================================================================
INFOSECFOLLOW -- security, markets, business, pittsburgh
Tuesday, June 16, 2026 - 12:02 PM EDT
================================================================

China- and North Korea-linked crews burrowed into research, defense, and developer networks as attackers turned Fortinet's threat-verdict engine and Microsoft Teams relays into weapons.

CONTENTS: Emerging Trends | Security | Business and Politics | Pittsburgh | Sports | Reading | Markets

EMERGING TRENDS
----------------------------------------------------------------

* Trusted-Channel Abuse: Attackers increasingly hide malice inside services defenders trust, routing command traffic through Microsoft Teams relays and rewiring victims' own Google Workspace mail rules to exfiltrate data past detection.

* State-Sponsored Surge: China- and North Korea-linked actors dominated the day with espionage and social-engineering campaigns spanning research servers, government networks, and developer workflows.

* Prompt Injection: The Copilot SearchLeak attack shows hidden instructions smuggled into content an AI assistant reads can steal secrets in one click, a recurring weakness across large-language-model security.

* Supply-Chain Compromise: Poisoned Arch User Repository packages and a tainted WordPress CDN show attackers keep targeting the distribution channels developers and site operators trust by default.

SECURITY
----------------------------------------------------------------

:: NATION-STATE ACTIVITY

1. CHINA BURROWS INTO RESEARCH NETWORKS VIA GOOGLE WORKSPACE AND SPRYSOCKS
[apt, espionage, backdoor]

Latest developments: Google disclosed a China-linked group that lived inside North American medical, academic, and military research networks for over a year, planting a credential-stealing backdoor on REDCap servers then rewiring victims' own Google Workspace mail rules to copy every message out, while ESET documented two Windows variants of the previously Linux-only SprySOCKS backdoor, marked WIN_DRV and WIN_PLUS, hitting government organizations in at least four countries.

A China-linked espionage group spent more than a year inside North American medical, academic, and military research networks. It first compromised REDCap research servers with a credential-stealing backdoor, then abused the victims' own Google Workspace mail-forwarding rules to siphon sensitive research and defense email past detection. ESET's parallel finding shows the actors' Windows toolset growing: SprySOCKS, long considered Linux-only, now ships WIN_DRV and WIN_PLUS variants with hard-coded command-and-control and driver-based stealth. Organizations running REDCap should audit Workspace forwarding rules and hunt for the new variants.

- The Hacker News: https://thehackernews.com/2026/06/chinese-hackers-abused-google-workspace.html
- Dark Reading: https://www.darkreading.com/threat-intelligence/china-nexus-actor-us-researchers-undetected
- The Hacker News: https://thehackernews.com/2026/06/china-linked-sprysocks-backdoor-expands.html
- BleepingComputer: https://www.bleepingcomputer.com/news/security/windows-version-of-sprysocks-linux-malware-used-to-attack-govt-orgs/

2. NORTH KOREAN CREWS PHISH DEVELOPERS AND ACCOUNT HOLDERS
[apt, phishing, malware]

Latest developments: Genians documented ScarCruft, also tracked as APT37, sending spear-phishing emails that impersonate Microsoft account security alerts to deliver NarwhalRAT, while Proofpoint tied two fresh campaigns using developer-recruitment and code-review lures to the Contagious Interview cluster known as Famous Chollima.

Two North Korean clusters ran fresh social-engineering campaigns. ScarCruft, also tracked as APT37, sent emails posing as Microsoft account security alerts to plant NarwhalRAT on targets. The Contagious Interview crew, known as Famous Chollima, leaned on developer-recruitment and code-review lures, turning trusted developer workflows into malware-delivery channels. Both rely on the target opening a convincing message, so verify unexpected security alerts and job outreach through separate channels.

- The Hacker News: https://thehackernews.com/2026/06/fake-microsoft-alerts-used-to-deploy.html
- The Hacker News: https://thehackernews.com/2026/06/north-korean-hackers-are-turning.html

:: VULNERABILITIES AND EXPLOITS

3. ATTACKERS EXPLOIT FORTINET'S FORTISANDBOX VERDICT ENGINE
[zero-day, exploit, patch]

Latest developments: Defused reported active exploitation over the past 24 hours of three FortiSandbox flaws—CVE-2026-39813, a 9.1-severity path-traversal bug in the JRPC API, plus CVE-2026-39808 and CVE-2026-25089—one of them patched only last week, with the exploit for one flaw apparently vibecoded and likely faulty.

