================================================================
INFOSECFOLLOW -- security, markets, business, pittsburgh
Wednesday, June 17, 2026 - 6:05 AM EDT
================================================================

Supply-chain attackers overran npm, the JetBrains marketplace, and GitHub in a single day as a self-spreading worm and 144 booby-trapped AI-framework packages widened the damage.

CONTENTS: Emerging Trends | Security | Business and Politics | Pittsburgh | Sports | Reading | Markets

EMERGING TRENDS
----------------------------------------------------------------
* Supply Chain: Attackers keep weaponizing the developer pipeline itself, hitting npm's Mastra packages, GitHub-hosted projects via the Shai-Hulud worm, the JetBrains marketplace, and Steam Workshop within hours of each other.
* AI Tooling: Malware and flaws increasingly center on AI developer infrastructure, from the compromised Mastra AI framework and stolen LLM API keys to a code-execution bug in Google's Vertex AI SDK.
* Defender Evasion: Several fresh techniques aim straight at endpoint defenses, with RoguePlanet abusing Microsoft Defender itself, GhostTree stalling Defender scans through NTFS junctions, and Phantom Stealer running entirely in memory.
* Age Verification: Governments leaning on identity checks, including the UK under-16 social media ban and India's Telegram block, raise the same privacy and breach risks security experts keep flagging.
* Exploited Flaws: Active exploitation continues to drive the patch agenda as Joomla, LiteSpeed, and FortiSandbox flaws hit the CISA catalog and tens of thousands of Fortinet firewalls turn up compromised.

SECURITY
----------------------------------------------------------------

:: VULNERABILITIES AND EXPLOITS

1. WORM AND HIJACKED ACCOUNTS HIT THE SOFTWARE SUPPLY CHAIN [supply-chain, npm, worm]

Latest developments: Attackers used a single hijacked npm account, ehindero, to mass-publish 144 malicious Mastra AI-framework packages in a campaign named easy-day-js, while researchers said GitHub had dismissed two vulnerability reports describing the design flaws now feeding Shai-Hulud worm variants across hundreds of packages.

JFrog, SafeDep, Socket, and StepSecurity traced the easy-day-js attack, which planted code in 144 packages under the @mastra namespace, the home of a popular JavaScript framework for building AI applications. Separately, researchers say GitHub rejected two formal reports identifying flaws that let Shai-Hulud worm variants infect packages and developer accounts worldwide. Chainguard answered with Athena, a coalition of more than two dozen firms, among them BNY, Cisco, Cloudflare, Docker, and JPMorganChase, that remediates open source bugs under embargo and has already shipped 2,000 patches across 500 projects. Developers should audit recent npm installs and lock dependency versions.

- The Hacker News: https://thehackernews.com/2026/06/144-mastra-npm-packages-compromised-via.html
- The Record: https://therecord.media/github-dismissed-reports-shai-hulud-deep-specter
- Help Net Security: https://www.helpnetsecurity.com/2026/06/17/chainguard-athena-coalition-fix-open-source-vulnerabilities/

2. ROGUEPLANET ZERO-DAY TURNS MICROSOFT DEFENDER AGAINST ITSELF [zero-day, patch]

Latest developments: Microsoft confirmed it is building a patch for RoguePlanet, a Defender zero-day disclosed a week ago whose public proof-of-concept exploits a race condition to spawn a command prompt with System privileges.

RoguePlanet abuses a timing flaw inside Microsoft Defender, the very tool meant to protect Windows endpoints, to escalate an attacker to the highest privilege level. Public exploit code already circulates, raising the urgency of the coming fix. Microsoft has not given a patch date. Defenders should watch for unexpected System-level command prompts and apply the update the moment it ships.

- SecurityWeek: https://www.securityweek.com/microsoft-working-on-patch-for-rogueplanet-zero-day/
- BleepingComputer: https://www.bleepingcomputer.com/news/microsoft/microsoft-working-on-defender-patch-for-rogueplanet-zero-day/

3. 30,000 FORTINET FIREWALLS FOUND EXPOSED AS WEB FLAWS STAY HOT [patch, exploit]

Latest developments: SOCRadar counted roughly 30,000 compromised Fortinet firewalls tied to the three FortiSandbox flaws under attack, while Joomla Content Editor flaw CVE-2026-48907 and LiteSpeed cPanel flaw CVE-2026-54420 continued drawing active exploitation for PHP code execution and root access.

