================================================================
INFOSECFOLLOW -- security, markets, business, pittsburgh
Thursday, June 18, 2026 - 9:05 AM EDT
================================================================

A Russian-speaking crew accidentally leaked working VPN credentials for nearly 74,000 Fortinet firewalls—reaching Oracle, Lenovo, FedEx, and a NATO contractor—while fresh supply-chain attacks poisoned WordPress and npm software channels.

CONTENTS: Emerging Trends and Key Updates | Security | Business and Politics | Pittsburgh | Sports | Reading | Markets

EMERGING TRENDS AND KEY UPDATES
----------------------------------------------------------------

* [TREND] Attackers are poisoning trusted software pipelines, slipping infected ShapedPlugin updates to paying WordPress customers and hiding a payload in a Mastra npm package across 140-plus projects.
see: Supply-Chain Attacks Poison WordPress and npm

* [UPDATE (updated)] Researcher Volodymyr Diachenko traced the FortiBleed dump of working logins for nearly 74,000 Fortinet firewalls to a Russian-speaking crew that exposed the loot on its own server.
see: FortiBleed Credential Leak Traced to Russian Crew

* [TREND] Cybercriminals are chasing softer targets, building the Rokarolla trojan to drain 200 Android banking apps while hijacking entire Roblox games from their creators.
see: Malware Targets Android Banking and Roblox Games

* [UPDATE (new)] Vendors shipped critical fixes, with Cisco patching a root-level command flaw in Identity Services Engine and Splunk closing an OS command injection in its AI tooling.
see: Vendors Patch Critical Cisco, Atlassian, Splunk, and Apple Flaws

* [UPDATE (new)] Governments tightened defenses as the EU extended its incident-response reserve to Ukraine and launched Shield-6G, while India defended its Telegram ban in the Delhi High Court.
see: EU Extends Cyber Defenses to Ukraine and 6G; Telegram Ban Lands in India's Courts

* [TREND] Commentators reassessed AI's economics, as Zitron reports OpenAI's $34 billion spend, Newport argues AI merely exposes already-broken knowledge work, and Morton weighs its e-commerce reshaping.
see: Exclusive: OpenAI Losses Increased Nearly 8X in 2025, With Spending Hitting $34 Billion; AI Isn't Breaking Work. It's Already Broken.; An Interview with Michael Morton About E-Commerce in the Age of AI

SECURITY
----------------------------------------------------------------

1. FORTIBLEED CREDENTIAL LEAK TRACED TO RUSSIAN CREW
Data Breaches · [breach, credentials, vpn]

Latest developments: Researcher Volodymyr "Bob" Diachenko traced FortiBleed to a Russian-speaking cybercriminal group that accidentally exposed the stolen credentials, tools, and artifacts on one of its own servers.

FortiBleed is a dump of VPN credentials pulled from the configuration files of roughly 74,000 Fortinet and FortiGate firewalls worldwide, with affected organizations including Oracle, Lenovo, FedEx, a NATO contractor, and Fortinet itself; attackers have already compiled verified working logins and compromised more than 30,000 devices across nearly 200 countries. Administrators should rotate VPN credentials and audit firewall configurations.

- BleepingComputer: https://www.bleepingcomputer.com/news/security/fortibleed-leak-exposes-fortinet-vpn-credentials-for-73-000-devices/
- Help Net Security: https://www.helpnetsecurity.com/2026/06/18/fortinet-fortibleed-data-leak/
- Ars Technica Security: https://arstechnica.com/security/2026/06/massive-breach-spills-credentials-for-thousands-of-sensitive-networks/
- Dark Reading: https://www.darkreading.com/cyberattacks-data-breaches/sweeping-credential-harvesting-heist-compromises-30k-fortinet-devices

2. SUPPLY-CHAIN ATTACKS POISON WORDPRESS AND NPM
Vulnerabilities and Exploits · [supply-chain, wordpress, npm]

Latest developments: Attackers hijacked ShapedPlugin's official update system to push infected WordPress plugin releases to paying customers, while Microsoft detailed a poisoned Mastra npm package that hid a postinstall payload across more than 140 projects.

