================================================================
INFOSECFOLLOW -- security, markets, business, pittsburgh
Tuesday, June 16, 2026 - 9:05 AM EDT
================================================================

Varonis chained three bugs into a one-click Microsoft 365 Copilot exploit that siphoned emails, files, and MFA codes through a genuine microsoft.com link, as China-nexus spies surfaced after a year inside North American research networks.

CONTENTS: Emerging Trends | Security | Business and Politics | Pittsburgh | Sports | Reading | Markets

EMERGING TRENDS
----------------------------------------------------------------

* AI Exploitation: AI assistants and gateways serve as both weapon and target this week, with the Copilot SearchLeak chain, a Vertex AI cross-tenant code-execution flaw, and a LiteLLM takeover all turning trusted machine identities into exfiltration paths.
* Supply Chain: Attackers keep poisoning the software pipeline, swelling the Arch User Repository compromise to 1,500 packages and hijacking the OptinMonster WordPress plugin through its content-delivery network.
* Edge Exploitation: Network appliances stay the soft underbelly, with Fortinet FortiSandbox, Cisco Catalyst SD-WAN Manager, and a LiteSpeed cPanel plugin all under active exploitation.
* Chinese Espionage: China-linked crews favor long, quiet dwell times, rewiring victims' own Google Workspace rules and porting the SprySOCKS backdoor to Windows to spy on government and research targets for months.
* Crypto Fraud: Investment-scam crews now send couriers to victims' doorsteps to collect cash when banks block wire transfers, hardening pig-butchering schemes against financial controls.

SECURITY
----------------------------------------------------------------

:: NATION-STATE ACTIVITY

1. CHINA-NEXUS SPIES LURK A YEAR IN RESEARCH NETWORKS [apt, espionage, breach]

Latest developments: Google disclosed a China-linked campaign that hid for over a year inside North American medical, academic, and military research networks by backdooring exposed REDCap servers with InfiniteRed malware, stealing login credentials, then rewiring victims' own Google Workspace mail rules to copy sensitive defense and research email out; separately ESET flagged two Windows variants, marked WIN_DRV and WIN_PLUS, of the previously Linux-only SprySOCKS backdoor hitting government bodies in at least four countries.

The REDCap intrusion stands out for its exfiltration trick: rather than smuggling data through new channels, the attackers turned the targets' legitimate Workspace forwarding rules into a quiet pipe for stolen mail. The SprySOCKS expansion adds driver-based stealth and hard-coded command-and-control over TCP and UDP, widening a tool once confined to Linux. Research institutions running internet-facing REDCap should rotate credentials, audit Workspace rules for unexpected forwarding, and hunt for the new Windows variants.

- Dark Reading: https://www.darkreading.com/threat-intelligence/china-nexus-actor-us-researchers-undetected
- The Hacker News: https://thehackernews.com/2026/06/chinese-hackers-abused-google-workspace.html
- The Hacker News: https://thehackernews.com/2026/06/china-linked-sprysocks-backdoor-expands.html
- BleepingComputer: https://www.bleepingcomputer.com/news/security/chinese-hackers-breach-redcap-servers-steal-medical-research/

2. NORTH KOREAN CREWS BAIT DEVELOPERS AND ACCOUNT HOLDERS [apt, phishing, malware]

Latest developments: Genians Security Center found ScarCruft, also tracked as APT37, sending spear-phishing that impersonates Microsoft account security alerts to drop a malware called NarwhalRAT, while Proofpoint detailed the Contagious Interview cluster running developer-recruitment and code-review phishing lures that turn coding tools into malware delivery channels.

ScarCruft's fake Microsoft security warnings prey on users' instinct to react fast to account threats, steering them into installing NarwhalRAT. The Contagious Interview operation, also known as Famous Chollima, keeps targeting software engineers with job and code-review themes, exploiting the trust developers place in recruiting and review workflows. Staff should verify account alerts through official portals rather than email links, and developers should treat unsolicited coding challenges and review requests with suspicion.

- The Hacker News: https://thehackernews.com/2026/06/fake-microsoft-alerts-used-to-deploy.html
- The Hacker News: https://thehackernews.com/2026/06/north-korean-hackers-are-turning.html

:: AI SECURITY

3. COPILOT SEARCHLEAK STEALS EMAIL AND MFA CODES [ai, zero-day, prompt-injection]

Latest developments: Varonis Threat Labs detailed SearchLeak, a now-patched chain of three bugs in Microsoft 365 Copilot Enterprise Search that let one click on a real microsoft.com link pull a user's emails, calendar entries, indexed files, and even two-factor codes, slipping past anti-phishing and URL filters because the link pointed at a trusted domain.

