================================================================
INFOSECFOLLOW -- security, markets, business, pittsburgh
Monday, June 22, 2026 - 9:05 PM EDT
================================================================

Freshly disclosed flaws in the AI agent platforms Dify and AutoGen Studio, alongside OpenAI's new cyber model, push the security of artificial intelligence to the center of the day.

CONTENTS: Emerging Trends and Key Updates | Security | Business and Politics | Pittsburgh | Sports | Reading | Markets

EMERGING TRENDS AND KEY UPDATES
----------------------------------------------------------------

* [TREND] Fresh flaws in agentic AI platforms—DifyTap leaking tenants' chats on Dify and AutoJack hijacking Microsoft's AutoGen Studio—show AI-agent shipping outrunning the teams securing them.
see: DifyTap and AutoJack Expose AI Agent Platforms

* [TREND] OpenAI's GPT-5.5-Cyber and Patch the Planet sharpen the fight with Anthropic's Mythos over whether hacking-capable models aid defenders, as Zitron renews his AI-bubble case.
see: OpenAI's Patch the Planet Challenges Anthropic Mythos; Premium: The Silicon Valley Bubble (Part 2)

* [TREND] Credential theft and malware keep industrializing as FortiBleed sniffers bank 86,000 FortiGate logins, WhatsApp VBScript lures install RMM agents, and backdoored ShapedPlugin releases ship through official channels.
see: FortiBleed Sniffers Harvest FortiGate Credentials; WhatsApp VBScript Campaign Drops RMM Agent; ShapedPlugin WordPress Releases Backdoored

* [UPDATE (new)] FFmpeg patched PixelSmash, a decoder flaw enabling remote code execution on Jellyfin and crashing Kodi, Emby, Nextcloud, and OBS Studio.
see: FFmpeg PixelSmash Threatens Media Servers

* [UPDATE (updated)] Washington temporarily lifted oil sanctions letting Iran sell crude in dollars, while Andy Burnham looks poised to succeed Starmer in Downing Street.
see: U.S. Lets Iran Sell Oil in Dollars; Burnham Poised to Succeed Starmer

* [UPDATE (new)] Around Pittsburgh, the city seeks developers for vacant Larimer lots, PRT relocated Waterfront bus stops, and PennDOT closes Commercial Street for a bridge-span test.
see: Pittsburgh Seeks Larimer Developers; PRT Relocates Waterfront Bus Stops; Commercial Street Closes for Bridge Test

SECURITY
----------------------------------------------------------------

1. DIFYTAP AND AUTOJACK EXPOSE AI AGENT PLATFORMS
AI Security · [ai, vulnerability]
Latest developments: Zafran Security disclosed DifyTap, four vulnerabilities that let unauthenticated attackers read other tenants' AI conversations on the 146,000-star Dify platform, and Microsoft fixed AutoJack, a chain that turns a malicious webpage into arbitrary command execution inside its AutoGen Studio agent-prototyping interface. Dify and AutoGen Studio are open-source platforms for building and prototyping AI agents used across many organizations. Operators should apply the vendor patches immediately and audit for cross-tenant access.
- The Hacker News: https://thehackernews.com/2026/06/researchers-detail-difytap-flaws-in.html
- BleepingComputer: https://www.bleepingcomputer.com/news/security/microsoft-fixes-autogen-studio-flaw-that-enabled-code-execution/

2. OPENAI'S PATCH THE PLANET CHALLENGES ANTHROPIC MYTHOS
AI Security · [ai, policy]
Latest developments: OpenAI unveiled an improved GPT-5.5-Cyber and a Patch the Planet initiative to fix open-source software bugs, directly challenging Anthropic's Mythos, while Aisle Chief Operating Officer and Chief Information Security Officer Jaya Baloo argued that gating cyber-capable models widens the gap for defenders who depend on the same tools. The dueling launches extend a running debate over whether hacking-capable AI models aid attackers or defenders more. Security teams weigh the identical capabilities for both offense and defense.
- Wired Security: https://www.wired.com/story/openai-launches-full-scale-effort-to-patch-open-source-bugs-as-it-takes-on-anthropics-mythos/
- Help Net Security: https://www.helpnetsecurity.com/2026/06/22/jaya-baloo-aisle-gating-cyber-capable-ai-models/