Attackers are subverting trusted software-distribution channels rather than breaching targets directly, sending tainted releases through legitimate vendor update flows and package registries; GitGuardian notes the same year already brought Megalodon's 5,500 backdoored GitHub repositories and the cross-registry TrapDoor campaign. Teams should audit dependencies and watch developer endpoints for harvested secrets.

- BleepingComputer: https://www.bleepingcomputer.com/news/security/shapedplugin-update-flow-hacked-to-infect-wordpress-sites/
- Microsoft Security Blog: https://www.microsoft.com/en-us/security/blog/2026/06/17/postinstall-payload-inside-mastra-npm-supply-chain-compromise/
- Help Net Security: https://www.helpnetsecurity.com/2026/06/18/gitguardian-developer-endpoint-protection/

3. VENDORS PATCH CRITICAL CISCO, ATLASSIAN, SPLUNK, AND APPLE FLAWS
Vulnerabilities and Exploits · [patch, vulnerability]

Latest developments: Cisco patched a critical command-execution flaw in Identity Services Engine that lets an attacker reach the underlying operating system and escalate to root, Atlassian and Splunk fixed critical bugs—Splunk an OS command injection in its AI Toolkit—and Apple closed a high-severity Beats Studio Buds Bluetooth flaw that let nearby attackers eavesdrop on conversations.

A wave of out-of-band and scheduled fixes spans enterprise and consumer gear, with the Cisco ISE root-access bug the most dangerous of the set. Administrators should apply each vendor's update promptly, prioritizing the Cisco ISE patch.
- SecurityWeek: https://www.securityweek.com/critical-command-execution-vulnerability-patched-in-cisco-ise/
- SecurityWeek: https://www.securityweek.com/atlassian-splunk-patch-critical-vulnerabilities/
- BleepingComputer: https://www.bleepingcomputer.com/news/security/apple-fixes-beats-studio-buds-flaw-that-let-hackers-spy-on-conversations/

4. MALWARE TARGETS ANDROID BANKING AND ROBLOX GAMES
Ransomware and Cybercrime · [malware, android, cybercrime]

Latest developments: SecurityWeek detailed Rokarolla, an Android banking trojan that targets 200 applications to seize control of infected devices and harvest sensitive data, while Roblox developers told 404 Media that hackers now hijack entire games rather than steal in-game items.

Financially motivated crews are moving toward consumer platforms with high payoff, draining mobile banking apps through device-takeover malware and commandeering Roblox games that earn creators millions through in-game purchases. Users should install apps only from vetted sources, and Roblox studios should harden account access.

- SecurityWeek: https://www.securityweek.com/rokarolla-banking-trojan-targets-200-applications/
- Help Net Security: https://www.helpnetsecurity.com/2026/06/18/roblox-game-takeover-malware-attacks/

5. EU EXTENDS CYBER DEFENSES TO UKRAINE AND 6G
Policy and Regulation · [policy, eu]

Latest developments: The European Union granted Ukraine access to its reserve of pre-approved cybersecurity incident-response firms as Kyiv moves toward formal accession, and launched Shield-6G to defend future 6G networks with AI threat detection, digital twins, and honeypots.

Brussels is widening its collective cyber posture, folding Ukraine into the bloc's emergency-response pool and funding early research to secure next-generation 6G carrier networks. Both moves aim to position European defenders ahead of state-backed threats.
- The Record: https://therecord.media/ukraine-access-eu-cybersecurity-reserve
- Dark Reading: https://www.darkreading.com/cybersecurity-operations/eu-6g-network-security

6. TELEGRAM BAN LANDS IN INDIA'S COURTS
Policy and Regulation · [policy, censorship]

Latest developments: India told the Delhi High Court that it warned Telegram about two weeks before the block and that the platform admitted it could not proactively detect the channels selling leaked exam papers; Telegram says it cooperated and calls the ban unlawful.