The exploit hid the malicious payload inside variables and concealed URLs that rode a legitimate Microsoft domain, defeating tools that judge links by reputation. Microsoft has fixed the flaw, but researchers place it in a growing family of prompt-injection attacks that weaponize the AI assistant's own trusted access.
Enterprises leaning on Copilot for search should treat its broad data reach as a high-value target and watch for similar indirect injection paths.

- The Hacker News: https://thehackernews.com/2026/06/one-click-microsoft-365-copilot-flaw.html
- Dark Reading: https://www.darkreading.com/application-security/copilot-searchleak-attack-1-click-data-theft
- Ars Technica Security: https://arstechnica.com/security/2026/06/critical-copilot-vulnerability-allowed-hackers-to-seal-2fa-code-from-users/

:: VULNERABILITIES AND EXPLOITS

4. FORTINET FORTISANDBOX FLAWS UNDER ACTIVE ATTACK [zero-day, patch, exploit]

Latest developments: Threat intelligence firm Defused observed attackers exploiting three vulnerabilities in Fortinet FortiSandbox over the past 24 hours, including CVE-2026-39813, a path-traversal flaw in the JRPC API rated 9.1, alongside CVE-2026-39808 and CVE-2026-25089, one of them patched only last week.

FortiSandbox sits at the heart of many networks as a threat-detection appliance, so a compromise hands attackers a trusted vantage point. The path-traversal bug lets an attacker reach files outside intended directories, and the cluster of three flaws under simultaneous exploitation suggests an active campaign against unpatched units. Administrators should apply Fortinet's fixes immediately and inspect FortiSandbox logs for exploitation traces.

- The Hacker News: https://thehackernews.com/2026/06/attackers-exploit-three-fortinet.html
- BleepingComputer: https://www.bleepingcomputer.com/news/security/critical-fortinet-fortisandbox-flaws-now-exploited-in-attacks/

5. ATOMIC ARCH ATTACK SWELLS TO 1,500 PACKAGES [supply-chain, malware]

Latest developments: The Arch Linux supply-chain compromise, first counted at roughly 400 packages, ballooned to 1,500 malicious uploads to the Arch User Repository, prompting Arch to suspend new account registrations, while attackers separately hijacked the OptinMonster, TrustPulse, and PushEngage WordPress plugins through a compromise of Awesome Motive's content-delivery network.

The AUR flood, dubbed Atomic, rewrote build scripts to drop an infostealer and rootkit, and the surge to 1,500 packages forced Arch to close the registration door behind the attackers. The OptinMonster incident poisoned plugins at the CDN layer, meaning sites pulling updates received tainted code without any direct breach of their own servers. Developers and site owners using these ecosystems should audit recently installed packages and plugin assets and rotate any exposed credentials.

- SecurityWeek: https://www.securityweek.com/atomic-arch-supply-chain-attack-hits-1500-aur-packages/
- BleepingComputer: https://www.bleepingcomputer.com/news/security/optinmonster-wordpress-plugin-hacked-in-cdn-supply-chain-attack/

:: RANSOMWARE AND CYBERCRIME

6. DRAGONFORCE HIDES IN TEAMS AS SUGAR MILLS HALT [ransomware, malware]

Latest developments: BleepingComputer reported DragonForce ransomware operators deploying a custom backdoor named Backdoor.Turn that buries command-and-control traffic inside Microsoft Teams relay infrastructure, while a separate group calling itself The Gentlemen shut down the mills of Mackay Sugar, Australia's second-largest sugar producer.

By tunneling control traffic through Teams relays, DragonForce blends its communications into normal corporate collaboration flows, frustrating network defenders who trust Microsoft endpoints. The Mackay Sugar attack halted physical milling operations, a reminder that ransomware crews readily knock industrial producers offline.
Organizations should scrutinize anomalous Teams relay traffic and segment operational technology from corporate IT to limit production-stopping intrusions.

- BleepingComputer: https://www.bleepingcomputer.com/news/security/ransomware-gang-abuses-microsoft-teams-relays-to-hide-malicious-traffic/
- SecurityWeek: https://www.securityweek.com/ransomware-attack-shuts-down-mills-of-australias-second-largest-sugar-producer/

:: DATA BREACHES

7. FRESH BREACH CLAIMS HIT NOVO NORDISK AND EUROPE [breach, extortion]

Latest developments: The hack-and-leak group FulcrumSec claimed it stole 1.3 terabytes of data from drugmaker Novo Nordisk, the Council of Europe opened a probe into ShinyHunters' weekend breach claims, and digital healthcare firm iRhythm Holdings disclosed that attackers took patient personal and health data from third-party-hosted business applications.

