infosecfollow

daily plain-text briefing: security, markets, business, and pittsburgh

Attackers turned the defenders' own gear against them, exploiting Fortinet's FortiSandbox and Cisco's SD-WAN Manager as CISA stacked fresh patch deadlines and a ransomware crew hid inside Microsoft Teams.

Security

Vulnerabilities and Exploits

1. Attackers Exploit FortiSandbox Threat Platform

[zero-day, patch, exploit]

Latest developments: Defused logged attacks against three FortiSandbox flaws—CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089—inside 24 hours, one of them patched only last week, and judged one of the exploits vibe-coded and likely faulty.

FortiSandbox renders threat verdicts that other Fortinet products trust to block traffic and trigger automated responses, so compromising it blinds an entire defensive stack. CVE-2026-39813, a path-traversal flaw in the JRPC API, rates 9.1. Organizations running FortiSandbox should apply Fortinet's fixes now and hunt for forged verdicts or unexpected API calls.

Sources: Help Net Security · The Hacker News · BleepingComputer

2. CISA Sets New Deadlines for Exploited Web Flaws

[patch, exploit, policy]

Latest developments: CISA added Joomla Content Editor flaw CVE-2026-48907 to its known exploited catalog, gave agencies until June 18 to patch LiteSpeed cPanel plugin flaw CVE-2026-54420, and Cisco shipped fixes for Catalyst SD-WAN Manager flaw CVE-2026-20262, which Cisco discovered in internal testing but attackers exploited first.

All three flaws give attackers a foothold on internet-facing infrastructure: Joomla content editing, LiteSpeed's cPanel plugin at root, and Cisco's SD-WAN management plane. CVE-2026-54420 rates 8.5 and enables root privilege escalation. Federal civilian agencies face binding deadlines, and private operators of the same software should treat the timelines as their own.

Sources: CISA Advisories · BleepingComputer · Help Net Security

3. Atomic Arch Attack Swells to 1,500 Packages

[supply-chain, malware]

Latest developments: The Atomic supply-chain campaign against the Arch User Repository grew to roughly 1,500 malicious packages, and Arch Linux suspended new account registrations to stem the upload wave.

Attackers rewrote build scripts across AUR packages to ship a Rust infostealer and an eBPF rootkit, expanding from the roughly 400 packages reported earlier in the week. The community repository lets any registered user publish, which made it easy to flood with tainted entries. Arch users should audit recently installed AUR packages, rebuild from clean sources, and assume credentials touched on affected systems are exposed.

Sources: SecurityWeek

Ransomware and Cybercrime

4. DragonForce Hides C2 Inside Microsoft Teams

[ransomware, malware]

Latest developments: Symantec caught the DragonForce ransomware group routing command-and-control traffic through Microsoft Teams TURN relay infrastructure with custom malware called Backdoor.Turn during an intrusion at a U.S. services company, the first known abuse of Teams relays for this purpose.

DragonForce runs a ransomware-as-a-service operation active since 2023, arming affiliates for a cut of payments. By tunneling traffic through Teams relays, the group disguises its command channel as routine collaboration traffic that defenders rarely block. Security teams should scrutinize Teams TURN connections and treat unexplained relay traffic as a possible hiding place for malware.

Sources: Help Net Security · BleepingComputer

AI Security

5. Security Experts Fight the Anthropic Export Ban

[ai, policy]

Latest developments: Dozens of security professionals signed an open letter pressing Washington to reverse its order blocking export of Anthropic's Claude Fable 5 and Mythos 5, and Wired argued models with advanced hacking ability will soon be common regardless of the restriction.

The Trump administration ordered Anthropic to block all foreign nationals, pulling both models worldwide on June 13 and framing the move as export control over offensive AI capability. Signatories call the cited jailbreak narrow and the underlying ability already widespread, warning the ban hampers defenders more than attackers. The fight sets an early precedent for how governments treat frontier models that can find and exploit software flaws.

Sources: Dark Reading · Wired Security

6. AI Coding Tools Bleed Keys and 2FA Codes

[ai, vulnerability, supply-chain]

Latest developments: Researchers disclosed SearchLeak, a critical Microsoft Copilot flaw that let attackers steal users' two-factor authentication codes, and BleepingComputer found at least 15 malicious JetBrains Marketplace plugins harvesting developers' AI API keys.

