Daily plain-text briefing: security, markets, business, and Pittsburgh
Critical patches for Splunk, Cisco, and NGINX collided with the FortiBleed leak of VPN credentials for nearly 74,000 Fortinet firewalls, leaving enterprise edge and identity gear the day's main battleground.
Latest developments: CISA added Splunk Enterprise missing-authentication flaw CVE-2026-20253 to its known exploited catalog, Cisco patched a critical input-validation bug in Identity Services Engine that hands attackers root, and F5 detailed two critical NGINX Open Source flaws led by use-after-free CVE-2026-42530 at CVSS 9.2.
Splunk Enterprise, Cisco ISE, and NGINX Open Source all sit at the core of enterprise networks, and the flaws let unauthenticated attackers bypass authentication, gain root, or execute code, so administrators should apply the vendor fixes now. Atlassian and Splunk also shipped fixes for dozens of additional dependency and AI Toolkit bugs the same day.
Sources: CISA Advisories · SecurityWeek · The Hacker News · SecurityWeek
Latest developments: Human Rights Watch found Bulgaria licensed spyware firm Circles to sell to repressive regimes from 2018 through 2023, the UK Home Office advanced facial age estimation for asylum seekers despite its own tests flagging life-altering errors, and Google said it will use UK and EU IP addresses for ad personalization starting August 3, 2026.
The cases span spyware export controls, biometric surveillance of vulnerable migrants, and online ad tracking, each testing how far governments and platforms can push surveillance against privacy safeguards.
Sources: The Record · Wired Security · BleepingComputer
Latest developments: BleepingComputer and Help Net Security put the haul at 73,932 firewall URLs worldwide and traced it to a Russian-speaking group that accidentally exposed the stolen configuration files on its own server, where researcher Volodymyr "Bob" Diachenko found them.
The leaked configuration files hand attackers working VPN and firewall credentials at organizations across the globe. Affected operators should rotate every credential and force password resets immediately.
Sources: BleepingComputer · Help Net Security
Latest developments: Attackers hijacked ShapedPlugin's official WordPress update system to push infected plugin releases to paying customers, while Microsoft detailed a poisoned Mastra npm package whose postinstall payload reached more than 140 projects.
Both attacks subvert trusted distribution—WordPress plugin updates and the npm registry—to plant malware in downstream projects. Teams should audit recent ShapedPlugin and Mastra installs and pin dependency versions.
Sources: BleepingComputer · Microsoft Security Blog
Latest developments: Klue's Battlecards became the third integrated application abused to steal Salesforce CRM data, and the victim roster now includes security vendor Huntress.
The Icarus threat actors run an extortion campaign that pivots through compromised Salesforce-connected apps to siphon CRM data. Companies using Battlecards should revoke OAuth tokens and review Salesforce access logs.
Sources: Dark Reading · BleepingComputer
Latest developments: Researchers from multiple firms linked the four-year-old Popa Android botnet—millions of consumer TV boxes relaying traffic for ad fraud, account takeovers, and mass scraping—to NetNut, the residential-proxy arm of NASDAQ-listed Alarum Technologies.
Popa conscripts Android-based TV boxes into a residential proxy network that Alarum sells commercially, letting paying customers route abusive traffic through unwitting consumers' homes. The tie raises hard questions for a publicly traded company.
Sources: Krebs on Security
Latest developments: The Bank of England's Monetary Policy Committee left its benchmark rate at 3.75% Thursday and trimmed its inflation forecast, though it warned it may yet raise rates if reopening the Strait of Hormuz revives energy-driven price pressure.
The Bank of England kept its key rate unchanged, crediting the US-Iran deal that pushed oil lower and eased British inflation risk; the pound fell after the bank cut its inflation outlook.
Sources: FT World · WSJ World News
Latest developments: The Financial Times reported the interim accord releases $6 billion of Iranian money held in Qatar, paid out in phases to buy American goods, the first concrete figure attached to Trump's pledge to unfreeze Tehran's assets.
Under the US-Iran deal signed at the G7, Washington will free $6 billion of Iranian funds held in Qatar in stages for purchases of US goods while easing banking and transport sanctions; Trump acknowledged Tehran will keep its ballistic missiles.
Sources: FT World · FT World
This Afternoon: Mostly Sunny, high 82F.
Tonight: Mostly Cloudy, low 58F.
Juneteenth: Mostly Sunny, high 78F.