FortiSandbox underpins verdicts for other Fortinet products, so the exploitation of CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089 ripples across customer defenses; SOCRadar's tally of 30,000 exposed firewalls measures the scale. The maximum-severity Joomla JCE flaw, CVE-2026-48907, and the LiteSpeed cPanel plugin bug, CVE-2026-54420, let attackers run arbitrary PHP and seize root on shared hosting. CISA has placed both web flaws in its known exploited catalog. Administrators should patch all affected appliances and audit hosting servers now.

- SecurityWeek: https://www.securityweek.com/3-recently-patched-fortinet-fortisandbox-vulnerabilities-in-hacker-crosshairs/
- SecurityWeek: https://www.securityweek.com/joomla-litespeed-vulnerabilities-exploited-in-attacks/
- The Hacker News: https://thehackernews.com/2026/06/cisa-warns-of-actively-exploited-joomla.html

:: RANSOMWARE AND CYBERCRIME

4. ROKAROLLA ANDROID TROJAN HITS 217 BANKING AND CRYPTO APPS [malware, android, banking-trojan]

Latest developments: Zimperium's zLabs documented Rokarolla, a new Android banking trojan that targets 217 banking and cryptocurrency apps with 137 remote commands and spreads through fake TikTok and Chrome downloads.

Rokarolla hands an operator near-total control of an infected phone: it lifts lock-screen PINs, reads and sends SMS, rewrites the clipboard to reroute crypto payments, and disables Google Play Protect. Its 137-command set blends banking fraud with broad device surveillance and persistence. Victims arrive through counterfeit TikTok and Chrome installers rather than official stores. Users should install apps only from trusted sources and confirm wallet addresses before sending funds.

- The Hacker News: https://thehackernews.com/2026/06/new-rokarolla-android-malware-steals.html
- BleepingComputer: https://www.bleepingcomputer.com/news/security/new-rokarolla-android-malware-targets-217-banking-crypto-apps/
- Dark Reading: https://www.darkreading.com/endpoint-security/rokarolla-android-trojan

5. CLICKFIX LOADERS AND STEALTHY STEALERS MULTIPLY [malware, phishing, ransomware]

Latest developments: Morphisec, BlueVoyant, and Huntress detailed ClickFix campaigns pushing three new loaders, BabaDeda, Lorem Ipsum, and Potemkin, with analysts linking the Lorem Ipsum operation to the Vice Society extortion group, even as Phantom Stealer and the GhostTree technique advanced evasion.

ClickFix lures trick users into running malicious commands through fake update prompts; the April BabaDeda wave struck education and financial targets, and the Lorem Ipsum campaign rode compromised WordPress sites tied to Vice Society. Alongside the loaders, the fileless Phantom Stealer runs in memory to grab browser credentials while dodging analysis, and the GhostTree attack uses recursive NTFS junctions to flood Windows with file paths, stalling Defender folder scans so malware stays hidden. The cluster shows attackers investing in delivery and concealment in equal measure. Defenders should block clipboard-pasted command execution and harden update-prompt awareness.

- The Hacker News: https://thehackernews.com/2026/06/clickfix-campaigns-expand-malware.html
- Dark Reading: https://www.darkreading.com/cyberattacks-data-breaches/lorem-ipsum-malware-clickfix-delivery
- BleepingComputer: https://www.bleepingcomputer.com/news/security/ghosttree-attack-abused-recursive-windows-junctions-to-hide-malware/
- Dark Reading: https://www.darkreading.com/cyberattacks-data-breaches/fileless-phantom-stealer-targets-browser-credentials

:: AI SECURITY

6. VERTEX AI BUG AND IDE PLUGINS EXPOSE AI WORKFLOWS [ai, supply-chain]

Latest developments: Palo Alto Networks Unit 42 disclosed Pickle in the Middle, a Google Vertex AI SDK flaw that let an outsider hijack a victim's model upload and run code inside Google's serving infrastructure, while the JetBrains plugin campaign that steals AI API keys now pairs with Chrome extensions that capture chatbot conversations.

Pickle in the Middle exploited bucket squatting in the Vertex AI SDK for Python, giving an attacker with no project access a path to code execution in Google's infrastructure; Unit 42 reported it through the bug bounty program and saw no exploitation in the wild. On the developer side, at least 15 JetBrains Marketplace plugins posing as DeepSeek-based coding assistants harvested AI provider keys, and researchers now tie the effort to Chrome extensions that siphon chatbot chats. Together they map a widening attack surface around AI development. Teams should rotate exposed API keys and vet every AI plugin and SDK dependency.

