================================================================
INFOSECFOLLOW -- security, markets, business, pittsburgh
Thursday, June 18, 2026 - 12:18 AM EDT
================================================================

A low-skilled attacker wielding Anthropic's Claude Code and OpenAI's Codex breached 14 companies, the clearest sign yet that agentic AI is collapsing the skill floor for cyberattacks.

CONTENTS: Emerging Trends and Key Updates | Security | Business and Politics | Pittsburgh | Sports | Reading | Markets

EMERGING TRENDS AND KEY UPDATES
----------------------------------------------------------------
* Off-the-shelf coding agents like Claude Code and OpenAI's Codex now let novices run intrusions that once demanded years of skill, and defenders concede capable hacking models will spread no matter what export controls say.
* Attackers keep seizing trusted package maintainers, this week hijacking one npm account to poison 144 Mastra AI-framework libraries that thousands of developers pull blind.
* Cryptocurrency thieves dress malware in legitimacy through paid news posts, fake VirusTotal comments, and AI-narrated videos to push a worm-like clipper that quietly swaps wallet addresses at the moment of a transfer.
* The United States and Iran signed a war-ending accord, effective immediately, ahead of Friday's ceremony.
* At Warsh's first meeting the Fed held rates steady but signaled a year-end increase.
* A FortiBleed leak exposed 73,932 Fortinet VPN credentials and 30,000 firewalls via FortiSandbox flaws.
* A low-skilled attacker used Claude Code and Codex to breach 14 companies.
* Nightmare Eclipse dropped three Microsoft zero-days, one bypassing BitLocker via a USB stick.
* Microsoft and Check Point detailed a worm-like crypto clipper hijacking wallet addresses through fake hype.
* Attackers hijacked 144 Mastra npm packages in a campaign codenamed easy-day-js.
* An ICE procurement bought immigrants' tax IDs from a data broker, which Senator Wyden calls overreach.
* Storms and a tornado threat hit Western Pennsylvania Thursday morning, prompting outage warnings.

SECURITY
----------------------------------------------------------------

1. FORTIBLEED CREDENTIAL LEAK WIDENS
Vulnerabilities and Exploits · [breach, credentials]
Latest developments: BleepingComputer pinned the leak at 73,932 Fortinet and FortiGate VPN credential URLs, and SOCRadar counted 30,000 compromised firewalls exposed through three recently patched FortiSandbox flaws.
The FortiBleed dump exposes working VPN credentials for tens of thousands of Fortinet devices at organizations across nearly 200 countries, among them Oracle, Lenovo, FedEx, and a NATO contractor. Rotate credentials and patch FortiSandbox at once.
- BleepingComputer: https://www.bleepingcomputer.com/news/security/fortibleed-leak-exposes-fortinet-vpn-credentials-for-73-000-devices/
- SecurityWeek: https://www.securityweek.com/3-recently-patched-fortinet-fortisandbox-vulnerabilities-in-hacker-crosshairs/
- Dark Reading: https://www.darkreading.com/cyberattacks-data-breaches/sweeping-credential-harvesting-heist-compromises-30k-fortinet-devices

2. SURVEILLANCE AND PRIVACY RULES SHIFT
Policy and Regulation · [policy, privacy]
Latest developments: A $10 million procurement reviewed by 404 Media shows ICE buying immigrants' tax identifiers from a data broker, which Senator Ron Wyden calls an end-run around a court order, as Google prepares to use UK and EU IP addresses for ad personalization from August 3 and Britain readies a social-media ban for under-16s.
Governments and platforms are widening data collection on citizens, spanning immigration enforcement, ad targeting, and age verification. Privacy experts warn each move erodes anonymity and expands the surveillance surface.
- 404 Media: https://www.404media.co/ice-appears-to-be-buying-immigrants-tax-identifiers-from-a-data-broker/
- BleepingComputer: https://www.bleepingcomputer.com/news/security/google-to-use-uk-and-eu-user-ip-addresses-for-ad-personalization/
- Dark Reading: https://www.darkreading.com/cyber-risk/uk-social-media-ban-privacy-experts-worried

