Daily plain-text briefing: security, markets, business, and Pittsburgh
China- and North Korea-linked crews burrowed into research, defense, and developer networks as attackers turned Fortinet's threat-verdict engine and Microsoft Teams relays into weapons.
Latest developments: Google disclosed a China-linked group that lived inside North American medical, academic, and military research networks for over a year, planting a credential-stealing backdoor on REDCap servers and then rewiring victims' own Google Workspace mail rules to copy every message out. Separately, ESET documented two Windows variants of the previously Linux-only SprySOCKS backdoor, marked WIN_DRV and WIN_PLUS, hitting government organizations in at least four countries.
A China-linked espionage group spent more than a year inside North American medical, academic, and military research networks. It first compromised REDCap research servers with a credential-stealing backdoor, then abused the victims' own Google Workspace mail-forwarding rules to siphon sensitive research and defense email past detection. ESET's parallel finding shows the actors' Windows toolset growing: SprySOCKS, long considered Linux-only, now ships WIN_DRV and WIN_PLUS variants with hard-coded command-and-control and driver-based stealth. Organizations running REDCap should audit Workspace forwarding rules and hunt for the new variants.
Sources: The Hacker News · Dark Reading · The Hacker News · BleepingComputer
Latest developments: Genians documented ScarCruft, also tracked as APT37, sending spear-phishing emails that impersonate Microsoft account security alerts to deliver NarwhalRAT, while Proofpoint tied two fresh campaigns using developer-recruitment and code-review lures to the Contagious Interview cluster known as Famous Chollima.
Two North Korean clusters ran fresh social-engineering campaigns. ScarCruft, also tracked as APT37, sent emails posing as Microsoft account security alerts to plant NarwhalRAT on targets. The Contagious Interview crew, known as Famous Chollima, leaned on developer-recruitment and code-review lures, turning trusted developer workflows into malware-delivery channels. Both rely on the target opening a convincing message, so verify unexpected security alerts and job outreach through separate channels.
Sources: The Hacker News · The Hacker News
Latest developments: Defused reported active exploitation over the past 24 hours of three FortiSandbox flaws—CVE-2026-39813, a 9.1-severity path-traversal bug in the JRPC API, plus CVE-2026-39808 and CVE-2026-25089—one of them patched only last week, with the exploit for one flaw apparently vibecoded and likely faulty.
FortiSandbox analyzes suspicious files and returns the verdicts other Fortinet products use to block threats and launch automated responses, so an attacker who subverts it blinds the surrounding stack. CVE-2026-39813 carries a 9.1 severity score; Fortinet patched it last week, yet exploitation continues. Defused noted that one public exploit appears vibecoded and likely faulty, which may limit reliability but not intent. Administrators should apply the latest FortiSandbox fixes immediately.
Sources: Help Net Security · The Hacker News · BleepingComputer
Latest developments: The Arch User Repository poisoning expanded to roughly 1,500 malicious packages, prompting Arch Linux to suspend new account registrations, while a content-distribution-network compromise at Awesome Motive tainted the OptinMonster, TrustPulse, and PushEngage WordPress plugins.
Two supply-chain compromises widened. The poisoning of the Arch User Repository grew to roughly 1,500 packages laced with malware, and Arch Linux suspended new account registrations to stem the flood. Separately, a compromise of Awesome Motive's content distribution network tainted the popular OptinMonster, TrustPulse, and PushEngage WordPress plugins. Site operators and Arch users should review recently installed packages and verify plugin integrity.
Sources: SecurityWeek · BleepingComputer
Latest developments: Symantec reported the DragonForce ransomware-as-a-service group used custom malware it calls Backdoor.Turn to tunnel command-and-control traffic through Microsoft Teams TURN relay infrastructure during an intrusion at a US services company, the first known abuse of Teams relays for this purpose.
DragonForce, a ransomware-as-a-service operation active since 2023, breached a US services company and routed its command-and-control traffic through Microsoft Teams TURN relay infrastructure using custom malware Symantec calls Backdoor.Turn. Hiding inside Teams relays lets the traffic blend with legitimate collaboration connections; this is the first known abuse of the channel. Defenders should scrutinize Teams relay connections and treat unexpected TURN traffic as suspect.