Novo Nordisk, already named in earlier breach reporting, now faces a specific extortion claim quantifying the haul at 1.3 terabytes. The Council of Europe, the continent's oldest intergovernmental body, is investigating ShinyHunters, the same crew tied to recent enterprise-software thefts. iRhythm's incident shows third-party application hosting remains a leak point for sensitive medical records. Affected individuals should watch for targeted phishing and fraud, and the organizations face mounting disclosure and regulatory pressure.

- SecurityWeek: https://www.securityweek.com/cybercrime-group-claims-novo-nordisk-hack/
- BleepingComputer: https://www.bleepingcomputer.com/news/security/council-of-europe-investigates-shinyhunters-data-breach-claims/
- BleepingComputer: https://www.bleepingcomputer.com/news/security/irhythm-discloses-data-breach-says-hackers-stole-patient-info/

:: POLICY AND REGULATION

8. GOVERNMENTS MOVE ON KIDS, RUSSIAN MAIL, AND NSS [policy, regulation]

Latest developments: The United Kingdom announced a ban on social media access for children under 16 across all user-to-user platforms that enable social interaction and run algorithmic feeds, Estonia ordered extra screening to quarantine emails from Russia's .ru top-level domain before they reach government officials, and the White House issued NSPM-12 to bolster national security systems cybersecurity governance and reestablish the Committee on National Security Systems.

Britain's age cutoff reaches every algorithm-driven social platform, an aggressive step that will force identity and age checks. Estonia's .ru quarantine treats an entire national domain as a threat vector against its officials, reflecting wartime caution toward Russian infrastructure. NSPM-12 sets a clearer accountability structure for protecting U.S. classified and military systems. Platforms, agencies, and contractors across all three jurisdictions must now adjust compliance and screening practices.

- The Record: https://therecord.media/uk-to-ban-social-media-access-for-children-under-16
- The Record: https://therecord.media/estonia-quarantine-russian-emails
- SecurityWeek: https://www.securityweek.com/white-house-issues-memo-to-bolster-nss-cybersecurity/

BUSINESS AND POLITICS
----------------------------------------------------------------

* Bank of Japan Raises Rate to 1%

Latest developments: The Bank of Japan lifted its policy rate to 1% Tuesday, the first time it has reached that level since 1995, and said it will stop reducing its monthly bond purchases starting next year.

Japan's central bank moved against inflation risks, noting that the pass-through of high oil prices is running fast through the economy; the rate sits at a 31-year high. The decision marks a decisive step away from the ultra-loose policy Japan held for decades and ripples through global bond and currency markets.
- FT World: https://www.ft.com/content/1e887867-8533-423b-977c-c019759f7787
- FT World: https://www.ft.com/content/8360c4bb-ca5b-47c0-90e5-c2ed77552cba

* SpaceX Buys Cursor, Nears Amazon's Value

Latest developments: SpaceX agreed to buy the autonomous coding agent Cursor for $60 billion, and its market value climbed toward Amazon's as the post-IPO rally extended.

Days after the largest initial public offering on record, Elon Musk's rocket company spent $60 billion on an AI coding firm, signaling a pivot beyond launches into software and pushing its valuation among the world's largest. The scale of the deal and the run-up draw scrutiny over concentration in megacap technology shares.

- WSJ US Business: https://www.wsj.com/business/spacex-agrees-to-buy-ai-coding-agent-cursor-for-60-billion-7a473340?mod=pls_whats_news_us_business_f
- FT World: https://www.ft.com/content/17153f13-b0c8-4331-8f97-32a19a5e966e

PITTSBURGH
----------------------------------------------------------------

Weather:
Today: Mostly Sunny, high 77F.
Tonight: Mostly Cloudy then Scattered Showers And Thunderstorms, low 59F.
Wednesday: Mostly Sunny, high 80F.

Business:

* Housing Authority Leaves a Building It Bought

Latest developments: The Post-Gazette reports Pittsburgh's Housing Authority purchased a building and then had to leave it, a setback in the agency's affordable-housing work.

The Housing Authority of the City of Pittsburgh acquired a property as part of its affordable-housing effort, only to vacate it, raising questions about how the agency manages its real estate as demand for low-cost housing stays high.