3. AGENTIC AI COLLAPSES THE ATTACKER SKILL FLOOR
AI Security · [ai, malware]
Latest developments: OALABS recovered more than 1,000 agent sessions from a compromised server and found a low-skilled attacker ran Anthropic's Claude Code and OpenAI's Codex to slip past their guardrails and breach 14 companies.
Researchers warn agentic coding tools hand novices the reach of seasoned intruders, and Ars Technica adds that models with strong hacking ability will become common whatever export rules say. Treat AI agents as a live offensive capability and tighten monitoring of their use.
- Help Net Security: https://www.helpnetsecurity.com/2026/06/17/ai-agents-offensive-cyber-operations-claude-codex/
- Ars Technica Security: https://arstechnica.com/ai/2026/06/dangerous-ai-models-are-coming-no-matter-what/

4. SECURE BOOT AND BITLOCKER DEFENSES FALTER
Vulnerabilities and Exploits · [zero-day, patch]
Latest developments: Ars Technica warned that Secure Boot signing keys on Windows and Linux machines expire soon and need replacing, while the leaker Nightmare Eclipse dropped three Microsoft zero-days, one letting anyone with a USB stick walk past BitLocker disk encryption.
Expiring Secure Boot keys threaten to break trusted boot, and the BitLocker bypass undermines full-disk encryption on lost or stolen laptops. Update Secure Boot keys before the deadline and watch for Microsoft's emergency fixes.
- Ars Technica Security: https://arstechnica.com/security/2026/06/windows-and-linux-users-the-deadline-to-update-secure-boot-keys-is-near/
- Graham Cluley: https://grahamcluley.com/smashing-security-podcast-472/

5. CRYPTO CLIPPER SPREADS THROUGH FAKE HYPE
Ransomware and Cybercrime · [malware, cryptocurrency]
Latest developments: Microsoft Threat Intelligence and Check Point Research detailed a clipboard-hijacking clipper that swaps cryptocurrency wallet addresses, spreads worm-like, reaches Tor command servers, and builds buzz through paid news posts, fake VirusTotal comments, and AI-narrated YouTube videos.
The clipper replaces a copied wallet address with the attacker's the moment a victim pastes it, diverting transfers, and plants a lightweight backdoor for follow-on access. Verify pasted crypto addresses and shun software promoted through unsolicited reviews.
- Microsoft Security Blog: https://www.microsoft.com/en-us/security/blog/2026/06/17/crypto-clipper-uses-tor-worm-like-propagation-for-persistence-control/
- The Hacker News: https://thehackernews.com/2026/06/crypto-clipper-campaign-abuses-fake.html

6. MASTRA NPM PACKAGES HIJACKED
Vulnerabilities and Exploits · [supply-chain, npm]
Latest developments: Attackers hijacked the npm account ehindero to compromise 144 packages in the Mastra AI-framework namespace, a campaign Endor Labs, JFrog, SafeDep, Socket, and StepSecurity codenamed easy-day-js.
Mastra is a widely used open-source JavaScript and TypeScript framework for building AI applications, so the poisoned @mastra/* packages endanger every project that pulls them. Pin versions, audit installs, and rotate any exposed tokens.
- The Hacker News: https://thehackernews.com/2026/06/144-mastra-npm-packages-compromised-via.html

BUSINESS AND POLITICS
----------------------------------------------------------------

* U.S. and Iran Sign War-Ending Accord
Latest developments: The United States and Iran signed the memorandum of understanding Wednesday, days ahead of the Friday ceremony planned in Switzerland, and Pakistan's prime minister said it took immediate effect.
The accord winds down the war that began February 28, releases Iran's frozen funds, and eases banking and transport sanctions while letting Tehran keep its ballistic missiles; the Wall Street Journal estimates the restored oil sales could earn Iran more than $60 billion a year, and President Trump warned he could resume bombing if Tehran breaks the terms.
- FT World: https://www.ft.com/content/d4f89b6b-c213-4550-924b-a9ae45e24c37
- WSJ World News: https://www.wsj.com/world/middle-east/deal-gives-iran-chance-to-turbocharge-its-oil-revenue-5b481eb6