Sources: Help Net Security · BleepingComputer
Latest developments: iRhythm confirmed attackers stole patient personal and health data from third-party-hosted applications and demanded a ransom after the company learned of the intrusion on June 8; FulcrumSec claimed 1.3 terabytes taken from Novo Nordisk; hackers published Knicks and Madison Square Garden records including a talent risk list and customer emails; and the Council of Europe opened a probe into ShinyHunters' breach claims.
A run of breaches and extortion claims surfaced in a single day. iRhythm, which makes cardiac-monitoring devices, confirmed attackers stole patient personal and health data from third-party-hosted applications and demanded a ransom after it learned of the intrusion on June 8. FulcrumSec claimed 1.3 terabytes taken from Novo Nordisk, hackers dumped Knicks and Madison Square Garden records including a talent risk list and customer emails, and the Council of Europe opened a probe into ShinyHunters' claims. Affected individuals face phishing and identity-fraud exposure.
Sources: SecurityWeek · SecurityWeek · 404 Media · BleepingComputer
Latest developments: Researchers disclosed SearchLeak, a now-patched three-stage prompt-injection attack against Microsoft Copilot that planted hidden URLs and variables to exfiltrate user data, including two-factor authentication codes, with a single click.
Researchers disclosed SearchLeak, a three-stage prompt-injection attack against Microsoft Copilot that used hidden URLs and variables to exfiltrate user data, including two-factor authentication codes, with a single click. Microsoft has patched it. The flaw joins a growing class of injection attacks that smuggle instructions into the content an AI assistant reads, which researchers argue exposes a recurring weakness in how the industry secures large language models.
Sources: Ars Technica Security · Dark Reading
Latest developments: The UK said opening a social media account will require proving you are over 16 through an ID upload or a facial age scan under a ban on under-16s taking effect in spring 2027, and India temporarily blocked Telegram over fears scammers exploited the platform to leak medical-exam questions.
Two governments moved to restrict online access. The UK will require new social media users to prove they are over 16 through an ID upload or a facial age scan, part of a ban on under-16s taking effect in spring 2027; security experts warn the checks are easy to circumvent and create fresh troves of personal data to breach. India temporarily blocked Telegram amid fears scammers exploited the platform to leak medical-exam questions. Both measures trade anonymity and data exposure for claimed safety gains.
Sources: BleepingComputer · The Record · The Record
Latest developments: The Federal Reserve's first two-day policy meeting under new chair Kevin Warsh began Tuesday, with markets focused on his opening moves on interest rates.
Kevin Warsh chairs his first Federal Reserve policy meeting this week, and demand for Treasurys rose, pushing yields lower, as traders awaited both his rate stance and the still-unclear terms of the US-Iran deal. The decision sets the tone for how the new chair handles inflation running above 4%.
Sources: WSJ Markets
Latest developments: Published terms show the agreement lets Iran immediately resume oil sales and waives banking and transport sanctions, and the Trump administration is weighing a $300 billion fund to rebuild Iran.
The US-Iran memorandum extending the ceasefire carries early financial benefits for Tehran: immediate oil sales and waived banking and transport sanctions that ease transactions. Washington is considering a $300 billion reconstruction fund if the peace holds, while Iran says the deal also requires Israel to withdraw from Lebanon, a condition that keeps the still-unpublished accord uncertain.
Sources: WSJ World News · FT World
Today: Mostly Sunny, high 77F.
Tonight: Mostly Cloudy then Scattered Showers And Thunderstorms, low 59F.
Wednesday: Mostly Sunny, high 80F.
Latest developments: The Post-Gazette details how Pittsburgh's Housing Authority purchased its own headquarters only to vacate it.
Pittsburgh's Housing Authority bought the building it occupied and then had to leave it, the Post-Gazette reports, raising questions about the agency's real-estate decisions as it works to expand affordable housing across the city.