SearchLeak shows how prompt and retrieval features can be turned to exfiltrate sensitive data the assistant can see, including login codes. The rogue JetBrains plugins target the API keys developers store for their AI services, handing attackers paid access and a route into projects. Developers should remove untrusted plugins, rotate exposed keys, and treat AI assistants as systems that handle secrets.

Sources: Ars Technica Security · BleepingComputer

Data Breaches

7. Health and Sports Data Spills in Fresh Hacks

[breach, healthcare, extortion]

Latest developments: iRhythm confirmed hackers stole patient personal and health data from third-party-hosted apps and demanded a ransom, the FulcrumSec group claimed it lifted 1.3TB from Novo Nordisk, and attackers published Madison Square Garden and New York Knicks data, including a risk-rated list of celebrities and players.

iRhythm, a cardiac-monitoring firm, learned of its breach on June 8 and traced the loss to business applications hosted by an outside provider. The Novo Nordisk and MSG dumps show extortion crews chasing both regulated health records and embarrassing internal files. Affected customers and patients should expect targeted phishing and watch for fraud tied to the stolen records.

Sources: BleepingComputer · SecurityWeek · 404 Media

Nation-State Activity

8. ScarCruft Drops NarwhalRAT via Fake Microsoft Alerts

[apt, phishing, malware]

Latest developments: Genians Security Center reported North Korea's ScarCruft, also tracked as APT37, sending spear-phishing emails that impersonate Microsoft account security notifications to deploy a new remote-access trojan called NarwhalRAT.

ScarCruft is a long-running North Korean espionage group that favors social-engineering lures aimed at researchers, defectors, and officials. The fake security alerts play on recipients' fear that their accounts are at risk, prompting the click that installs NarwhalRAT. Defenders should flag emails impersonating Microsoft account warnings and verify any such notice through the account portal rather than email links.

Sources: The Hacker News

Business and Politics

Bank of Japan Raises Rate to 1%

Latest developments: The Bank of Japan lifted its policy rate to 1% on Tuesday, a step beyond the central-bank moves tracked in prior briefings and a milestone in its long exit from near-zero rates.

Japan's central bank pushed its benchmark to 1%, the highest in roughly two decades, as it normalizes policy after years of ultra-loose settings. The move firms global yields and reshapes the carry trade that funnels Japanese capital abroad.

Sources: Financial Times

Iran Deal Lets Tehran Sell Oil at Once

Latest developments: Terms emerged Tuesday showing the U.S.-Iran agreement lets Tehran sell oil immediately and waives banking and transport sanctions, an early financial benefit beyond the signing reported earlier.

The accord ending the war restores Iran's access to oil markets and the financial system needed to transact, hastening a supply recovery. Brent crude fell below $80 for a fourth straight session as traders priced the return of Strait of Hormuz flows.

Sources: Wall Street Journal · Financial Times

Pittsburgh

Weather

Tonight: Mostly Cloudy then Chance Rain Showers, low 59F.

Wednesday: Mostly Sunny, high 81F.

Wednesday Night: Slight Chance Showers And Thunderstorms, low 68F.

Business

Skill Games Ruling May Spur Legislation

Latest developments: Officials say Monday's state Supreme Court ruling that skill games must follow gaming law could finally push Harrisburg lawmakers to regulate and tax the machines.

Pennsylvania's high court held that the loosely regulated skill games in bars, convenience stores, and clubs count as slot machines under state law. Lawmakers have stalled for years on rules and taxes for the devices, and officials see the decision as the spark to act.

Sources: TribLive

Steel Industry Marks Its Legacy

Latest developments: WTAE profiled the Mon Valley Works and the workers who keep Pittsburgh's steelmaking tradition alive, framing the industry's role in building modern America.

Pittsburgh's steel mills shaped skyscrapers, bridges, and wartime production for more than a century, and the Mon Valley Works still runs today. The piece centers on the pride of current workers carrying a generations-old trade.

Sources: WTAE

Around Town

Fern Hollow Bridge Settlement

Latest developments: Pittsburgh City Council is reviewing a proposed $445,000 settlement for nine people hurt when the Fern Hollow Bridge collapsed on January 28, 2022.

The Forbes Avenue bridge over Frick Park fell on a snowy morning, dropping vehicles and a bus into the ravine. The proposed payout would resolve claims from nine victims, with council weighing approval.