FortiSandbox analyzes suspicious files and returns the verdicts other Fortinet products use to block threats and launch automated responses, so an attacker who subverts it blinds the surrounding stack. CVE-2026-39813 carries a 9.1 severity score; Fortinet patched it last week, yet exploitation continues. Defused noted that one public exploit appears vibecoded and likely faulty, which may limit reliability but not intent. Administrators should apply the latest FortiSandbox fixes immediately.

- Help Net Security: https://www.helpnetsecurity.com/2026/06/16/fortisandbox-vulnerabilities-cve-2026-39813-cve-2026-39808-cve-2026-25089/
- The Hacker News: https://thehackernews.com/2026/06/attackers-exploit-three-fortinet.html
- BleepingComputer: https://www.bleepingcomputer.com/news/security/critical-fortinet-fortisandbox-flaws-now-exploited-in-attacks/

4. SUPPLY-CHAIN ATTACKS SPREAD ACROSS AUR AND WORDPRESS
[supply-chain, malware]

Latest developments: The Arch User Repository poisoning expanded to roughly 1,500 malicious packages, prompting Arch Linux to suspend new account registrations, while a content-distribution-network compromise at Awesome Motive tainted the OptinMonster, TrustPulse, and PushEngage WordPress plugins.

Two supply-chain compromises widened. The poisoning of the Arch User Repository grew to roughly 1,500 packages laced with malware, and Arch Linux suspended new account registrations to stem the flood. Separately, a compromise of Awesome Motive's content distribution network tainted the popular OptinMonster, TrustPulse, and PushEngage WordPress plugins. Site operators and Arch users should review recently installed packages and verify plugin integrity.

- SecurityWeek: https://www.securityweek.com/atomic-arch-supply-chain-attack-hits-1500-aur-packages/
- BleepingComputer: https://www.bleepingcomputer.com/news/security/optinmonster-wordpress-plugin-hacked-in-cdn-supply-chain-attack/

:: RANSOMWARE AND CYBERCRIME

5. DRAGONFORCE HIDES COMMAND TRAFFIC IN MICROSOFT TEAMS RELAYS
[ransomware, malware]

Latest developments: Symantec reported the DragonForce ransomware-as-a-service group used custom malware it calls Backdoor.Turn to tunnel command-and-control traffic through Microsoft Teams TURN relay infrastructure during an intrusion at a US services company, the first known abuse of Teams relays for this purpose.

DragonForce, a ransomware-as-a-service operation active since 2023, breached a US services company and routed its command-and-control traffic through Microsoft Teams TURN relay infrastructure using custom malware Symantec calls Backdoor.Turn. Hiding inside Teams relays lets the traffic blend with legitimate collaboration connections, the first known abuse of this channel. Defenders should scrutinize Teams relay connections and treat unexpected TURN traffic as suspect.

- Help Net Security: https://www.helpnetsecurity.com/2026/06/16/dragonforce-microsoft-teams-malware-backdoor-turn/
- BleepingComputer: https://www.bleepingcomputer.com/news/security/ransomware-gang-abuses-microsoft-teams-relays-to-hide-malicious-traffic/

:: DATA BREACHES

6. EXTORTION CREWS PILE UP HEALTH AND ENTERTAINMENT BREACHES
[breach, extortion, healthcare]

Latest developments: iRhythm confirmed attackers stole patient personal and health data from third-party-hosted applications and demanded a ransom after the company learned of the intrusion on June 8, FulcrumSec claimed 1.3 terabytes taken from Novo Nordisk, hackers published Knicks and Madison Square Garden records including a talent risk list and customer emails, and the Council of Europe opened a probe into ShinyHunters' breach claims.

A run of breaches and extortion claims surfaced in a single day. iRhythm, which makes cardiac-monitoring devices, confirmed attackers stole patient personal and health data from third-party-hosted applications and demanded a ransom after it learned of the intrusion on June 8. FulcrumSec claimed 1.3 terabytes taken from Novo Nordisk, hackers dumped Knicks and Madison Square Garden records including a talent risk list and customer emails, and the Council of Europe opened a probe into ShinyHunters' claims. Affected individuals face phishing and identity-fraud exposure.