Sources: Pittsburgh Post-Gazette
Latest developments: Yum Brands formalized the sale Tuesday, splitting Pizza Hut between private-equity firm LongRange Capital, which pays $1.5 billion for operations outside mainland China, and Yum China, which takes the China business for $1.2 billion.
Pizza Hut, whose sales lagged as delivery-first rivals gained ground, changes hands in a $2.7 billion deal. LongRange Capital buys the chain outside mainland China for $1.5 billion and Yum China takes the China operations for $1.2 billion.
Sources: Pittsburgh Post-Gazette · KDKA
Latest developments: Crews will demolish the old Commercial Street Bridge, including a planned controlled explosion, before sliding the new span into place.
Before Pittsburgh's new Commercial Street Bridge can move into position, crews must take down the old one, a job that includes a controlled explosion, WTAE reports.
Sources: WTAE
Latest developments: Pittsburgh City Council could vote this month on settlements for 11 people hurt in the 2022 Fern Hollow Bridge collapse.
Pittsburgh City Council may vote this month on whether to pay settlements to 11 victims of the January 2022 Fern Hollow Bridge collapse in Frick Park, TribLive reports.
Sources: TribLive
Latest developments: The National Weather Service confirmed two tornadoes from Sunday's storms touched down in Butler County, including an EF1 near Moraine State Park, bringing the two-week regional total to nine.
Surveys confirmed two tornadoes struck Butler County during Sunday's line of severe storms, one an EF1 near Moraine State Park. Nine tornadoes have now hit Western Pennsylvania communities in two weeks.
Latest developments: Hazmat crews responded Tuesday to an acid leak at the Cleveland Cliffs plant in Butler County after the spill reached Connoquenessing Creek.
An acid leak at the Cleveland Cliffs plant in Butler County spilled into Connoquenessing Creek on Tuesday, drawing hazmat teams, WTAE and WPXI report.
Latest developments: The Pittsburgh Zoo is asking the public to suggest a name for its growing female lion cub.
The Pittsburgh Zoo invited the public to suggest names for its new female lion cub, WPXI reports.
Sources: WPXI
Latest developments: The Post-Gazette rounds up Pittsburgh-area Juneteenth festivals, films, and observances ahead of the June 19 holiday.
Pittsburgh marks Juneteenth, Friday, June 19, 2026, with festivals, film screenings, and other observances across the region, the Post-Gazette reports.
Sources: Post-Gazette Arts & Entertainment
Latest developments: The Post-Gazette profiles Little Queer Libraries, which distribute banned books across the Pittsburgh region through the Equality Center.
Little Queer Libraries place banned books in small lending boxes across the Pittsburgh region, run with help from the Equality Center, the Post-Gazette reports.
Sources: Post-Gazette Arts & Entertainment
Pirates (36-37)
Mon Jun 15 · Pirates 2 · Athletics 11 · Final
Nick Kurtz and Jeff McNeil power the A's to an 11-2 victory over the struggling Pirates
Up Next · Pirates @ Athletics · Tue Jun 16, 9:40 PM
Latest developments: The Post-Gazette's MiLB Monday weighs whether former top Pirates pick Termarr Johnson is finally turning his prospect career around.
The Post-Gazette examined whether Termarr Johnson, a former top Pirates draft pick, is rebounding in the minor leagues after a slow start to his professional career.
Sources: Post-Gazette Pirates
Latest developments: A Post-Gazette video assesses which Steelers rookies, including Germie Bernard and Max Iheanachor, looked ready to contribute after OTAs and minicamp.
The Post-Gazette weighed which Steelers rookies showed enough during OTAs and minicamp to contribute right away, singling out Germie Bernard and Max Iheanachor.
Sources: Post-Gazette Steelers
S&P 500 7,377.03 ▼ -2.2%
Dow 50,725.58 ▼ -0.7%
Nasdaq 25,695.30 ▼ -3.8%
WTI crude 86.31 ▼ -7.1%
EUR/USD 1.1556 ▼ -0.4%
GBP/USD 1.3386 ▼ -0.3%
USD/JPY 160.23 ▲ +0.2%