3. FORTIBLEED SNIFFERS HARVEST FORTIGATE CREDENTIALS
Vulnerabilities and Exploits · [credential-theft, vulnerability]
Latest developments: SOCRadar revealed that the campaign installs custom sniffers on compromised FortiGate firewalls to siphon authentication secrets, and Fortinet acknowledged the operation, confirming attackers built a database of more than 86,000 working credentials. FortiBleed targets internet-facing Fortinet FortiGate firewalls and VPN gateways worldwide. Administrators should rotate credentials, hunt for unauthorized sniffers, and harden exposed devices.
- BleepingComputer: https://www.bleepingcomputer.com/news/security/fortibleed-campaign-used-custom-fortigate-sniffer-to-steal-credentials/
- SecurityWeek: https://www.securityweek.com/fortinet-responds-to-fortibleed-campaign/

4. WHATSAPP VBSCRIPT CAMPAIGN DROPS RMM AGENT
Ransomware and Cybercrime · [malware, phishing]
Latest developments: Kaspersky's Securelist and BleepingComputer detailed a global campaign that pushes VBScript files through WhatsApp messages carrying fake business documents, running a multi-stage chain that installs a UEMS remote monitoring and management agent and hands attackers full system access. The campaign hits WhatsApp users across multiple countries with deceptive document lures. Recipients should distrust unsolicited attachments and block script execution.
- BleepingComputer: https://www.bleepingcomputer.com/news/security/whatsapp-phishing-attack-uses-fake-business-docs-to-hack-pcs/
- Securelist (Kaspersky): https://securelist.com/whatsapp-vbs-rmm-campaign/120290/

5. SHAPEDPLUGIN WORDPRESS RELEASES BACKDOORED
Vulnerabilities and Exploits · [supply-chain, wordpress, backdoor]
Latest developments: Wordfence found that attackers compromised ShapedPlugin's build and distribution pipeline, injecting backdoor code into Pro plugin releases shipped through the vendor's official licensed WordPress update channels. ShapedPlugin sells premium WordPress plugins whose paying customers received tampered updates. Site owners running its Pro products should audit installations and restore clean releases.
- The Hacker News: https://thehackernews.com/2026/06/shapedplugin-wordpress-pro-plugins.html

6. FFMPEG PIXELSMASH THREATENS MEDIA SERVERS
Vulnerabilities and Exploits · [vulnerability, patch]
Latest developments: FFmpeg patched PixelSmash, a video-decoder flaw that enables remote code execution on Jellyfin media servers under certain conditions and triggers denial-of-service crashes in Kodi, Emby, Nextcloud, PhotoPrism, and OBS Studio. FFmpeg underpins video decoding in countless applications. Operators of the affected media software should update to the patched build at once.
- BleepingComputer: https://www.bleepingcomputer.com/news/security/ffmpeg-fixes-pixelsmash-flaw-in-widely-used-video-decoder/

BUSINESS AND POLITICS
----------------------------------------------------------------

* Burnham Poised to Succeed Starmer
Latest developments: Andy Burnham, the outgoing Greater Manchester mayor, now has a clear path into Downing Street within weeks, and former health secretary Wes Streeting emerged as the frontrunner for chancellor. Keir Starmer resigned as UK prime minister and Labour leader Monday after Manchester mayor Andy Burnham signaled he would challenge him; Burnham gears up for civil-service talks as Britain's long two-party order frays.
- FT World: https://www.ft.com/content/71001d5b-4567-4ac3-b4ec-355fa89efaf6
- FT World: https://www.ft.com/content/f5cc1126-9de5-4597-b043-c74bed7573cb

* U.S. Lets Iran Sell Oil in Dollars
Latest developments: Washington temporarily dismantled its oil sanctions on Tehran, clearing Iran to sell crude in dollars for the first time in decades and repatriate the profits, and oil prices fell. Under the interim accord worked out in Switzerland, the United States let Iran export oil settled in dollars and waived related banking sanctions; crude futures dropped and Treasury yields rose as ships resumed crossing the Strait of Hormuz.
- WSJ World News: https://www.wsj.com/world/middle-east/vance-says-iran-agreed-to-allow-nuclear-inspectors-back-in-209db17c
- WSJ Markets: https://www.wsj.com/finance/stocks/oil-prices-drop-after-iran-cleared-to-sell-crude-in-dollars-48285693?mod=rss_markets_main

PITTSBURGH
----------------------------------------------------------------

Weather: Tonight: Isolated Rain Showers, low 59F. Tuesday: Mostly Sunny, high 79F. Tuesday Night: Mostly Clear, low 54F.