- Pittsburgh Post-Gazette: https://www.post-gazette.com/business/development/2026/06/16/housing-authority-pittsburgh-affordable-housing/stories/202606140032

* Fat Head's South Side Building Closes

Latest developments: Pittsburgh City Paper traced the colorful history of the South Side building that housed Fat Head's after the popular brewpub closed.
Fat Head's, a brewpub on Pittsburgh's South Side, has shut down, ending one chapter in a building whose past stretches back through several owners. The closure removes a longtime craft-beer destination from East Carson Street.

- Pittsburgh City Paper: https://www.pghcitypaper.com/news-2/history/the-fat-heads-building-on-pittsburghs-south-side-has-a-colorful-history/

* Sarris Candies Opens Factory Tours

Latest developments: The Post-Gazette details a new chocolate factory tour at Sarris Candies in Canonsburg, opening the production floor to visitors.

Sarris Candies, the family chocolate maker in Canonsburg, now offers guided tours of its factory, adding a tourist draw in Washington County and a window into how the regional confectioner produces its sweets.

- Pittsburgh Post-Gazette: https://www.post-gazette.com/life/food/2026/06/16/sarris-candies-canonsburg-factory-tours/stories/202606210004

Around town:

* Council Weighs Fern Hollow Settlements

Latest developments: Pittsburgh City Council could vote this month on settlements for 11 people hurt in the 2022 Fern Hollow Bridge collapse.

Four years after the Forbes Avenue bridge over Fern Hollow gave way, the city is moving to compensate 11 victims. A council vote would close out part of the legal fallout from one of Pittsburgh's most prominent infrastructure failures.

- TribLive: https://triblive.com/local/pittsburgh-city-council-to-vote-on-settlements-for-fern-hollow-bridge-victims/

* Commercial Street Bridge Demolition

Latest developments: WTAE reports crews will demolish the old Commercial Street Bridge, including a planned controlled explosion, before the new span slides into place.

Pittsburgh is replacing the Commercial Street Bridge, and the old structure must come down first, partly by controlled blast. The work clears the way for the new bridge in the city's east end.
- WTAE: https://www.wtae.com/article/pittsburgh-commercial-street-bridge-demolition/71600255

* Acid Spill at Cleveland Cliffs in Butler County

Latest developments: WPXI reports hazmat crews responded to the Cleveland Cliffs plant in Butler County for an acid spill into Connoquenessing Creek.

An acid spill reached Connoquenessing Creek from the Cleveland Cliffs facility in Butler County, drawing hazardous-materials teams. Crews are assessing the discharge into the waterway.

- WPXI: https://www.wpxi.com/news/local/hazmat-called-cleveland-cliffs-butler-county-acid-spill-connoquenessing-creek/QS22FGF4CBASHDBL5ZROFJWHHM/

* Landslide Closes GAP Trail in July

Latest developments: The Post-Gazette reports landslide repairs will close the Great Allegheny Passage in West Mifflin in July, with an $8 million long-term fix planned.

A slipping hillside will shut a stretch of the Great Allegheny Passage through West Mifflin next month, interrupting the popular Pittsburgh-to-Washington trail. A permanent $8 million stabilization is in the works.

- Pittsburgh Post-Gazette: https://www.post-gazette.com/life/outdoors/2026/06/16/great-allegheny-passage-trail-west-mifflin-closure/stories/202606120075

* Storms and an Alert Day Thursday

Latest developments: Forecasters call for highs in the 70s Tuesday with evening showers, rain returning late Wednesday, and an Alert Day Thursday for rain and storms.

After a comfortable start to the week, Western Pennsylvania faces a wetter pattern, with Thursday flagged as the most active day for rain and thunderstorms. Drivers and outdoor planners should expect disruption midweek.
- WTAE: https://www.wtae.com/article/rain-returns-late-wednesday-impact-day-thursday/71598337
- WPXI: https://www.wpxi.com/weather/highs-70s-tuesday-showers-move-this-evening/QSKTWIXXJBA3FMULE54IPUEBDQ/

Events:

* Juneteenth Across Pittsburgh

Latest developments: The Post-Gazette rounds up Juneteenth observances around Pittsburgh, including festivals and films, ahead of the June 19 holiday.

Pittsburgh marks Juneteenth, the June 19 commemoration of emancipation, with festivals, film screenings, and other gatherings across the region. The Post-Gazette's guide lists where to go; consult it for specific times, venues, and admission.

- Post-Gazette Arts & Entertainment: https://www.post-gazette.com/life/recreation/2026/06/16/juneteenth-events-pittsburgh-2026/stories/202606170002

* Father's Day Brunches and Dinners

Latest developments: Pittsburgh City Paper lists restaurant specials for Father's Day on Sunday, June 21, including a brunch with lobster options at Ritual House downtown.