- SecurityWeek: https://www.securityweek.com/irhythm-confirms-data-stolen-in-hack/
- SecurityWeek: https://www.securityweek.com/cybercrime-group-claims-novo-nordisk-hack/
- 404 Media: https://www.404media.co/hackers-publish-knicks-and-madison-square-garden-data-online/
- BleepingComputer: https://www.bleepingcomputer.com/news/security/council-of-europe-investigates-shinyhunters-data-breach-claims/

:: AI SECURITY

7. COPILOT SEARCHLEAK STEALS 2FA CODES IN ONE CLICK
[ai, prompt-injection, vulnerability]

Latest developments: Researchers disclosed SearchLeak, a now-patched three-stage prompt-injection attack against Microsoft Copilot that planted hidden URLs and variables to exfiltrate user data, including two-factor authentication codes, with a single click.

Researchers disclosed SearchLeak, a three-stage prompt-injection attack against Microsoft Copilot that used hidden URLs and variables to exfiltrate user data, including two-factor authentication codes, with a single click. Microsoft has patched it. The flaw joins a growing class of injection attacks that smuggle instructions into the content an AI assistant reads, which researchers argue exposes a recurring weakness in how the industry secures large language models.

- Ars Technica Security: https://arstechnica.com/security/2026/06/critical-copilot-vulnerability-allowed-hackers-to-seal-2fa-code-from-users/
- Dark Reading: https://www.darkreading.com/application-security/copilot-searchleak-attack-1-click-data-theft

:: POLICY AND REGULATION

8. GOVERNMENTS MOVE TO GATE ONLINE ACCESS BY AGE AND ID
[policy, privacy]

Latest developments: The UK said opening a social media account will require proving you are over 16 through an ID upload or a facial age scan under a ban on under-16s taking effect in spring 2027, and India temporarily blocked Telegram over fears scammers exploited the platform to leak medical-exam questions.

Two governments moved to restrict online access. The UK will require new social media users to prove they are over 16 through an ID upload or a facial age scan, part of a ban on under-16s taking effect in spring 2027; security experts warn the checks are easy to circumvent and create fresh troves of personal data to breach. India temporarily blocked Telegram amid fears scammers exploited the platform to leak medical-exam questions. Both measures trade anonymity and data exposure for claimed safety gains.

- BleepingComputer: https://www.bleepingcomputer.com/news/security/uk-to-require-id-or-face-scan-before-you-can-make-social-media-accounts/
- The Record: https://therecord.media/uk-to-ban-social-media-access-for-children-under-16
- The Record: https://therecord.media/india-blocks-telegram-over-cheating-fears

BUSINESS AND POLITICS
----------------------------------------------------------------

* Fed Meeting Opens Under Chair Warsh

Latest developments: The Federal Reserve's first two-day policy meeting under new chair Kevin Warsh began Tuesday, with markets focused on his opening moves on interest rates.

Kevin Warsh chairs his first Federal Reserve policy meeting this week, and demand for Treasurys rose, pushing yields lower, as traders awaited both his rate stance and the still-unclear terms of the US-Iran deal. The decision sets the tone for how the new chair handles inflation running above 4%.

- WSJ Markets: https://www.wsj.com/finance/jgb-futures-edge-lower-ahead-of-bojs-rate-decision-6b5d01ff?mod=rss_markets_main

* Iran Deal Frees Tehran to Sell Oil, Waives Bank Sanctions

Latest developments: Published terms show the agreement lets Iran immediately resume oil sales and waives banking and transport sanctions, and the Trump administration is weighing a $300 billion fund to rebuild Iran.

The US-Iran memorandum extending the ceasefire carries early financial benefits for Tehran: immediate oil sales and waived banking and transport sanctions that ease transactions. Washington is considering a $300 billion reconstruction fund if the peace holds, while Iran says the deal also requires Israel to withdraw from Lebanon, a condition that keeps the still-unpublished accord uncertain.

- WSJ World News: https://www.wsj.com/world/middle-east/the-trump-iran-deal-allows-tehran-to-immediately-sell-oil-37a1ebe5
- FT World: https://www.ft.com/content/b6cbba15-9b4e-44ef-84e4-e5a5f031df36

PITTSBURGH
----------------------------------------------------------------

Weather: Today: Mostly Sunny, high 77F. Tonight: Mostly Cloudy then Scattered Showers And Thunderstorms, low 59F. Wednesday: Mostly Sunny, high 80F.