Business:

* Ex-Primanti Bros. Chief Buys Smoothie King Stores
Latest developments: The former chief executive of Pittsburgh's Primanti Bros. acquired two Smoothie King locations in western Pennsylvania as his next venture. The onetime head of the Primanti Bros. sandwich chain bought a pair of Smoothie King franchises in western Pennsylvania, moving from a Pittsburgh staple into the smoothie business.
- WTAE: https://www.wtae.com/article/former-primanti-bros-ceo-western-pa-smoothie-king/71668064

* Hempfield's Menards Plan Lapses
Latest developments: Hempfield supervisors acknowledged that the 2020 site plan for a proposed Menards home-improvement store expired, and the township now wants to reallocate state grant money set aside for nearby traffic work. Hempfield Township in Westmoreland County conceded the Menards big-box project tied to its road-improvement grant has stalled, so officials will redirect the state funding to other traffic upgrades.
- TribLive: https://triblive.com/local/westmoreland/hempfield-eyes-grant-reallocation-after-acknowledging-menards-site-plan-expired/

* Sharon Regional Owes Wage Taxes
Latest developments: A lawsuit alleges Sharon Regional owes millions of dollars in wage taxes it withheld from employee paychecks. Sharon Regional, the Mercer County hospital system, faces a suit claiming it failed to remit millions in local wage taxes it deducted from workers' pay.
- Pittsburgh Post-Gazette: https://www.post-gazette.com/news/crime-courts/2026/06/22/sharon-regional-wage-tax-lawsuit/stories/202606220046

Around town:

* Commercial Street Closes for Bridge Test
Latest developments: PennDOT will close Commercial Street on Thursday, June 26, to test the system that will move the new span into place near Frick Park. As part of the Commercial Street Bridge replacement beneath the Parkway East, crews will shut Commercial Street Thursday to trial the bridge-moving rig before the actual slide-in.
- Pittsburgh Post-Gazette: https://www.post-gazette.com/news/2026/06/22/commercial-street-bridge-test-move-temporary-closure-frick-park/stories/202606220045

* PRT Relocates Waterfront Bus Stops
Latest developments: Pittsburgh Regional Transit moved and repurposed two of its bus stops at the Waterfront shopping mall in Homestead, ending a dispute with the mall's owners over safety. PRT reworked two Waterfront bus stops in Homestead, closing out a standoff with the shopping center's ownership about rider and pedestrian safety at the stops.
- TribLive: https://triblive.com/local/prt-overhauls-waterfront-bus-stops-following-malls-safety-concerns/

* Pittsburgh Seeks Larimer Developers
Latest developments: The City of Pittsburgh and the Urban Redevelopment Authority are soliciting developers to build housing on dozens of vacant Larimer properties. Pittsburgh and the URA opened a coordinated search for developers to redevelop dozens of empty lots across the Larimer neighborhood into new housing.
- WPXI: https://www.wpxi.com/news/local/pittsburgh-officials-seeking-developers-revitalize-vacant-properties-larimer/EDABT3QZUBHKZIV6GHXA6QBMHE/

SPORTS
----------------------------------------------------------------

Pirates (39-39)
Sun Jun 21 · Pirates 8 · Rockies 6 · Final
Gonzalez and Reynolds homer as the Pirates hold off the Rockies 8-6
https://plaintextsports.com/mlb/2026-06-21/pit-col
Up Next · Mariners @ Pirates · Tue Jun 23, 6:40 PM
https://plaintextsports.com/mlb/2026-06-23/sea-pit

Around the Teams:

* Pirates Return Home Facing Three Questions
Latest developments: A Post-Gazette analysis framed the Pirates' return to PNC Park around O'Neil Cruz's form, prospect Konnor Griffin's timeline, and Jared Jones's elbow. Back from a mediocre road trip, the Pirates confront three issues per the Post-Gazette: O'Neil Cruz's production, when top prospect Konnor Griffin arrives, and the health of starter Jared Jones, who took a line drive off his surgically repaired pitching elbow Sunday.
- Post-Gazette Pirates: https://www.post-gazette.com/sports/pirates/2026/06/22/mlb-trade-news-oneil-cruz-konnor-griffin-jared-jones/stories/202606220019

