Daily plain-text briefing: security, markets, business, and Pittsburgh
Russian-speaking attackers have compromised credentials on 86,644 internet-facing Fortinet firewalls and VPNs as CISA urges every FortiGate operator to lock down.
Latest developments: CISA urged every FortiGate operator to secure devices after the FortiBleed campaign, pinned on Russian-speaking actors, compromised credentials on 86,644 internet-facing Fortinet firewalls and VPN gateways, roughly half the appliances reachable online.
FortiBleed is a large-scale credential-theft campaign exposing login data for tens of thousands of Fortinet FortiGate firewalls and VPN gateways across government and private organizations. Operators should rotate all credentials, pull management interfaces off the internet, and hunt their devices for unauthorized access.
Sources: The Hacker News · SecurityWeek · BleepingComputer
Latest developments: Microsoft researchers disclosed AutoJack, an exploit chain in which a single malicious web page steers an AI browsing agent into reaching a privileged localhost service, AutoGen Studio's MCP WebSocket, and spawning a process on the host with no credentials and no further user interaction.
AutoJack abuses an AI browsing agent's trust in localhost, missing authentication, and unsafe parameter handling to turn ordinary web content into host remote code execution. Teams running agentic AI should isolate local services and require authentication on MCP endpoints.
Sources: The Hacker News · Microsoft Security Blog
Latest developments: Cisco announced it will acquire WideField Security to extend Splunk's agentic SOC into identity, credentials, sessions, and blast radius, the same week Help Net Security pegged Accenture's purchase of a majority stake in Dragos plus all of runZero and NetRise at $4.2 billion.
Two large vendors are consolidating defensive tooling: Accenture is assembling end-to-end operational-technology security across Dragos, runZero, and NetRise, and Cisco is buying WideField to broaden Splunk threat investigation. The deals concentrate OT and SOC capability under fewer providers.
Sources: Help Net Security · SecurityWeek
Latest developments: Threat actors began exploiting CVE-2026-4020, a CVSS 5.3 unauthenticated information-disclosure flaw in the Gravity SMTP WordPress plugin installed on about 100,000 sites, to pull configuration data including API keys, secrets, and OAuth tokens.
Gravity SMTP, a WordPress mail-delivery plugin, leaks sensitive configuration to unauthenticated attackers, handing them keys and tokens for connected services. Site owners should install the patched release at once and rotate every exposed secret.
Sources: BleepingComputer
Latest developments: The Federal Trade Commission reported that imposter scams, in which fraudsters pose as a victim's bank, a government agency, or a local planning office, drained $3.5 billion from Americans in 2025, and the losses keep climbing.
Imposter scams impersonate trusted institutions to trick people into sending money or credentials, and they now rank among the costliest consumer frauds in the United States. Consumers should verify any urgent payment or account request through an independently known phone number.
Sources: Graham Cluley
Latest developments: Dark Reading traced the Novo Nordisk breach to a single leaked GitHub token, framing the failure as an identity problem at heart and exposing how software-development pipelines widen the attack surface.
A leaked GitHub token gave attackers a path into Novo Nordisk's development environment, showing that machine credentials and secrets are themselves identities. Organizations should scope, rotate, and monitor secrets the way they govern human accounts.
Sources: Dark Reading
Latest developments: Iran declared the Strait of Hormuz closed again Saturday over Israel's strikes in Lebanon, after ships had begun transiting under the interim accord; Israel and Hezbollah then agreed to a renewed ceasefire, the postponed U.S.-Iran talks were set back on for Sunday in Switzerland, and Trump warned he could levy U.S. tolls on Strait traffic absent a final deal within 60 days.
Iran's joint military command said it shut the Strait of Hormuz, the chokepoint for roughly a fifth of the world's seaborne oil, citing Israeli attacks in Lebanon, undercutting the interim deal Washington and Tehran signed days earlier; negotiators still head to Switzerland for talks meant to reach a final agreement within 60 days.
Sources: WSJ · WSJ · WSJ
This Afternoon: Chance Showers And Thunderstorms, high 80F.
Tonight: Chance Showers And Thunderstorms then Mostly Clear, low 58F.
Sunday: Mostly Sunny, high 81F.
Latest developments: Penn State president Neeli Bendapudi, Temple president John Fry, and Pitt chancellor Joan Gabel jointly urged the legislature to fund Pennsylvania's new performance-based higher-education model before the June 30 budget deadline.
Pennsylvania's three state-related universities—Penn State, Temple, and the University of Pittsburgh—want lawmakers to bankroll a new performance-based funding formula this year, arguing the commonwealth's workforce, economy, and long-term competitiveness hinge on it as the June 30, 2026, budget deadline nears.
Latest developments: The University of Pittsburgh and West Virginia University will meet in a Backyard Basketball Classic, with ticket information and game times due later this summer.
Pitt and West Virginia will revive their Backyard Brawl rivalry on the hardwood in a Backyard Basketball Classic; organizers plan to announce dates, tip times, and ticket details later this summer.
Latest developments: Sign-ups opened for the Dillcathalon Games, the pickle-themed competition returning to Pittsburgh's downtown Picklesburgh festival.
The Dillcathalon Games, a slate of fan-favorite pickle-themed contests, will return to Picklesburgh, the downtown Pittsburgh food festival, and organizers are now taking competitor sign-ups.
Pirates (38-38)
Fri Jun 19 · Pirates 3 · Rockies 4 · Final
Fulford's pinch 2-run double in 8th lifts Rockies past Pirates 4-3, Freeland reaches 1,000 Ks
Up Next · Pirates @ Rockies · Sat Jun 20, 9:10 PM
Latest developments: A Post-Gazette mailbag laid out the Pirates' catching plan following the Joey Bart trade, pointing to Henry Davis behind the plate and weighing whether designated hitter Marcell Ozuna returns.
After dealing catcher Joey Bart to the Atlanta Braves for reliever Hunter Stratton, the Pittsburgh Pirates lean on Henry Davis at catcher, the Post-Gazette reported, as readers asked whether Marcell Ozuna stays with the club.
Sources: Post-Gazette
Latest developments: A Post-Gazette feature detailed how Steelers rookie safety Robert Spears-Jennings reshaped his draft stock with a 4.32-second 40-yard dash at the scouting combine.
Pittsburgh Steelers rookie safety Robert Spears-Jennings vaulted up draft boards after running the 40-yard dash in 4.32 seconds at the NFL combine, the Post-Gazette reported in a look at how the time changed his trajectory.
Sources: Post-Gazette
Latest developments: Right back Alex Freeman scored in the United States' 2-0 win over Australia in Seattle, a goal sharpened by family symmetry: his father, former Green Bay Packers receiver Antonio Freeman, once starred at the same venue.
Defender Alex Freeman scored as the United States men's national team beat Australia 2-0 in Seattle on Friday, June 19, securing the top spot in World Cup Group D and a place in the round of 32; his father, Antonio Freeman, played receiver for the Packers at that stadium.
S&P 500 · 7,483.56 · ▲ +1.6%
Dow · 51,586.04 · ▲ +1.8%
Nasdaq · 26,297.74 · ▲ +2.5%
WTI crude · 77.35 · ▼ -12.5%
EUR/USD · 1.1528 · ▼ -0.2%
GBP/USD · 1.3359 · = -0.0%
USD/JPY · 160.50 · ▲ +0.1%