- The Hacker News: https://thehackernews.com/2026/06/google-vertex-ai-sdk-flaw-let-attackers.html
- The Hacker News: https://thehackernews.com/2026/06/malicious-jetbrains-plugins-steal-ai.html
- BleepingComputer: https://www.bleepingcomputer.com/news/security/malicious-jetbrains-marketplace-plugins-steal-ai-api-keys-from-developers/

:: POLICY AND REGULATION

7. UK TO BAR UNDER-16S FROM SOCIAL MEDIA [policy, privacy]

Latest developments: The UK confirmed a spring 2027 ban on under-16s using user-to-user social media, requiring everyone opening an account to prove their age by ID upload or facial scan, and privacy experts immediately warned the checks invite both circumvention and new data breaches.

The rule forces platforms to verify ages for new accounts, pulling sensitive identity documents and biometric face data into systems that become fresh breach targets. Security researchers note that determined teenagers can route around age gates with little effort, undercutting the policy's goal while leaving the privacy cost in place. The measure lands amid wider government appetite for identity controls online. Platforms now face a 2027 deadline to build verification that holds personal data securely.

- BleepingComputer: https://www.bleepingcomputer.com/news/security/uk-to-require-id-or-face-scan-before-you-can-make-social-media-accounts/
- Dark Reading: https://www.darkreading.com/cyber-risk/uk-social-media-ban-privacy-experts-worried

:: NATION-STATE ACTIVITY

8. FISHMONGER PORTS SPRYSOCKS BACKDOOR TO WINDOWS [apt, nation-state]

Latest developments: FishMonger, a China-nexus threat group, deployed an undocumented Windows variant of the SprySOCKS backdoor that abuses kernel drivers to evade detection, striking government targets in Honduras, Taiwan, Thailand, and Pakistan.

SprySOCKS began life as a Linux backdoor; the new Windows build extends the group's reach into a fresh class of victims while using kernel-driver tricks to slip past endpoint defenses. The targeting concentrates on government bodies across Latin America and Asia. The move shows a state-aligned actor maturing tooling across operating systems. Affected agencies should hunt for unauthorized kernel drivers and unusual SOCKS traffic.

- Dark Reading: https://www.darkreading.com/threat-intelligence/sprysocks-windows-variant-kernel-drivers

BUSINESS AND POLITICS
----------------------------------------------------------------

* Fed Decides Under New Chair Warsh

Latest developments: The Federal Open Market Committee meets today for the first time under Chair Kevin Warsh, with traders watching whether it drops its policy-easing bias.

Kevin Warsh chairs his first Fed meeting Wednesday after a stretch of falling oil prices and renewed dollar strength. ING says removing the easing bias would support the dollar, while a signal at odds with market pricing could trigger a sharp selloff; stock futures rose ahead of the decision.

- WSJ Markets: https://www.wsj.com/finance/currencies/asian-currencies-consolidate-before-decision-by-warsh-led-fomc-57537bfa?mod=rss_markets_main
- WSJ Markets: https://www.wsj.com/livecoverage/fed-meeting-warsh-interest-rate-06-17-2026?mod=rss_markets_main
- WSJ Markets: https://www.wsj.com/finance/stocks/oil-below-80-stock-futures-rise-before-warshs-first-fed-meeting-95970810?mod=rss_markets_main

* IEA Warns of Coming Oil Glut

Latest developments: Brent crude fell below $80 after reports the U.S.-Iran deal waives sanctions on Iranian oil sales, and the IEA said Tuesday that resumed flows will create a supply surge far outstripping demand growth next year.

The International Energy Agency forecasts that once flows through the Strait of Hormuz normalize, oil production will rebound sharply enough to swamp demand and tip the market into a glut in 2027, reversing the wartime price shock. Brent dropped under $80 a barrel on the prospect of sanctions relief and reopened shipping lanes.

- FT World: https://www.ft.com/content/43a47462-3102-4f77-a2fe-d9cf1217ac2f
- WSJ Markets: https://www.wsj.com/finance/commodities-futures/oil-futures-rise-on-likely-technical-recovery-30bb6a90?mod=rss_markets_main
- WSJ US Business: https://www.wsj.com/business/energy-oil/oil-supply-to-rebound-strongly-after-gulf-shock-but-recovery-will-take-months-iea-says-a0ccae8b?mod=pls_whats_news_us_business_f

PITTSBURGH
----------------------------------------------------------------

Weather:
Today: Mostly Sunny, high 82F.
Tonight: Scattered Showers And Thunderstorms, low 69F.
Thursday: Showers And Thunderstorms then Mostly Sunny, high 84F.