* SNR Drive on Aaron Rodgers' 2026 Outlook
Latest developments: On the June 22 SNR Drive, Matt Williamson and Wes Uhler discussed how quarterback Aaron Rodgers could build on his 2025 season with the Steelers. The Steelers' SNR Drive show, hosted by Matt Williamson and Wes Uhler, broke down where Aaron Rodgers could improve in 2026 after his 2025 campaign leading the Pittsburgh offense.
- Pittsburgh Steelers (YouTube): https://www.youtube.com/shorts/lInetmJyojY

Team USA:

* Pulisic Back in USMNT Training
Latest developments: Christian Pulisic returned to full U.S. training Monday, June 22, his first session since June 11, recovered from the left calf injury that kept him out against Australia. Captain Christian Pulisic rejoined U.S. men's national team practice in Irvine, California, healed from the calf strain that sidelined him for the group win over Australia; the United States has clinched a knockout spot and closes Group D against Türkiye.
- ESPN Soccer: https://www.espn.com/soccer/story/_/id/49145667/usmnt-riding-good-vibes-christian-pulisic-back-training

* Huff, James Lead USA Hoops Qualifying Roster
Latest developments: USA Basketball named a 12-man World Cup qualifying team led by Pacers center Jay Huff and overseas veteran Mike James for games in early July. USA Basketball announced its World Cup qualifying roster Tuesday, with Jay Huff, who appeared in all 82 games for the Indiana Pacers this past season, and longtime international standout Mike James among the dozen players bound for July fixtures.
- ESPN Olympics: https://www.espn.com/olympics/basketball/story/_/id/49146603/huff-james-headline-usa-hoops-roster-world-cup-qualifiers

* Zendejas Awaits His World Cup Debut
Latest developments: Alex Zendejas, the dual-national winger and surprise pick on Mauricio Pochettino's roster, has yet to play and could debut in the dead-rubber Group D finale against Türkiye. Club América's Alex Zendejas, 28, who chose the United States over his birthplace of Mexico, watched the group-clinching wins over Paraguay and Australia from the bench; the U.S. men's final group match against Türkiye could give him his first World Cup minutes.
- Guardian World Cup 2026: https://www.theguardian.com/football/2026/jun/22/usmnt-alex-zendejas-world-cup

READING
----------------------------------------------------------------

* Cal Newport -- Dear AI Companies: Stop the "Doom Trolling"
Newport argues that AI companies erode trust when they publish alarmist warnings about the dangers of their own products, a marketing reflex he compares to a carmaker fretting publicly over its bestselling truck.
https://calnewport.com/dear-ai-companies-stop-the-doom-trolling/

* Stratechery -- Apple Price Increases, Apple Intelligence and the E.U.
Ben Thompson examines Apple's move to finally raise prices while declining to ship its Apple Intelligence Siri features in the European Union, tying both to the bloc's regulatory pressure.
https://stratechery.com/2026/apple-price-increases-apple-intelligence-and-the-e-u/

* Ed Zitron -- Premium: The Silicon Valley Bubble (Part 2)
Zitron extends his argument that the AI boom is a bubble, building on his reporting that OpenAI spent $34 billion to generate roughly $13 billion in revenue.
https://www.wheresyoured.at/premium-the-silicon-valley-bubble-part-2/

MARKETS (weekly average, change vs prior week)
----------------------------------------------------------------
S&P 500      7,491.82   ▲ +1.6%
Dow         51,688.13   ▲ +1.9%
Nasdaq      26,353.29   ▲ +2.6%
WTI crude       79.01   ▼ -11.8%
EUR/USD        1.1527   ▼ -0.3%
GBP/USD        1.3311   ▼ -0.6%
USD/JPY        160.79   ▲ +0.3%

================================================================
Generated 2026-06-22 21:05 EDT.
Sources: 24 security feeds; 9 Pittsburgh feeds; 4 Pittsburgh arts and events feeds; 6 Pittsburgh sports beat and podcast feeds; 4 Team USA feeds; the Wall Street Journal, the Economist, and the Financial Times; and Ed Zitron, Stratechery, Cal Newport. Markets from Yahoo Finance, weather from the NWS, scores from ESPN.
Summaries are AI-generated from the linked reporting; verify at the sources.
================================================================