infosecfollow

daily plain-text briefing: security, markets, business, and pittsburgh

A Russian-speaking crew accidentally leaked working VPN credentials for nearly 74,000 Fortinet firewalls—reaching Oracle, Lenovo, FedEx, and a NATO contractor—while fresh supply-chain attacks poisoned WordPress and npm software channels.


Emerging Trends and Key Updates

Security

1. FortiBleed Credential Leak Traced to Russian Crew

Data Breaches · [breach, credentials, vpn]

Latest developments: Researcher Volodymyr "Bob" Diachenko traced FortiBleed to a Russian-speaking cybercriminal group that accidentally exposed the stolen credentials, tools, and artifacts on one of its own servers.

FortiBleed is a dump of VPN credentials pulled from the configuration files of roughly 74,000 Fortinet and FortiGate firewalls worldwide, with affected organizations including Oracle, Lenovo, FedEx, a NATO contractor, and Fortinet itself; attackers have already compiled verified working logins and compromised more than 30,000 devices across nearly 200 countries. Administrators should rotate VPN credentials and audit firewall configurations.

Sources: BleepingComputer · Help Net Security · Ars Technica Security · Dark Reading

2. Supply-Chain Attacks Poison WordPress and npm

Vulnerabilities and Exploits · [supply-chain, wordpress, npm]

Latest developments: Attackers hijacked ShapedPlugin's official update system to push infected WordPress plugin releases to paying customers, while Microsoft detailed a poisoned Mastra npm package that hid a postinstall payload across more than 140 projects.

Attackers are subverting trusted software-distribution channels rather than breaching targets directly, sending tainted releases through legitimate vendor update flows and package registries; GitGuardian notes the same year already brought Megalodon's 5,500 backdoored GitHub repositories and the cross-registry TrapDoor campaign. Teams should audit dependencies and watch developer endpoints for harvested secrets.

Sources: BleepingComputer · Microsoft Security Blog · Help Net Security

3. Vendors Patch Critical Cisco, Atlassian, Splunk, and Apple Flaws

Vulnerabilities and Exploits · [patch, vulnerability]

Latest developments: Cisco patched a critical command-execution flaw in Identity Services Engine that lets an attacker reach the underlying operating system and escalate to root; Atlassian and Splunk fixed critical bugs, Splunk's an OS command injection in its AI Toolkit; and Apple closed a high-severity Beats Studio Buds Bluetooth flaw that let nearby attackers eavesdrop on conversations.

A wave of out-of-band and scheduled fixes spans enterprise and consumer gear, with the Cisco ISE root-access bug the most dangerous of the set. Administrators should apply each vendor's update promptly, prioritizing the Cisco ISE patch.

Sources: SecurityWeek · SecurityWeek · BleepingComputer

4. Malware Targets Android Banking and Roblox Games

Ransomware and Cybercrime · [malware, android, cybercrime]

Latest developments: SecurityWeek detailed Rokarolla, an Android banking trojan that targets 200 applications to seize control of infected devices and harvest sensitive data, while Roblox developers told 404 Media that hackers now hijack entire games rather than steal in-game items.

Financially motivated crews are moving toward consumer platforms with high payoff, draining mobile banking apps through device-takeover malware and commandeering Roblox games that earn creators millions through in-game purchases. Users should install apps only from vetted sources, and Roblox studios should harden account access.

Sources: SecurityWeek · Help Net Security

5. EU Extends Cyber Defenses to Ukraine and 6G

Policy and Regulation · [policy, eu]

Latest developments: The European Union granted Ukraine access to its reserve of pre-approved cybersecurity incident-response firms as Kyiv moves toward formal accession, and launched Shield-6G to defend future 6G networks with AI threat detection, digital twins, and honeypots.

Brussels is widening its collective cyber posture, folding Ukraine into the bloc's emergency-response pool and funding early research to secure next-generation 6G carrier networks. Both moves aim to position European defenders ahead of state-backed threats.

Sources: The Record · Dark Reading

6. Telegram Ban Lands in India's Courts

Policy and Regulation · [policy, censorship]

Latest developments: India told the Delhi High Court that it warned Telegram about two weeks before the block and that the platform admitted it could not proactively detect the channels selling leaked exam papers; Telegram says it cooperated and calls the ban unlawful.

India blocked Telegram until June 22 after leaked exam papers spread on the app, and chief executive Pavel Durov accused telecom Reliance of BGP hijacking that knocked the service offline as far away as the United Arab Emirates. The dispute now turns on whether Telegram could have policed the channels.