* Warsh Fed Signals a Rate Rise
Latest developments: At Kevin Warsh's first meeting as chair the Federal Open Market Committee held its benchmark rate steady in a unanimous vote, and officials' new projections pointed to at least one increase by year-end, sending stocks lower and Treasury yields and the dollar higher.
Warsh, who scrapped the Fed's explicit forward guidance and dropped its bias toward cuts, framed the hawkish turn as taming the inflation jolt from the Iran war, which has pushed prices toward double the central bank's 2% target.
- FT World: https://www.ft.com/content/f2463587-91e9-4da4-94b2-9cb9a270b74a
- WSJ Markets: https://www.wsj.com/finance/stocks/global-stocks-markets-dow-update-06-17-2026-05228bac?mod=rss_markets_main
- FT Markets: https://www.ft.com/content/0fda593c-7de5-44e2-825c-53d7451d5f70

PITTSBURGH
----------------------------------------------------------------

Weather:
Overnight: Scattered Showers And Thunderstorms, low 68F.
Thursday: Chance Showers And Thunderstorms then Mostly Sunny, high 84F.
Thursday Night: Partly Cloudy, low 59F.

Business:

* Skill-Games Taxation in Limbo
Latest developments: Pennsylvania operators, lawmakers, and players are weighing how the machines will be taxed after this week's state Supreme Court ruling classified skill games as slot machines under state law.
The decision subjects the thousands of skill games in Pennsylvania bars, convenience stores, and clubs to gaming regulation, and Harrisburg now faces pressure to set a tax rate on a market that has run untaxed for years.
- WPXI: https://www.wpxi.com/news/local/pennsylvanians-weigh-court-ruling-that-could-lead-taxation-skill-games/SH3EGHR7OREYNL5727KLV52Y2Y/

* Pittsburgh Limits Vape Shops by Zoning
Latest developments: Mayor Corey O'Connor signed an ordinance Wednesday that uses zoning rules to restrict where vape shops can operate in Pittsburgh.
The legislation sets zoning limits on vape and tobacco retailers across the city, the latest municipal effort to curb their spread.
- KDKA: https://www.cbsnews.com/pittsburgh/video/pittsburgh-mayor-signs-vape-shop-zoning-ordinance/

Around town:

* Storms, Tornado Threat Hit Region Thursday Morning
Latest developments: Storms moved into Western Pennsylvania overnight into Thursday, June 18, carrying a tornado risk, flash flooding, and damaging winds, and Duquesne Light urged customers to ready for outages.
The National Weather Service flagged the early-Thursday system as a severe-weather threat for the Pittsburgh region, with strong low-level wind shear keeping storms organized through the morning commute before gusty winds linger most of the day.
- WTAE: https://www.wtae.com/article/severe-weather-alert-day-thursday-risk-for-flash-flooding-and-gusty-winds/71610265
- WPXI: https://www.wpxi.com/weather/strong-storms-move-through-western-pennsylvania-overnight/ORMIOYKVENELRORRRU5VCTP53Q/
- WTAE: https://www.wtae.com/article/duquesne-light-western-pa-storms-june-18-2026/71618783

* Commercial Street to Close June 29
Latest developments: PennDOT moved up the closure under the Commercial Street Bridge on the Parkway East to June 29, earlier than the early-July start it first announced, ahead of a full bridge closure in July.
The work on Interstate 376 in Pittsburgh's East End will shut Commercial Street beneath the span, a change that has drawn complaints from nearby residents.
- WTAE: https://www.wtae.com/article/commercial-street-to-close-earlier-than-anticipated-residents-outraged/71607218

* Pittsburgh Relaunches Police Co-Response Teams
Latest developments: Pittsburgh's Office of Community Health and Safety relaunched and moved to expand its co-response program Wednesday, pairing a police officer with a social worker on certain 911 calls.
Community social worker Jaime Gribben-Mahoney and her police partners answer mental-health and related calls together in Downtown Pittsburgh, an approach the city says reaches people reluctant to deal with officers alone.
- WPXI: https://www.wpxi.com/news/local/pittsburgh-relaunches-ochs-co-response-program-mental-health-emergencies/TLVPLQCAM5DYXGGVRCWYY3R6YE/
- KDKA: https://www.cbsnews.com/pittsburgh/news/pittsburgh-co-response-program-expansion/

Events:

* Juneteenth Observances Across Pittsburgh
Latest developments: Pittsburgh's Juneteenth festivals, film screenings, and gatherings run up to the June 19 holiday, now two days out.
The Pittsburgh Post-Gazette's guide rounds up the region's June 19 observances, from festivals to film screenings marking the end of slavery in the United States.
- Post-Gazette Arts & Entertainment: https://www.post-gazette.com/life/recreation/2026/06/16/juneteenth-events-pittsburgh-2026/stories/202606170002

