infosecfollow

daily plain-text briefing: security, markets, business, and pittsburgh

An Oracle PeopleSoft zero-day is bleeding gigabytes from hundreds of organizations as Washington forces Anthropic to pull its two newest AI models offline worldwide.


Security

Vulnerabilities and Exploits

1. Oracle PeopleSoft Zero-Day (CVE-2026-35273)

[zero-day, exploit, breach]

Last 24h: CISA added CVE-2026-35273 to its known-exploited catalog and ordered federal agencies to patch under Binding Operational Directive 26-04.

A missing-authentication flaw in Oracle PeopleSoft Enterprise PeopleTools lets attackers reach critical functions with no credentials. The ShinyHunters crew has exploited it to steal gigabytes from hundreds of organizations, hitting American universities hardest because so many run PeopleSoft for HR and finance. Apply Oracle's fix at once and hunt logs for bulk data exfiltration.

Sources: Ars Technica Security · Dark Reading · CISA Advisories

2. Check Point VPN Auth Bypass (CVE-2026-50751)

[zero-day, patch, vpn]

Last 24h: WatchTowr released a technical analysis and a detection-artefact generator for CVE-2026-50751, raising the odds of a broad opportunistic wave.

The authentication-bypass flaw in Check Point Remote Access VPN and Mobile Access lets attackers walk past login. Check Point patched it June 8, 2026, and confirmed limited active exploitation before the disclosure. Now that working detection tooling and analysis sit in public view, expect wider scanning and attacks. Patch immediately and review VPN authentication logs.

Sources: Help Net Security · Help Net Security

3. Critical Splunk Enterprise RCE (CVE-2026-20253)

[rce, patch]

Last 24h: Splunk shipped fixes for CVE-2026-20253, a 9.8 flaw that lets unauthenticated users run code.

In Splunk Enterprise below versions 10.2.4 and 10.0.7, an unauthenticated user can create or truncate arbitrary files and escalate to remote code execution. Splunk often sits at the center of a security operations center, so a compromise hands attackers the monitoring system itself. Upgrade to a fixed release now.

Sources: The Hacker News

AI Security

4. U.S. Pulls Anthropic's Fable 5 and Mythos 5 Offline

[ai, policy, export-controls]

Last 24h: Anthropic disabled Fable 5 and Mythos 5 globally after a 5:21 p.m. federal order barred all foreign-national access.

The Trump administration invoked export controls and cited national security plus a jailbreak to bar every foreign national, inside or outside the United States, from the two models. Anthropic complied and suspended both worldwide, yet disputes the basis, calling the jailbreak narrow and the capability common elsewhere. The directive knocked Anthropic's most advanced systems offline for all users. Industry voices split over dual-use risk, safeguards, and tiered access.

Sources: BleepingComputer · The Hacker News · SecurityWeek

5. Google Sues China-Based Gemini Smishing Network

[ai, phishing, cybercrime]

Last 24h: Google filed suit against Outsider Enterprise, accusing it of weaponizing Gemini to mass-produce phishing infrastructure.

The China-based network runs a phishing-as-a-service kit called Outsider and leaned on Google's Gemini agent to build phishing sites and scam infrastructure aimed at Americans. Google ties the group to more than 9,000 fake websites, a million fraudulent URLs, and hundreds of thousands of victims with losses in the millions of dollars. The lawsuit pairs civil claims with takedown pressure on the operation.

Sources: The Hacker News · Help Net Security

Nation-State Activity

6. Velvet Ant's Decade in the Linux Login Stack

[apt, china, persistence]

Last 24h: Sygnia detailed how the China-nexus group Velvet Ant backdoored PAM and OpenSSH to hide for nearly ten years.

Velvet Ant seized a target's authentication stack, planting implants in the PAM and OpenSSH components that decide who signs in, and held persistence for a decade with full view of administrative activity. The targeted network had no internet access, yet routine cleanup never reached binaries buried that deep. Defenders should verify the integrity of login binaries and authentication modules rather than trust them.

Sources: BleepingComputer · The Hacker News

Supply Chain Security

7. 400-Plus Arch Linux AUR Packages Hijacked

[supply-chain, rootkit, infostealer]

Last 24h: Attackers rewrote build scripts across more than 400 Arch User Repository packages to drop a credential stealer.

The malware is a Rust binary that harvests developer secrets and access tokens, and with root it loads an eBPF rootkit to hide itself. Any machine that builds a poisoned package executes the code during the build. The AUR is Arch Linux's community collection, separate from official repositories and largely user-trusted. Rebuild from clean sources and rotate every credential the build host touched.

Sources: The Hacker News · BleepingComputer

Data Breaches

8. Regulators and Courts Tally the Cost of Breaches

[breach, fine, policy]

Last 24h: South Korea fined Coupang a record $409 million while a US bankruptcy administrator approved a $47 million 23andMe settlement fund.

South Korea's privacy commission levied its largest-ever data-breach penalty, $409 million against Coupang, topping the $88.8 million SK Telecom fine from earlier this year. In the United States, an administrator approved a $47 million fund for 7 million 23andMe customers whose genetic data hackers stole starting April 2023 and posted to the dark web. Novo Nordisk, the world's largest insulin maker, separately disclosed a breach exposing clinical-trial patient data.

Sources: The Record · The Record · BleepingComputer

Pittsburgh

Weather

Today: Chance Showers And Thunderstorms, high 84F.

Tonight: Showers And Thunderstorms then Mostly Cloudy, low 56F.

Monday: Mostly Sunny, high 71F.

Sports

Pirates (36-35)

Sat Jun 13 · Marlins 2 · Pirates 3 · Final

Spencer Horwitz hit by pitch with the bases loaded to lift the Pirates past the Marlins, 3-2

Up Next · Marlins @ Pirates · Sun Jun 14, 12:15 PM

Markets

weekly average, change vs prior week

S&P 500     7,377.03  ▼ -2.2%
Dow        50,725.58  ▼ -0.7%
Nasdaq     25,695.30  ▼ -3.8%
WTI crude      88.42  ▼ -5.0%
EUR/USD       1.1550  ▼ -0.4%
GBP/USD       1.3363  ▼ -0.6%
USD/JPY       160.31  ▲ +0.3%