Sources: WTAE

Tornado Count Rises to Five

Latest developments: The National Weather Service confirmed two more tornadoes in Butler County, including an EF1 near Moraine State Park, raising Sunday's regional total to five across eastern Ohio and northwestern Pennsylvania.

Sunday's line of severe storms spawned multiple twisters, with surveys still ongoing. Earlier confirmations covered Beaver County and Columbiana County, Ohio; the Butler County additions bring the count to five.

Sources: KDKA

Free Summer Meals for Kids

Latest developments: CitiParks reopened its free summer meal program Tuesday, offering breakfast, lunch, and snacks to any child under 18 through mid-August.

As Pittsburgh schools close, the city, Pittsburgh Public Schools, and the Greater Pittsburgh Community Food Bank serve free meals at eight rec centers and more than 40 partner sites. No registration is required for children under 18.

Sources: KDKA

State Funds Security for South Side Fest

Latest developments: Pennsylvania granted $125,000 to the South Side Community Action Network to hire private security this summer for the adults-only South Side Street Fest along East Carson Street.

East Carson Street anchors much of Pittsburgh's nightlife, and the network runs a summer festival there. The state money pays private guards to supplement city police at the event.

Sources: TribLive

Mt. Oliver Internet Restored

Latest developments: Xfinity restored service Tuesday to Mt. Oliver customers on Margaret Street after a near-48-hour outage that cut residents off from remote work.

The blackout left a borough block disconnected for two days, stranding people who clock in for jobs online. Comcast brought the connection back Tuesday.

Sources: KDKA

Events

Juneteenth Events Across the Region

Latest developments: The Post-Gazette rounded up Pittsburgh's Juneteenth observances for the June 19 holiday, spanning festivals, film screenings, and more.

Juneteenth, Friday, June 19, 2026, marks the end of slavery in the United States. Pittsburgh hosts a slate of festivals, films, and gatherings around the date; see the guide for locations and times.

Sources: Post-Gazette Arts & Entertainment

Sports

Pirates (36-37)

Mon Jun 15 · Pirates 2 · Athletics 11 · Final

Nick Kurtz and Jeff McNeil power the A's to an 11-2 victory over the struggling Pirates

Up Next · Pirates @ Athletics · Tue Jun 16, 9:40 PM

Around the Teams

Kyler Fedko's MLB Debut

Latest developments: The Post-Gazette featured Pirates prospect Kyler Fedko making his major-league debut, watched from the stands by his father, Pittsburgh broadcaster John Fedko.

Fedko reached the majors with the Pirates, a milestone the paper framed through his proud father's presence. The piece runs as a human-interest look at the call-up.

Sources: Post-Gazette Pirates

SNR Drive on QB Tiers, Offseason Moves

Latest developments: On Tuesday's SNR Drive, Matt Williamson and Wes Uhler ran through league news, broke down Evan Silva's 2026 fantasy quarterback tiers, and weighed the best offseason moves and longest playoff droughts.

The Steelers' SNR Drive is a daily team-channel show with analysts Matt Williamson and Wes Uhler. The June 16 episode mixed minicamp storylines with a fantasy-football quarterback ranking.

Sources: Pittsburgh Steelers (YouTube)

Which Steelers Rookies Contribute Early

Latest developments: A Post-Gazette video assessed which Steelers rookies looked ready to contribute after OTAs and minicamp, singling out receiver Germie Bernard and offensive lineman Max Iheanachor.

Pittsburgh wrapped its spring program, giving beat writers a first read on the draft class. The video weighs which newcomers could earn early roles.

Sources: Post-Gazette Steelers

Termarr Johnson Trending Up

Latest developments: MiLB Monday in the Post-Gazette asked whether former top Pirates pick Termarr Johnson is turning his minor-league season around.

Johnson, a high first-round selection, has struggled to develop in the Pirates system. The column tracks recent signs of improvement among him and other prospects.

Sources: Post-Gazette Pirates

Reading

Markets

weekly average, change vs prior week

S&P 500     7,431.68  ▼ -0.4%
Dow        51,128.10  ▲ +0.3%
Nasdaq     25,985.66  ▼ -0.8%
WTI crude      86.31  ▼ -7.1%
EUR/USD       1.1569  ▼ -0.1%
GBP/USD       1.3403  ▲ +0.1%
USD/JPY       160.25  ▲ +0.1%