Business:

* Housing Authority Bought Its Building, Then Left

Latest developments: The Post-Gazette details how Pittsburgh's Housing Authority purchased its own headquarters only to vacate it.

Pittsburgh's Housing Authority bought the building it occupied and then had to leave it, the Post-Gazette reports, raising questions about the agency's real-estate decisions as it works to expand affordable housing across the city.

- Pittsburgh Post-Gazette: https://www.post-gazette.com/business/development/2026/06/16/housing-authority-pittsburgh-affordable-housing/stories/202606140032

* Yum Brands Sells Pizza Hut for $2.7 Billion

Latest developments: Yum Brands formalized the sale Tuesday, splitting Pizza Hut between private-equity firm LongRange Capital, which pays $1.5 billion for operations outside mainland China, and Yum China, which takes the China business for $1.2 billion.

Pizza Hut, whose sales lagged as delivery-first rivals gained ground, changes hands in a $2.7 billion deal. LongRange Capital buys the chain outside mainland China for $1.5 billion and Yum China takes the China operations for $1.2 billion.

- Pittsburgh Post-Gazette: https://www.post-gazette.com/business/career-workplace/2026/06/16/pizza-hut-sold-for-2-7-billion/stories/202606170010
- KDKA: https://www.cbsnews.com/pittsburgh/news/pizza-hut-sale-yum-brands/

Around town:

* Commercial Street Bridge Demolition Nears

Latest developments: Crews will demolish the old Commercial Street Bridge, including a planned controlled explosion, before sliding the new span into place.

Before Pittsburgh's new Commercial Street Bridge can move into position, crews must take down the old one, a job that includes a controlled explosion, WTAE reports.

- WTAE: https://www.wtae.com/article/pittsburgh-commercial-street-bridge-demolition/71600255

* Council Weighs Fern Hollow Bridge Settlements

Latest developments: Pittsburgh City Council could vote this month on settlements for 11 people hurt in the 2022 Fern Hollow Bridge collapse.

Pittsburgh City Council may vote this month on whether to pay settlements to 11 victims of the January 2022 Fern Hollow Bridge collapse in Frick Park, TribLive reports.

- TribLive: https://triblive.com/local/pittsburgh-city-council-to-vote-on-settlements-for-fern-hollow-bridge-victims/

* Two More Tornadoes Confirmed in Butler County

Latest developments: The National Weather Service confirmed two tornadoes from Sunday's storms touched down in Butler County, including an EF1 near Moraine State Park, bringing the two-week regional total to nine.

Surveys confirmed two tornadoes struck Butler County during Sunday's line of severe storms, one an EF1 near Moraine State Park. Nine tornadoes have now hit Western Pennsylvania communities in two weeks.

- WTAE: https://www.wtae.com/article/butler-county-tornadoes-confirmed-moraine-state-park/71603043
- WPXI: https://www.wpxi.com/news/local/2-tornadoes-moved-through-butler-county-during-sunday-storms/J5AN64JR4BDUXFWP443KLNEOKA/

* Acid Spill at Cleveland Cliffs Reaches Creek

Latest developments: Hazmat crews responded Tuesday to an acid leak at the Cleveland Cliffs plant in Butler County after the spill reached Connoquenessing Creek.

An acid leak at the Cleveland Cliffs plant in Butler County spilled into Connoquenessing Creek on Tuesday, drawing hazmat teams, WTAE and WPXI report.

- WTAE: https://www.wtae.com/article/butler-county-cleveland-cliffs-acid-leak/71601375
- WPXI: https://www.wpxi.com/news/local/hazmat-called-cleveland-cliffs-butler-county-acid-spill-connoquenessing-creek/QS22FGF4CBASHDBL5ZROFJWHHM/

* Pittsburgh Zoo Seeks Name for Lion Cub

Latest developments: The Pittsburgh Zoo is asking the public to suggest a name for its growing female lion cub.

The Pittsburgh Zoo invited the public to suggest names for its new female lion cub, WPXI reports.

- WPXI: https://www.wpxi.com/news/local/you-can-help-choose-name-pittsburgh-zoos-new-baby-lion/N525JNHIVFE5JNVZF5P5GDAX7M/

Events:

* Juneteenth Events Across Pittsburgh

Latest developments: The Post-Gazette rounds up Pittsburgh-area Juneteenth festivals, films, and observances ahead of the June 19 holiday.