Business:

* Allegheny County Business Climate

Latest developments: A Post-Gazette letter writer argues County Executive Sara Innamorato's parental-leave push and broader policies are driving employers out of Allegheny County.

The letter contends Allegheny County must stop chasing businesses away, framing a mandated parental-leave proposal as a cost that weighs on local employers and the regional economy.

- Pittsburgh Post-Gazette: https://www.post-gazette.com/local/2026/06/17/innamorato-allegheny-county-parental-leave-buisness-economy/stories/202606170003

* Greater Latrobe Holds the Line on Taxes

Latest developments: The Greater Latrobe School Board adopted a $70 million final budget with no property-tax increase.

Property owners in the Westmoreland County district will see no tax hike this year under the newly adopted spending plan.

- TribLive: https://triblive.com/local/westmoreland/greater-latrobe-school-board-adopts-70-million-final-budget-with-no-tax-increase/

* Burrell Eyes a 3.5% Tax Hike

Latest developments: The Burrell School Board will vote next week on a final budget carrying a 3.5% property-tax increase.

Homeowners in the Westmoreland County district face higher taxes for the coming school year if the board approves the spending plan at next week's meeting.

- TribLive: https://triblive.com/local/valley-news-dispatch/burrell-school-board-to-vote-next-week-on-final-budget-3-5-tax-hike/

Around town:

* Severe Weather Alert for Thursday

Latest developments: Forecasters declared Thursday a Severe Weather Alert Day for the Pittsburgh region, warning of flash flooding and gusty winds after storms return on Wednesday.

Storms move back into Western Pennsylvania this week, with Thursday carrying the higher risk of heavy rain, flash flooding, and damaging gusts following several pleasant days.

- WTAE: https://www.wtae.com/article/severe-weather-alert-day-thursday-risk-for-flash-flooding-and-gusty-winds/71610265

* Pennsylvania Weighs Medicaid Cuts to Kids

Latest developments: Advocates and state lawmakers are mapping ways to keep Pennsylvania children insured as looming federal Medicaid cuts threaten coverage.

The Post-Gazette reports that Trump-administration Medicaid reductions could strip health coverage from many Pennsylvania children, prompting officials and advocates to search for ways to preserve it.

- Pittsburgh Post-Gazette: https://www.post-gazette.com/news/health/2026/06/17/pennsylvania-medicaid-kids/stories/202606170005

* House Moves to Ban 'Gas Station Heroin'

Latest developments: The Pennsylvania House passed a bill Tuesday to outlaw tianeptine, the opioid-like substance sold as 'gas station heroin.'

Tianeptine, an addictive drug the FDA does not regulate, has been tied to hundreds of overdoses nationally, including an April death in Fayette County. The House-passed bill would make it illegal in Pennsylvania.

- KDKA: https://www.cbsnews.com/pittsburgh/news/pennsylvania-house-bill-gas-station-heroin/

* CMU Fence Reignites Free Speech Debate

Latest developments: A Carnegie Mellon group issued recommendations about The Fence, the campus's painted free-expression landmark, renewing debate over speech.

The Fence has long served as Carnegie Mellon's open canvas for student messages. New recommendations from a campus group over its use have reopened arguments about the limits of free speech at the university.

- Pittsburgh Post-Gazette: https://www.post-gazette.com/news/education/2026/06/17/cmu-fence-free-speech-controversy/stories/202606160040

* New Children's Space Opens in Troy Hill

Latest developments: A new outdoor play-and-learn space for children opened at a Troy Hill school.

Students at the Troy Hill school gained a fresh outdoor area to play and learn, WPXI reports, adding a neighborhood amenity on the city's North Side.

- WPXI: https://www.wpxi.com/news/local/new-space-pittsburgh-children-play-learn-opens-troy-hill/VHBBWPRWK5AARCUNRHBEM5W5BY/

Events:

* Third Eye Blind Coming to Pittsburgh

Latest developments: In an exclusive City Paper interview published today, Third Eye Blind drummer Brad Hargreaves discussed the band's upcoming Pittsburgh concert and traced part of its origin to a visit to the Andy Warhol Museum.

