================================================================
INFOSECFOLLOW -- security, markets, business, pittsburgh
Friday, June 26, 2026 - 9:06 AM EDT
================================================================

JFrog's public DirtyClone exploit hands local Linux users root the same week the Linux Foundation launches Akrites, as AI keeps shrinking the window between vulnerability disclosure and attack.

CONTENTS: Emerging Trends and Key Updates | Security | Business and Politics | Pittsburgh | Sports | Reading | Markets

EMERGING TRENDS AND KEY UPDATES
----------------------------------------------------------------

* [TREND] Software supply-chain attackers extend the Miasma lineage into the LeoPlatform and RStreams npm packages, GitHub Actions, and the Go ecosystem.
  see: Miasma Spreads to npm, GitHub Actions, and Go

* [TREND] AI keeps shrinking the gap between disclosure and exploit, the premise behind the Linux Foundation's Akrites patching initiative and JFrog's same-week DirtyClone kernel root exploit.
  see: Linux Foundation Launches Akrites; DirtyClone Linux Kernel Root Exploit

* [TREND] Enterprises rushing autonomous AI agents face an identity-governance gap, prompting Proof's x401 verification protocol and a Model Context Protocol overhaul that pushes security onto developers.
  see: AI Agents Strain Identity Governance

* [UPDATE (new)] Synology shipped critical MailPlus Server fixes led by CVE-2026-13136, an authorization flaw letting remote attackers read or write arbitrary files.
  see: Synology Patches Critical MailPlus Server Flaws

* [UPDATE (new)] The FCC voted to tighten undersea cable protections and signaled mandatory licensing for submarine line terminal equipment owners.
  see: FCC Tightens Undersea Cable Rules

* [UPDATE (new)] Allegheny County committed up to $18 million to rebuild the Tree of Life site in Squirrel Hill as a remembrance and education center.
  see: County Commits $18M to Tree of Life Rebuild

SECURITY
----------------------------------------------------------------

1. AI AGENTS STRAIN IDENTITY GOVERNANCE
   AI Security · [ai, identity, governance]

   Latest developments: Proof launched x401, an issuer-neutral protocol that lets a website or API verify the identity and authorization behind an AI agent, the same day a major Model Context Protocol overhaul shifted critical security responsibilities onto developers and platform operators.

   Autonomous AI agents inherit human permissions and act at machine speed with minimal oversight, widening a governance gap that legacy identity infrastructure never anticipated; controls like x401 and guardian-agent layers aim to authenticate and constrain them.

   - Help Net Security: https://www.helpnetsecurity.com/2026/06/26/proofs-x401-establishes-an-open-protocol-for-ai-agent-identity-and-authorization/
   - The Hacker News: https://thehackernews.com/2026/06/guardian-agents-next-layer-of-identity.html
   - SecurityWeek: https://www.securityweek.com/new-enterprise-ready-mcp-specification-brings-new-security-challenges/

2. LINUX FOUNDATION LAUNCHES AKRITES
   Software Supply Chain Security · [open-source, disclosure, policy]

   Latest developments: The Linux Foundation unveiled Akrites, an industry initiative uniting technology companies, financial institutions, security vendors, and AI firms to coordinate remediation and disclosure of vulnerabilities in widely used open-source software.

   Akrites responds to AI shrinking the time between flaw discovery and exploitation by giving critical open-source projects shared tools and channels to report, patch, and disclose vulnerabilities.

   - Help Net Security: https://www.helpnetsecurity.com/2026/06/26/akrites-open-source-security-framework/
   - SecurityWeek: https://www.securityweek.com/linux-foundation-unveils-new-open-source-security-project-akrites/

3. DIRTYCLONE LINUX KERNEL ROOT EXPLOIT
   Vulnerabilities and Exploits · [privilege-escalation, linux, exploit]

   Latest developments: JFrog Security Research published a working exploit walkthrough for DirtyClone on June 25, the first public demonstration of this DirtyFrag-family variant.

   DirtyClone, tracked as CVE-2026-43503 with a CVSS score of 8.8, lets a local user corrupt file-backed memory through a cloned network packet and escalate to root on Linux systems; administrators should apply the upstream kernel patch.

   - The Hacker News: https://thehackernews.com/2026/06/new-dirtyclone-linux-kernel-flaw-lets.html

4. SYNOLOGY PATCHES CRITICAL MAILPLUS SERVER FLAWS
   Vulnerabilities and Exploits · [patch, vulnerability]

   Latest developments: Synology issued a critical fix for three MailPlus Server flaws, led by CVE-2026-13136, a faulty authorization check that lets remote attackers read or write arbitrary files and trigger denial-of-service, alongside CVE-2026-13135.

   MailPlus Server runs private email infrastructure on Synology NAS devices; owners should install the security update promptly to block remote file access and DoS conditions.

   - Help Net Security: https://www.helpnetsecurity.com/2026/06/26/synology-mailplus-server-vulnerabilities/

5. MIASMA SPREADS TO NPM, GITHUB ACTIONS, AND GO
   Software Supply Chain Security · [supply-chain, npm, malware]

   Latest developments: The latest wave delivers malicious npm releases in the LeoPlatform and RStreams packages, abuses GitHub Actions workflows, and propagates into the Go ecosystem.