Pittsburgh marks Juneteenth, Friday, June 19, 2026, with festivals, film screenings, and other observances across the region, the Post-Gazette reports.

- Post-Gazette Arts & Entertainment: https://www.post-gazette.com/life/recreation/2026/06/16/juneteenth-events-pittsburgh-2026/stories/202606170002

* Little Queer Libraries Share Banned Books

Latest developments: The Post-Gazette profiles Little Queer Libraries, which distribute banned books across the Pittsburgh region through the Equality Center.

Little Queer Libraries place banned books in small lending boxes across the Pittsburgh region, run with help from the Equality Center, the Post-Gazette reports.

- Post-Gazette Arts & Entertainment: https://www.post-gazette.com/life/goodness/2026/06/16/little-queer-libraries-banned-books-equality-center/stories/202606080063

SPORTS
----------------------------------------------------------------

Pirates (36-37)

Mon Jun 15 · Pirates 2 · Athletics 11 · Final
Nick Kurtz and Jeff McNeil power the A's to an 11-2 victory over the struggling Pirates
https://plaintextsports.com/mlb/2026-06-15/pit-ath

Up Next · Pirates @ Athletics · Tue Jun 16, 9:40 PM
https://plaintextsports.com/mlb/2026-06-16/pit-ath

Around the Teams:

* Termarr Johnson Shows Signs of Turning Around

Latest developments: The Post-Gazette's MiLB Monday weighs whether former top Pirates pick Termarr Johnson is finally turning his prospect career around.

The Post-Gazette examined whether Termarr Johnson, a former top Pirates draft pick, is rebounding in the minor leagues after a slow start to his professional career.

- Post-Gazette Pirates: https://www.post-gazette.com/sports/pirates/2026/06/15/mlb-prospects-termarr-johnson-edward-florentino-tony-blanco/stories/202606150020

* Which Steelers Rookies Could Contribute Early

Latest developments: A Post-Gazette video assesses which Steelers rookies, including Germie Bernard and Max Iheanachor, looked ready to contribute after OTAs and minicamp.

The Post-Gazette weighed which Steelers rookies showed enough during OTAs and minicamp to contribute right away, singling out Germie Bernard and Max Iheanachor.

- Post-Gazette Steelers: https://www.post-gazette.com/sports/steelers/2026/06/15/nfl-news-rumors-germie-bernard-max-iheanachor/stories/202606150028

READING
----------------------------------------------------------------

* Stratechery -- Fox Buys Roku, The Problem With Fox's Smart Strategy, Streaming That Works
Stratechery argues Fox's purchase of Roku trades extracting value from rights holders for leverage as a distribution renter, a deal the market dislikes.
https://stratechery.com/2026/fox-buys-roku-the-problem-with-foxs-smart-strategy-streaming-that-works/

* Ed Zitron -- Exclusive: OpenAI Losses Increased Nearly 8X in 2025, With Spending Hitting $34 Billion
Zitron reports OpenAI's losses grew nearly eightfold in 2025 as spending reached $34 billion, and he argues the company has no path to profitability.
https://www.wheresyoured.at/exclusive-openai-financials/

* Cal Newport -- AI Isn't Breaking Work. It's Already Broken.
Newport contends AI is exposing dysfunction that already plagued knowledge work, drawing on an interview about a survey of 6,000 digital workers.
https://calnewport.com/ai-isnt-breaking-work-its-already-broken/

MARKETS (weekly average, change vs prior week)
----------------------------------------------------------------

S&P 500      7,377.03   ▼ -2.2%
Dow         50,725.58   ▼ -0.7%
Nasdaq      25,695.30   ▼ -3.8%
WTI crude       86.31   ▼ -7.1%
EUR/USD        1.1556   ▼ -0.4%
GBP/USD        1.3386   ▼ -0.3%
USD/JPY        160.23   ▲ +0.2%

================================================================
Generated 2026-06-16 12:02 EDT.
Sources: 24 security feeds; 9 Pittsburgh feeds; 4 Pittsburgh arts and events feeds; 6 Pittsburgh sports beat and podcast feeds; the Wall Street Journal, the Economist, and the Financial Times; and Ed Zitron, Stratechery, Cal Newport. Markets from Yahoo Finance, weather from the NWS, scores from ESPN.
Summaries are AI-generated from the linked reporting; verify at the sources.
================================================================