India blocked Telegram until June 22 after leaked exam papers spread on the app, and chief executive Pavel Durov accused telecom Reliance of BGP hijacking that knocked the service offline as far away as the United Arab Emirates. The dispute now turns on whether Telegram could have policed the channels.

- BleepingComputer: https://www.bleepingcomputer.com/news/security/telegram-admits-it-couldnt-police-exam-leak-channels-india-tells-court/
- BleepingComputer: https://www.bleepingcomputer.com/news/security/indias-telegram-ban-hit-the-uae-too-heres-how-to-get-around-it/

BUSINESS AND POLITICS
----------------------------------------------------------------

* Bank of England Holds at 3.75%, Warns on Hormuz

Latest developments: The Bank of England left its benchmark rate at 3.75% Thursday and signaled it may yet raise rates if the reopening of the Strait of Hormuz fails to unwind the energy-driven inflation the war touched off.

The Bank of England's Monetary Policy Committee held UK interest rates at 3.75%, with a majority preferring to wait and watch even as the US-Iran deal pushed oil prices lower; the bank flagged a possible future increase to curb inflation stoked by the wartime closure of the Hormuz energy bottleneck.
- FT: https://www.ft.com/content/be8397df-7c74-4eac-89cb-5936d7261b95
- WSJ: https://www.wsj.com/economy/central-banking/boe-leaves-rates-unchanged-signals-caution-on-hormuz-opening-f144dd3f

PITTSBURGH
----------------------------------------------------------------

Weather:
Today: Chance Rain Showers then Mostly Sunny, high 83F.
Tonight: Partly Cloudy, low 59F.
Juneteenth: Sunny, high 78F.

Business:

* U.S. Steel Under Nippon, One Year In

Latest developments: The Post-Gazette examined how U.S. Steel's Mon Valley Works has changed in the year since Japan's Nippon Steel completed its acquisition.

A year after Nippon Steel took over U.S. Steel, the Post-Gazette assessed the changes at the Mon Valley Works, the Pittsburgh-area steelmaking operations that sat at the center of the long-contested deal.

- Pittsburgh Post-Gazette: https://www.post-gazette.com/business/career-workplace/2026/06/18/us-steel-nippon-mon-valley-works/stories/202606160056

* Independent Pharmacy Opens in Blairsville

Latest developments: John Pastorek is opening an independent pharmacy in Blairsville, running against the national decline of neighborhood drugstores.

John Pastorek, who learned the trade working alongside his mother at Freeport Pharmacy, plans to open an independent pharmacy in Blairsville, bucking the national trend of independent-pharmacy closures driven by chains and pharmacy-benefit managers.

- TribLive: https://triblive.com/local/westmoreland/independent-pharmacy-bucking-national-trends-to-open-in-blairsville/

Around town:

* Penn Township Bans E-Bikes in Municipal Park

Latest developments: Penn Township commissioners voted Wednesday to ban e-bikes and e-scooters from the township's Municipal Park Complex.

Penn Township's board of commissioners passed an ordinance prohibiting e-bicycles and e-scooters in the Municipal Park Complex, citing safety concerns for park visitors and riders alike; township manager Mary Perez announced the decision.
- KDKA: https://www.cbsnews.com/pittsburgh/news/penn-township-votes-to-ban-e-bikes-e-scooters-in-municipal-park-complex/

* Leetsdale Fires Borough Manager

Latest developments: Leetsdale officials fired the borough manager and hired an interim replacement.

Leetsdale Borough, in the Sewickley area of Allegheny County, dismissed its borough manager and installed an interim replacement, the latest turnover atop the borough's administration.

- TribLive: https://triblive.com/local/sewickley/leetsdale-officials-fire-borough-manager-hire-interim-replacement/

* Greensburg's Palace Theatre Renovated

Latest developments: Renovations and upgrades are reviving Greensburg's 100-year-old Palace Theatre.

The Palace Theatre, a century-old venue in downtown Greensburg, Westmoreland County, is undergoing renovations and equipment upgrades aimed at bringing new life to the historic stage.

