse to execute code the moment a developer pulls a poisoned dependency. Version 12 flips the default so those scripts stay dormant until a developer opts in per package. The change goes after the install-time execution behind a string of JavaScript ecosystem compromises. Teams should expect builds that genuinely need scripts to declare them.
Sources: SecurityWeek
Latest developments: Researcher Taylor Hornby, working with Claude Opus 4.8, found a critical vulnerability in the Zcash Orchard privacy pool on May 29, and the Zcash team fixed it.
Orchard, Zcash's newest privacy pool, arrived in 2022 to let users send shielded transactions. The Zcash team hired Hornby specifically to hunt for flaws, and he surfaced a critical one fast with help from Claude Opus 4.8. Developers patched it. Anyone holding Zcash should confirm they run the corrected software.
Sources: Schneier on Security
Latest developments: A court sentenced a former Iowa school district IT employee to 21 months in prison for a prolonged attack that deleted accounts and disrupted classrooms.
The former administrator kept access after leaving and used it to wage a drawn-out attack on the district, deleting accounts, halting classroom operations, and running up tens of thousands of dollars in damage. The 21-month sentence measures the harm a trusted insider with lingering credentials still inflicts. Organizations should cut departing staff access the day they leave and watch privileged accounts for abuse.
Sources: BleepingComputer
Latest developments: Unit 42 disclosed a previously unknown macOS Tahoe 26 forensic artifact that records the menu selections a user makes across the operating system.
Palo Alto's Unit 42 found that macOS Tahoe 26 logs user menu selections throughout the system, a trail investigators can mine to reconstruct what someone did during an incident. The artifact hands forensic analysts a finer record of intent on a Mac. Defenders writing macOS investigation playbooks should fold it into their collection routines.
Sources: Unit 42 (Palo Alto)
Latest developments: Trump publicly rebuked Israel and ordered Israel and Hezbollah to stand down after the Beirut strike, insisting the U.S.-Iran deal to reopen the Strait of Hormuz can still close Sunday.
Israel hit what it called a Hezbollah command center on Beirut's outskirts, and Iran threatened to abandon the U.S. talks and retaliate. President Trump told both sides to halt attacks, racing to finalize an agreement that would end the U.S.-Iran war and reopen the Strait of Hormuz.
Sources: WSJ World News · FT World
Latest developments: Beijing unveiled a cross-border currency platform backed by the central banks of Hong Kong, Thailand, the UAE, and Saudi Arabia, its most concrete move yet to cut reliance on the dollar.
China teed up a digital payments system to settle cross-border transactions outside dollar channels, drawing in Gulf and Southeast Asian central banks. The platform advances Beijing's long campaign to internationalize the yuan and blunt the reach of U.S. financial sanctions.
Sources: FT Markets
This Afternoon: Showers And Thunderstorms Likely, high 84F.
Tonight: Showers And Thunderstorms then Mostly Cloudy, low 56F.
Monday: Partly Sunny, high 71F.
Latest developments: Nara Organics recalled infant formula sold at Target and online after a multistate infant botulism outbreak.
Federal regulators linked the formula to infant botulism cases across several states. The recall covers products sold in Target stores and online, and parents should stop using affected lots.
Sources: Pittsburgh Post-Gazette · WTAE
Latest developments: Pennsylvania issued a quarantine order on farm animals as it tracks New World screwworm cases spreading through southwestern states.
The flesh-eating parasite, contained for decades, has resurged in the U.S. Pennsylvania's order restricts animal movement to keep the pest out of the state's livestock.
Sources: Pittsburgh Post-Gazette
Latest developments: A $10.57 million improvement project will restrict traffic on a Hampton Township roadway for more than a month.
The work covers drainage upgrades, milling and paving, and base repair. Drivers face restrictions through the duration of the job.
Sources: WPXI
Latest developments: A new report found nearly half of Pennsylvania's educator preparation programs fail to adequately train future teachers in how to teach reading.
The finding lands as states overhaul reading instruction through new laws. The gap touches the colleges that supply Pennsylvania's classroom teachers.
Sources: TribLive
Latest developments: The Pennsylvania Firefly Festival, June 26 and 27, opens free daytime programming even as its guided nocturnal firefly sightings have sold out.
The 14th annual Pennsylvania Firefly Festival runs Friday and Saturday, June 26 and 27, in Tionesta, in the Allegheny National Forest, about 100 miles north of Pittsburgh. The guided nighttime viewings are booked, though free daytime nature exhibits, music, and activities remain open. The forest holds at least 15 firefly species, all glowing this time of year.
Sources: NEXTpittsburgh Events
Pirates (36-36)
Sat Jun 13 · Marlins 2 · Pirates 3 · Final
Spencer Horwitz hit by pitch with the bases loaded to lift the Pirates past the Marlins, 3-2
Sun Jun 14 · Marlins 4 · Pirates 2 · Final
Meyer outduels Skenes, allows one run in six innings as Marlins top Pirates 4-2
Up Next · Pirates @ Athletics · Mon Jun 15, 9:40 PM
Latest developments: The Pirates expect Oneil Cruz to miss four to six weeks and have recalled Esmerlyn Valdez to fill the roster spot.
Cruz's absence pulls a power bat from the Pirates lineup. Valdez gets the call-up to cover the opening.
Sources: Post-Gazette Pirates
Latest developments: Paul Skenes, at the center of MLB's labor battle, said the players need to dig in ahead of a possible work stoppage.
The Post-Gazette laid out how the Pirates ace views the fight over payroll, a salary cap, and the next collective bargaining agreement. Skenes argues players should hold firm against the owners.
Sources: Post-Gazette Pirates
Latest developments: The Post-Gazette distilled 10 things it learned about Mike McCarthy and the Steelers during spring workouts, spanning Aaron Rodgers, Joey Porter Jr., DK Metcalf, and the backfield.
The team wrapped its 2026 offseason program this week. The lessons cover the new offense under McCarthy, the quarterback room, and roster competition heading toward training camp at Saint Vincent College.
Sources: Post-Gazette Steelers
S&P 500 7,377.03 ▼ -2.2%
Dow 50,725.58 ▼ -0.7%
Nasdaq 25,695.30 ▼ -3.8%
WTI crude 88.42 ▼ -5.0%
EUR/USD 1.1550 ▼ -0.4%
GBP/USD 1.3363 ▼ -0.6%
USD/JPY 160.31 ▲ +0.3%