   Miasma belongs to the self-replicating Mini Shai-Hulud and Hades malware family that hijacks developer packages to steal secrets and spread; teams pinning npm and Go dependencies and auditing GitHub Actions workflows can limit exposure.

   - The Hacker News: https://thehackernews.com/2026/06/miasma-malware-targets-npm-packages-and.html

6. FCC TIGHTENS UNDERSEA CABLE RULES
   Policy and Regulation · [policy, infrastructure]

   Latest developments: The FCC voted to toughen rules protecting undersea cables and said it plans to mandate licensing for owners and operators of submarine line terminal equipment.

   Submarine cables carry most international internet traffic and face espionage and sabotage risk; the FCC's licensing mandate would extend federal oversight to the SLTE gear that lands those cables.

   - The Record: https://therecord.media/fcc-votes-to-toughen-rules-undersea-cables

BUSINESS AND POLITICS
----------------------------------------------------------------

* Venezuela Races to Restructure Debt After Quakes

  Latest developments: Two powerful earthquakes struck northern Venezuela this week, and the U.S.-backed government is now pressing bondholders for a fast debt restructuring even as some creditors urge it to slow down.

  Back-to-back earthquakes near Caracas pushed Venezuela into a national state of emergency, straining an economy already in sovereign default, and the government now wants a quick deal with bondholders while some warn against rushing a restructuring of the country's tens of billions in defaulted debt.

  - FT Markets: https://www.ft.com/content/85178ab9-978a-4e4e-b494-c4936f2445e3
  - WSJ World News: https://www.wsj.com/world/americas/venezuela-earthquakes-caracas-aftershocks-8e8bf961

PITTSBURGH
----------------------------------------------------------------

Weather: Today: Mostly Cloudy, high 81F. Tonight: Showers And Thunderstorms, low 64F. Saturday: Showers And Thunderstorms Likely then Slight Chance Showers And Thunderstorms, high 80F.

Business:

* Ex-Worker Charged in Ventec Refrigeration Theft

  Latest developments: The Allegheny County District Attorney announced June 26 charges against a former Ventec Refrigeration employee accused of stealing nearly $300,000 from the Penn Hills company.

  Ashley Apperson, 34, of Leechburg, who worked roughly four years at Ventec Refrigeration in Penn Hills, faces multiple charges after county detectives say she took close to $300,000 from the firm.

  - KDKA: https://www.cbsnews.com/pittsburgh/news/woman-accused-theft-30000-dollars-penn-hills-refrigeration-company/

* Eco-Soap Bank's Global Reach From Pittsburgh

  Latest developments: Pittsburgh City Paper profiled June 26 how the Pittsburgh-based Eco-Soap Bank turns manufacturing soap waste into bars for people who lack them worldwide.

  The Eco-Soap Bank, a Pittsburgh nonprofit, collects scrap and surplus soap from manufacturers, reprocesses it, and distributes bars to communities in need across the globe.

  - Pittsburgh City Paper: https://www.pghcitypaper.com/news-2/health/from-pittsburgh-the-eco-soap-bank-has-used-scrap-soap-to-make-a-global-splash/

Around town:

* County Commits $18M to Tree of Life Rebuild

  Latest developments: Allegheny County authorized up to $18 million on June 26 toward redeveloping the Tree of Life site in Squirrel Hill into a remembrance and education center.

  Allegheny County approved as much as $18 million to help rebuild the Tree of Life site in Squirrel Hill into a place of remembrance, education, and community programming, the largest public commitment yet to the long-planned project.

  - WPXI: https://www.wpxi.com/news/local/allegheny-county-authorizes-up-18m-tree-life-redevelopment/G7TAIXKSUVDK7BB7X3TR3J5Q4E/

* Pennsylvania's Missing Fertility-Coverage Mandate

  Latest developments: PublicSource reported June 26 that Pennsylvania, unlike half of U.S. states, requires no insurance coverage for fertility treatment even as the Pittsburgh region courts more young families.

  Pennsylvania mandates no insurance coverage for fertility treatments such as IVF, while 25 states require some, a gap PublicSource links to the state's stagnant population and Pittsburgh's effort to attract families.

  - PublicSource: https://www.publicsource.org/pennsylvania-insurance-fertility-treatment/

* Commercial Street Closed a Second Day for Bridge Test

  Latest developments: PennDOT closed Commercial Street again on June 26 for a second straight day of testing the equipment that will slide the new span into place, without explaining why the extra day was needed.

  PennDOT crews shut Commercial Street near Frick Park for a second consecutive day to test the system that will move a roughly 22-million-pound replacement bridge span into position next month.