The 1990s alt-rock band Third Eye Blind plays an upcoming Pittsburgh show. Drummer Brad Hargreaves talked with City Paper about the city, the band's Warhol Museum inspiration, and celebrity feuds ahead of the date.

- Pittsburgh City Paper: https://www.pghcitypaper.com/arts-entertainment-2/music/third-eye-blind-drummer-brad-hargreaves-exclusive-interview-warhol-museum/

SPORTS
----------------------------------------------------------------

Pirates (37-37)
Tue Jun 16 · Pirates 6 · Athletics 5 · Final
Lowe hits go-ahead homer, Reynolds connects twice as Pirates rally past Athletics for 6-5 victory
https://plaintextsports.com/mlb/2026-06-16/pit-ath
Up Next · Pirates @ Athletics · Wed Jun 17, 9:40 PM
https://plaintextsports.com/mlb/2026-06-17/pit-ath

Around the Teams:

* Steelers Pass on Supplemental Draft QB

Latest developments: The Post-Gazette reports the Steelers are unlikely to bid on quarterback Brendan Sorsby in the NFL's supplemental draft.

With Drew Allar and the current quarterback room in place, the Steelers look set to sit out the supplemental draft rather than spend a future pick on Sorsby, the Post-Gazette reports.

- Post-Gazette Steelers: https://www.post-gazette.com/sports/steelers/2026/06/16/sorsby-gambling-supplemental-draft-allar-howard/stories/202606160042

* Forging Steel Episode Two Drops

Latest developments: The Steelers released the second episode of their documentary series Forging Steel, an inside look at the 2026 NFL Draft, with coach Mike McCarthy addressing the team.

The team's YouTube channel posted Forging Steel, Season 1, Episode 2, titled 'Pittsburgh is on the Clock,' taking viewers behind the scenes of the Steelers' draft process and front-office decisions.

- Pittsburgh Steelers (YouTube): https://www.youtube.com/watch?v=TkV9_btUE3c

* SNR Drive Scouts the 2027 QBs

Latest developments: On SNR Drive, Matt Williamson and Wes Uhler turned to the 2027 NFL Draft class, scouting the next generation of quarterbacks.

The Steelers' SNR Drive hosts broke down college quarterbacks eligible in 2027, part of the show's continuing focus on where the team might find its long-term passer.

- Pittsburgh Steelers (YouTube): https://www.youtube.com/watch?v=5tvT88338iI

READING
----------------------------------------------------------------

* Stratechery -- The State of Fable, The Jailbreak Problem, SpaceX Acquires Cursor
Thompson argues the administration is very likely wrong in its view of the Fable model, though he lays responsibility for the outcome on Anthropic, and weighs the jailbreak problem alongside SpaceX's acquisition of Cursor.
https://stratechery.com/2026/the-state-of-fable-the-jailbreak-problem-spacex-acquires-cursor/

* Ed Zitron -- Exclusive: OpenAI Losses Increased Nearly 8X in 2025, With Spending Hitting $34 Billion
Zitron reports OpenAI's losses grew almost eightfold in 2025 as spending reached $34 billion, arguing the figures undercut any credible path to profitability.
https://www.wheresyoured.at/exclusive-openai-financials/

* Cal Newport -- AI Isn't Breaking Work. It's Already Broken.
Drawing on an FT interview with the Work AI Institute's Rebecca Hinds, Newport argues knowledge work was already broken by overload and distraction long before AI arrived.
https://calnewport.com/ai-isnt-breaking-work-its-already-broken/

MARKETS (weekly average, change vs prior week)
----------------------------------------------------------------
S&P 500      7,431.68   ▼ -0.4%
Dow         51,128.10   ▲ +0.3%
Nasdaq      25,985.66   ▼ -0.8%
WTI crude       83.88   ▼ -8.6%
EUR/USD        1.1569   ▼ -0.1%
GBP/USD        1.3403   ▲ +0.1%
USD/JPY        160.25   ▲ +0.1%

================================================================
Generated 2026-06-17 06:05 EDT.
Sources: 24 security feeds; 9 Pittsburgh feeds; 4 Pittsburgh arts and events feeds; 6 Pittsburgh sports beat and podcast feeds; the Wall Street Journal, the Economist, and the Financial Times; and Ed Zitron, Stratechery, Cal Newport. Markets from Yahoo Finance, weather from the NWS, scores from ESPN.
Summaries are AI-generated from the linked reporting; verify at the sources.
================================================================