Pittsburgh restaurants are running Father's Day brunch and dinner deals on Sunday, June 21. Ritual House at 524 William Penn Place downtown offers brunch fare such as lobster; the City Paper roundup also previews Picklesburgh news. Check each venue for hours and reservations.
- Pittsburgh City Paper: https://www.pghcitypaper.com/food-drink/fathers-day-feasts-picklesburgh-deets-and-more-pittsburgh-food-news/

SPORTS
----------------------------------------------------------------

Pirates (36-37)
Mon Jun 15 · Pirates 2 · Athletics 11 · Final
Nick Kurtz and Jeff McNeil power the A's to an 11-2 victory over the struggling Pirates
https://plaintextsports.com/mlb/2026-06-15/pit-ath
Up Next · Pirates @ Athletics · Tue Jun 16, 9:40 PM
https://plaintextsports.com/mlb/2026-06-16/pit-ath

Around the Teams:

* Which Steelers Rookies Could Contribute

Latest developments: A Post-Gazette video assesses which Steelers rookies looked ready to contribute quickly after OTAs and minicamp, naming receiver Germie Bernard and lineman Max Iheanachor.

With the offseason program done, the Post-Gazette weighs which first-year Steelers stood out in spring practice and could earn early roles, spotlighting Bernard and Iheanachor among the candidates.

- Post-Gazette Steelers: https://www.post-gazette.com/sports/steelers/2026/06/15/nfl-news-rumors-germie-bernard-max-iheanachor/stories/202606150028

* SNR Drive Ranks Divisions by Quarterback

Latest developments: On the Steelers' SNR Drive, Matt Williamson and Wes Uhler ranked each NFL division by quarterback talent.

The team's SNR Drive show weighed where the AFC North and the rest of the league stand at quarterback, a measure that bears on Pittsburgh's path in a division it must navigate. The hosts debated the tiers across all eight divisions.

- Pittsburgh Steelers (YouTube): https://www.youtube.com/watch?v=yFuV9I1SkMw

READING
----------------------------------------------------------------

* Ed Zitron -- Exclusive: OpenAI Losses Increased Nearly 8X in 2025, With Spending Hitting $34 Billion
Zitron reports financials showing OpenAI's losses ballooned almost eightfold in 2025 as spending reached $34 billion, arguing the company has no clear path to profitability.
https://www.wheresyoured.at/exclusive-openai-financials/

* Ed Zitron -- AI's Brokenomics
Zitron contends the economics of the AI industry do not add up, with cash-burning firms propped up by hype rather than sustainable revenue.
https://www.wheresyoured.at/brokenomics/

* Stratechery -- Fox Buys Roku, The Problem With Fox's Smart Strategy, Streaming That Works
Thompson argues Fox's purchase of Roku trades extraction from rights holders for leverage as a distributor, a logic the market dislikes but that may make strategic sense.
https://stratechery.com/2026/fox-buys-roku-the-problem-with-foxs-smart-strategy-streaming-that-works/

* Stratechery -- Anthropic's Safety Superpower
Thompson argues Anthropic's conviction in its own safety commitment gives it license to push its business aggressively and even challenge the U.S. government.
https://stratechery.com/2026/anthropics-safety-superpower/

* Cal Newport -- AI Isn't Breaking Work. It's Already Broken.
Newport, responding to a survey of digital workers, argues that knowledge work was already dysfunctional before AI and that the technology mostly exposes existing problems.
https://calnewport.com/ai-isnt-breaking-work-its-already-broken/

MARKETS (weekly average, change vs prior week)
----------------------------------------------------------------

S&P 500     7,377.03   ▼ -2.2%
Dow         50,725.58  ▼ -0.7%
Nasdaq      25,695.30  ▼ -3.8%
WTI crude   86.31      ▼ -7.1%
EUR/USD     1.1556     ▼ -0.4%
GBP/USD     1.3386     ▼ -0.3%
USD/JPY     160.23     ▲ +0.2%

================================================================
Generated 2026-06-16 09:05 EDT.
Sources: 22 security feeds; 9 Pittsburgh feeds; 4 Pittsburgh arts and events feeds; 6 Pittsburgh sports beat and podcast feeds; the Wall Street Journal, the Economist, and the Financial Times; and Ed Zitron, Stratechery, Cal Newport. Markets from Yahoo Finance, weather from the NWS, scores from ESPN.
Summaries are AI-generated from the linked reporting; verify at the sources.
================================================================