  - WTAE: https://www.wtae.com/article/commercial-street-closed-for-second-day-as-penndot-crews-do-more-testing/71740865

SPORTS
----------------------------------------------------------------

Pirates (41-40)
  Thu Jun 25 · Mariners 1 · Pirates 5 · Final
  Brandon Lowe, Henry Davis each homer to lead Pirates over Mariners 5-1
  https://plaintextsports.com/mlb/2026-06-25/sea-pit
  Up Next · Reds @ Pirates · Fri Jun 26, 6:40 PM
  https://plaintextsports.com/mlb/2026-06-26/cin-pit

Around the Teams:

* Pirates Celebrate Don Kelly's 100th Win

  Latest developments: The Post-Gazette chronicled June 26 the Pirates marking manager Don Kelly's 100th career victory, with players and staff praising his leadership.

  Pirates players and front office celebrated manager Don Kelly reaching 100 career wins, a milestone the Post-Gazette framed around clubhouse respect and hopes for a postseason push.

  - Post-Gazette Pirates: https://www.post-gazette.com/sports/pirates/2026/06/26/kelly-100-wins-manager-mlb-postseason/stories/202606250057

* Pirates Open Legacy Hall at PNC Park

  Latest developments: The Post-Gazette detailed June 25 the Pirates' new Legacy Hall at PNC Park, a history space the team says will let fans 'see a lot of history.'

  The Pirates are opening Legacy Hall at PNC Park, an exhibit space showcasing franchise and Pittsburgh baseball history for fans young and old.

  - Post-Gazette Pirates: https://www.post-gazette.com/sports/pirates/2026/06/25/legacy-hall-pnc-park-pittsburgh-baseball-history/stories/202606240069

* Dulac Fields Steelers Offseason Questions

  Latest developments: In his June 24 chat, Post-Gazette beat writer Gerry Dulac took reader questions on cornerback Joey Porter Jr., the quarterback room, and the roster heading toward training camp.

  Post-Gazette Steelers beat writer Gerry Dulac answered reader questions covering Joey Porter Jr., quarterbacks Aaron Rodgers, Will Howard, and rookie Drew Allar, and Pittsburgh's roster outlook for 2026.

  - Post-Gazette Steelers: https://www.post-gazette.com/sports/steelers/2026/06/24/nfl-news-joey-porter-rodgers-mccarthy-will-howard-allar/stories/202606240035

Team USA:

* Pochettino Defends Group Win After Türkiye Loss

  Latest developments: After the United States lost 3-2 to Türkiye on June 25, coach Mauricio Pochettino turned combative with reporters, insisting his side still 'won the group,' while backup keeper Matt Turner drew blame for the late collapse.

  The United States, already through as Group D winners, fell 3-2 to Türkiye on Kaan Ayhan's final-kick goal at SoFi Stadium with a rotated lineup; Pochettino pushed back on 'weird' postgame questions, ESPN graded reserve goalkeeper Matt Turner 3/10, and the U.S. now meets Bosnia and Herzegovina in the round of 32 at Santa Clara on Wednesday, July 1.

  - ESPN Soccer: https://www.espn.com/soccer/story/_/id/49183528/pochettino-puzzled-media-questions-us-wins-group
  - ESPN Soccer: https://www.espn.com/soccer/story/_/id/49181937/usa-bosnia-herzegovina-world-cup-round-32-knockout

READING
----------------------------------------------------------------

* Stratechery -- An Interview with Figma CEO Dylan Field About Design and AI
  Field walks through how Figma built its design platform and argues that AI works as a tailwind for the company rather than a threat to it.
  https://stratechery.com/2026/an-interview-with-figma-ceo-dylan-field-about-design-and-ai/

* Ed Zitron -- Cargo Culture
  Zitron argues the AI industry increasingly mimics the surface rituals and trappings of transformative technology while lacking the economics or product substance to justify its valuations.
  https://www.wheresyoured.at/cargo-culture/

* Cal Newport -- Dear AI Companies: Stop the "Doom Trolling"
  Newport criticizes AI firms for publicizing alarming claims about their own products' dangers, likening it to Ford warning its F-150 might be uncontrollable, and casts the practice as a marketing tactic that erodes trust.
  https://calnewport.com/dear-ai-companies-stop-the-doom-trolling/

MARKETS (weekly average, change vs prior week)
----------------------------------------------------------------

S&P 500     7,410.91  ▼ -0.7%
Dow        51,742.75  ▲ +0.6%
Nasdaq     25,821.36  ▼ -1.3%
WTI crude      73.38  ▼ -9.7%
EUR/USD       1.1416  ▼ -1.4%
GBP/USD       1.3205  ▼ -1.5%
USD/JPY       161.53  ▲ +0.8%

================================================================
Generated 2026-06-26 09:06 EDT.

Sources: 24 security feeds; 9 Pittsburgh feeds; 4 Pittsburgh arts and events feeds; 6 Pittsburgh sports beat and podcast feeds; 4 Team USA feeds; the Wall Street Journal, the Economist, and the Financial Times; and Ed Zitron, Stratechery, Cal Newport. Markets from Yahoo Finance, weather from the NWS, scores from ESPN.

Summaries are AI-generated from the linked reporting; verify at the sources.
================================================================