- TribLive: https://triblive.com/local/westmoreland/renovations-upgrades-bring-new-life-to-greensburgs-100-year-old-palace-theatre/

Events:

* Juneteenth Across Pittsburgh

Latest developments: Pittsburgh's Juneteenth festivities are underway, headlined by the unveiling of a historical marker honoring abolitionist George B. Vashon.

CitiParks and community groups are staging Juneteenth events across Pittsburgh around the June 19 holiday—festivals, performances, films, and a turtle race—anchored by the unveiling of a historical marker honoring George B. Vashon, the 19th-century Black abolitionist and educator.
- WTAE: https://www.wtae.com/article/pittsburgh-juneteenth-events-citiparks/71625249
- Pittsburgh Post-Gazette: https://www.post-gazette.com/life/recreation/2026/06/18/things-to-do-pittsburgh-this-weekend-3/stories/202606180018

SPORTS
----------------------------------------------------------------

Pirates (38-37)
Wed Jun 17 · Pirates 12 · Athletics 4 · Final
Ryan O'Hearn knocks in career-high 6 runs as Pirates roll to 12-4 victory over Athletics
https://plaintextsports.com/mlb/2026-06-17/pit-ath
Up Next · Pirates @ Rockies · Fri Jun 19, 8:40 PM
https://plaintextsports.com/mlb/2026-06-19/pit-col

Around the Teams:

* Steelers Expected to Pass on Brendan Sorsby

Latest developments: Steelers beat writers say Pittsburgh should and likely will avoid quarterback Brendan Sorsby in the NFL's supplemental draft.

Quarterback Brendan Sorsby became eligible for the NFL's supplemental draft after a gambling matter; Post-Gazette writers, including Gerry Dulac, argued the Steelers are right to steer clear of him despite the team's longer-term questions at the position.

- Pittsburgh Post-Gazette: https://www.post-gazette.com/sports/steelers/2026/06/16/sorsby-gambling-supplemental-draft-allar-howard/stories/202606160042
- Pittsburgh Post-Gazette: https://www.post-gazette.com/sports/steelers/2026/06/17/nfl-news-rumors-brendan-sorsby/stories/202606170039

READING
----------------------------------------------------------------

* Stratechery -- An Interview with Michael Morton About E-Commerce in the Age of AI
Ben Thompson interviews Michael Morton on how AI reshapes e-commerce, weighing unfalsifiable bear cases, distribution versus referral models, grocery, and autonomous vehicles.
https://stratechery.com/2026/an-interview-with-michael-morton-about-e-commerce-in-the-age-of-ai/

* Ed Zitron -- Exclusive: OpenAI Losses Increased Nearly 8X in 2025, With Spending Hitting $34 Billion
Citing financial documents, Zitron reports OpenAI's losses grew nearly eightfold in 2025 as spending reached $34 billion, and argues the company has no clear path to profitability.
https://www.wheresyoured.at/exclusive-openai-financials/

* Cal Newport -- AI Isn't Breaking Work. It's Already Broken.
Responding to a Financial Times interview about a survey of 6,000 workers, Newport argues AI is exposing dysfunction that already existed in how knowledge work is organized rather than creating it.
https://calnewport.com/ai-isnt-breaking-work-its-already-broken/

MARKETS (weekly average, change vs prior week)
----------------------------------------------------------------
S&P 500      7,462.30   ▲  +0.8%
Dow         51,442.85   ▲  +1.3%
Nasdaq      26,156.09   ▲  +1.1%
WTI crude       81.24   ▼ -10.4%
EUR/USD        1.1584   ▲  +0.2%
GBP/USD        1.3414   ▲  +0.3%
USD/JPY        160.25   ▲  +0.1%

================================================================
Generated 2026-06-18 09:05 EDT.
Sources: 24 security feeds; 9 Pittsburgh feeds; 4 Pittsburgh arts and events feeds; 6 Pittsburgh sports beat and podcast feeds; the Wall Street Journal, the Economist, and the Financial Times; and Ed Zitron, Stratechery, Cal Newport. Markets from Yahoo Finance, weather from the NWS, scores from ESPN.
Summaries are AI-generated from the linked reporting; verify at the sources.
================================================================