Sources: BleepingComputer · BleepingComputer

Business and Politics

Bank of England Holds at 3.75%, Warns on Hormuz

Latest developments: The Bank of England left its benchmark rate at 3.75% Thursday and signaled it may yet raise rates if the reopening of the Strait of Hormuz fails to unwind the energy-driven inflation the war touched off.

The Bank of England's Monetary Policy Committee held UK interest rates at 3.75%, with a majority preferring to wait and watch even as the US-Iran deal pushed oil prices lower; the bank flagged a possible future increase to curb inflation stoked by the wartime closure of the Hormuz energy bottleneck.

Sources: FT · WSJ

Pittsburgh

Weather

Today: Chance Rain Showers then Mostly Sunny, high 83F.

Tonight: Partly Cloudy, low 59F.

Juneteenth: Sunny, high 78F.

Business

U.S. Steel Under Nippon, One Year In

Latest developments: The Post-Gazette examined how U.S. Steel's Mon Valley Works has changed in the year since Japan's Nippon Steel completed its acquisition.

A year after Nippon Steel took over U.S. Steel, the Post-Gazette assessed the changes at the Mon Valley Works, the Pittsburgh-area steelmaking operations that sat at the center of the long-contested deal.

Sources: Pittsburgh Post-Gazette

Independent Pharmacy Opens in Blairsville

Latest developments: John Pastorek is opening an independent pharmacy in Blairsville, running against the national decline of neighborhood drugstores.

John Pastorek, who learned the trade working alongside his mother at Freeport Pharmacy, plans to open an independent pharmacy in Blairsville, bucking the national trend of independent-pharmacy closures driven by chains and pharmacy-benefit managers.

Sources: TribLive

Around Town

Penn Township Bans E-Bikes in Municipal Park

Latest developments: Penn Township commissioners voted Wednesday to ban e-bikes and e-scooters from the township's Municipal Park Complex.

Penn Township's board of commissioners passed an ordinance prohibiting e-bicycles and e-scooters in the Municipal Park Complex, citing safety concerns for park visitors and riders alike; township manager Mary Perez announced the decision.

Sources: KDKA

Leetsdale Fires Borough Manager

Latest developments: Leetsdale officials fired the borough manager and hired an interim replacement.

Leetsdale Borough, in the Sewickley area of Allegheny County, dismissed its borough manager and installed an interim replacement, the latest turnover atop the borough's administration.

Sources: TribLive

Greensburg's Palace Theatre Renovated

Latest developments: Renovations and upgrades are reviving Greensburg's 100-year-old Palace Theatre.

The Palace Theatre, a century-old venue in downtown Greensburg, Westmoreland County, is undergoing renovations and equipment upgrades aimed at bringing new life to the historic stage.

Sources: TribLive

Events

Juneteenth Across Pittsburgh

Latest developments: Pittsburgh's Juneteenth festivities are underway, headlined by the unveiling of a historical marker honoring abolitionist George B. Vashon.

CitiParks and community groups are staging Juneteenth events across Pittsburgh around the June 19 holiday—festivals, performances, films, and a turtle race—anchored by the unveiling of a historical marker honoring George B. Vashon, the 19th-century Black abolitionist and educator.

Sources: WTAE · Pittsburgh Post-Gazette

Sports

Pirates (38-37)

Wed Jun 17 · Pirates 12 · Athletics 4 · Final

Ryan O'Hearn knocks in career-high 6 runs as Pirates roll to 12-4 victory over Athletics

Up Next · Pirates @ Rockies · Fri Jun 19, 8:40 PM

Around the Teams

Steelers Expected to Pass on Brendan Sorsby

Latest developments: Steelers beat writers say Pittsburgh should and likely will avoid quarterback Brendan Sorsby in the NFL's supplemental draft.

Quarterback Brendan Sorsby became eligible for the NFL's supplemental draft after a gambling matter; Post-Gazette writers, including Gerry Dulac, argued the Steelers are right to steer clear of him despite the team's longer-term questions at the position.

Sources: Pittsburgh Post-Gazette · Pittsburgh Post-Gazette

Reading

Markets

weekly average, change vs prior week

S&P 500     7,462.30  ▲ +0.8%
Dow        51,442.85  ▲ +1.3%
Nasdaq     26,156.09  ▲ +1.1%
WTI crude      81.24  ▼ -10.4%
EUR/USD       1.1584  ▲ +0.2%
GBP/USD       1.3414  ▲ +0.3%
USD/JPY       160.25  ▲ +0.1%