Latest developments: Eos Energy Enterprises began production Thursday at its second manufacturing facility in Marshall Township, delivering on a commitment it made when it announced its headquarters move to the Pittsburgh area.
Eos Energy Enterprises started output at a second plant in Marshall Township, north of Pittsburgh, expanding its battery-manufacturing footprint in Allegheny County.
Latest developments: The Post-Gazette reported that 610 Smithfield Street, a historic downtown Pittsburgh building, has a new owner who may convert it to housing.
A historic building at 610 Smithfield Street downtown changed hands, with the new owner weighing a residential conversion in a deal involving broker Herky Pollock and Legacy Realty.
Sources: Pittsburgh Post-Gazette
Latest developments: Washington County will collect nearly twice as much as last year from Pennsylvania's natural-gas impact fee and again leads all counties, WPXI reported.
Washington County will receive the largest county share of Pennsylvania's impact fee on natural-gas production, almost double its prior haul, a measure of heavy Marcellus Shale drilling in the state's southwestern corner.
Latest developments: With measles cases spiking, Pennsylvania lawmakers are moving to narrow the exemptions that let families skip required school vaccinations, the Post-Gazette reported.
Legislators in Harrisburg are pushing to tighten the exemptions Pennsylvania parents can claim to avoid mandatory school immunizations as measles cases rise across the state.
Sources: Pittsburgh Post-Gazette
Latest developments: Randy Cordova-Flores, the Springdale resident local police handed to ICE after a February traffic stop, returned home after four months in federal detention.
Randy Cordova-Flores, a Peru-born Springdale resident whom local police turned over to ICE following a February traffic stop, is back with his children, though he worries for those still held at the facility where he spent four months.
Sources: TribLive · PublicSource
Latest developments: The Kiski Area School District's 2026-27 budget raises property taxes 3.2% for its Westmoreland County residents and cuts them 5.5% for its Armstrong County residents.
The Kiski Area School District approved a budget lifting Westmoreland County property taxes by 3.2% while lowering Armstrong County rates by 5.5% for the coming school year.
Latest developments: The four-day Western Pennsylvania Juneteenth and Black Music Celebration opened June 18 and runs through Sunday, June 21, across Point State Park, Market Square, and Liberty Avenue.
Stop the Violence Pittsburgh presents the Western Pennsylvania Juneteenth and Black Music Celebration, billed as North America's largest Juneteenth festival, Thursday through Sunday, June 18-21, 2026, from 11 a.m. to 10 p.m. at Point State Park, Market Square, and along Liberty Avenue, marking the 161st anniversary of emancipation.
Sources: NEXTpittsburgh Events
Pirates (38-37)
Wed Jun 17 · Pirates 12 · Athletics 4 · Final
Ryan O'Hearn knocks in career-high 6 runs as Pirates roll to 12-4 victory over Athletics
Up Next · Pirates @ Rockies · Fri Jun 19, 8:40 PM
Latest developments: The Post-Gazette reported the Steelers are unlikely to bid for quarterback Brendan Sorsby in the NFL's supplemental draft, citing his gambling history.
Post-Gazette beat writers expect Pittsburgh to stay out of the supplemental draft for quarterback Brendan Sorsby, weighing his gambling baggage against an already crowded quarterback room under coach Mike McCarthy.
Sources: Post-Gazette Steelers
Latest developments: On the June 17 SNR Drive, Matt Williamson and Wes Uhler assembled an all-time roster of Steelers who never reached the Hall of Fame and broke down running back Jaylen Warren's game.
The Steelers' SNR Drive podcast, hosted by Matt Williamson and Wes Uhler, picked an all-time offense and defense of non-Hall-of-Fame Steelers and analyzed back Jaylen Warren.
Sources: Pittsburgh Steelers (YouTube)
Latest developments: The Post-Gazette detailed how a 4.32-second 40-yard dash at the combine reshaped the NFL trajectory of Steelers rookie safety Robert Spears-Jennings.
A Post-Gazette feature traced how Steelers rookie safety Robert Spears-Jennings turned a 4.32-second 40-yard dash into a higher draft selection.
Sources: Post-Gazette Steelers
S&P 500: 7,462.30 ▲ +0.8%
Dow: 51,442.85 ▲ +1.3%
Nasdaq: 26,156.09 ▲ +1.1%
WTI crude: 81.24 ▼ -10.4%
EUR/USD: 1.1584 ▲ +0.2%
GBP/USD: 1.3414 ▲ +0.3%
USD/JPY: 160.25 ▲ +0.1%