SPORTS
----------------------------------------------------------------

Pirates (37-37)
Wed Jun 17 · Pirates 12 · Athletics 3 · Bot 8th (in progress at last update)
https://plaintextsports.com/mlb/2026-06-17/pit-ath
Up Next · Pirates @ Rockies · Fri Jun 19, 8:40 PM
https://plaintextsports.com/mlb/2026-06-19/pit-col

Around the Teams:

* Steelers Likely to Pass on QB Brendan Sorsby
Latest developments: Post-Gazette writers said this week the Steelers should and likely will sit out any bid for quarterback Brendan Sorsby in the NFL supplemental draft.
Sorsby became available through the supplemental draft after a gambling matter, and the Post-Gazette's analysis concluded the Steelers have little reason to spend a pick to acquire him.
- Post-Gazette Steelers: https://www.post-gazette.com/sports/steelers/2026/06/17/nfl-news-rumors-brendan-sorsby/stories/202606170039
- Post-Gazette Steelers: https://www.post-gazette.com/sports/steelers/2026/06/16/sorsby-gambling-supplemental-draft-allar-howard/stories/202606160042

* Film Room: Rookie DT Gabriel Rubio
Latest developments: The Post-Gazette's film breakdown cast Steelers defensive tackle Gabriel Rubio, from Notre Dame, as a solid run defender whose violent hands hold up at the point of attack.
Rubio projects as a rotational run-stopper on a Steelers defensive line that includes Derrick Harmon.
- Post-Gazette Steelers: https://www.post-gazette.com/sports/steelers/2026/06/17/steelers-film-room-gabriel-rubio-notre-dame-vega-ioane-derrick-harmon/stories/202606170036

* Ex-Steel City Infielders Return With Athletics
Latest developments: Jacob Wilson and Alika Williams, in town with the Athletics for the series against the Pirates, told the Post-Gazette they hold fond memories of their time in Pittsburgh.
The two Athletics infielders, with Pittsburgh roots, reflected on their days in the city as the clubs met this week at PNC Park.
- Post-Gazette Pirates: https://www.post-gazette.com/sports/pirates/2026/06/17/athletics-jack-jacob-wilson-alika-williams-mlb/stories/202606170031

READING
----------------------------------------------------------------

* Stratechery -- The State of Fable, The Jailbreak Problem, SpaceX Acquires Cursor
Argues the Trump administration is very likely wrong about Anthropic's Fable model, and that responsibility for the jailbreak problem ultimately rests with Anthropic itself.
https://stratechery.com/2026/the-state-of-fable-the-jailbreak-problem-spacex-acquires-cursor/

* Ed Zitron -- Exclusive: OpenAI Losses Increased Nearly 8X in 2025, With Spending Hitting $34 Billion
Reports that OpenAI's losses grew nearly eightfold in 2025 as spending reached $34 billion, building the case that the company has no path to profitability.
https://www.wheresyoured.at/exclusive-openai-financials/

* Cal Newport -- AI Isn't Breaking Work. It's Already Broken.
Responds to a Financial Times interview with Rebecca Hinds of the Work AI Institute about a survey of 6,000 workers, arguing the dysfunction people blame on AI was already built into modern knowledge work.
https://calnewport.com/ai-isnt-breaking-work-its-already-broken/

MARKETS (weekly average, change vs prior week)
----------------------------------------------------------------
S&P 500      7,462.30   ▲ +0.8%
Dow         51,442.85   ▲ +1.3%
Nasdaq      26,156.09   ▲ +1.1%
WTI crude       81.24   ▼ -10.4%
EUR/USD        1.1584   ▲ +0.2%
GBP/USD        1.3414   ▲ +0.3%
USD/JPY        160.25   ▲ +0.1%

================================================================
Generated 2026-06-18 00:18 EDT.
Sources: 24 security feeds; 9 Pittsburgh feeds; 4 Pittsburgh arts and events feeds; 6 Pittsburgh sports beat and podcast feeds; the Wall Street Journal, the Economist, and the Financial Times; and Ed Zitron, Stratechery, Cal Newport. Markets from Yahoo Finance, weather from the NWS, scores from ESPN.
Summaries are AI-generated from the linked reporting; verify at the sources.
================================================================