Daily plain-text briefing: security, markets, business, and Pittsburgh
A flaw in Amazon's Q Developer assistant let malicious repositories steal cloud credentials through Model Context Protocol configs, sharpening the day's theme that AI coding tools and agents now anchor the software supply chain's attack surface.
Latest developments: Google Threat Intelligence Group detailed STOCKSTAY, a previously undocumented .NET Windows backdoor that the Russian group Turla continually develops and has aimed at Ukrainian government and military organizations plus entities interested in Italian foreign policy, while Ukraine's SBU described a long-running Russian operation that posed as tech-support staff to phish credentials for prominent messaging accounts.
Turla is an FSB-linked Russian espionage group. STOCKSTAY gives it persistent espionage access on Windows machines across Ukrainian defense and government targets. Defenders should hunt for the new .NET implant and harden messaging-account recovery.
Sources: The Record · The Hacker News · SecurityWeek · The Record
Latest developments: Roughly two dozen companies have now notified customers of the Klue-Salesforce breach even as the attackers themselves got hacked; Polymarket said hackers stole about $3 million from some users through a compromised third-party vendor; a database of nearly a million passports surfaced online after attackers breached a cannabis-dispensary ID-verification system; and Black Kite's 2026 European Cyber Risk Report, drawn from 2,066 incidents across 31 countries, tied a first-quarter ransomware surge to third-party suppliers.
Each incident traces back to a partner or vendor rather than the victim's own perimeter, and the passport leak shows a high-value credential exposed through a low-value ancillary system. Inventory third-party access and demand breach notification from suppliers.
Sources: SecurityWeek · SecurityWeek · Schneier on Security · Help Net Security
Latest developments: AWS patched CVE-2026-12957, a high-severity bug rated CVSS 8.5 in how Amazon Q Developer handled Model Context Protocol servers, after researchers showed a malicious repository could run commands and steal a developer's cloud credentials the moment the developer opened the repo and trusted the workspace; Amazon published its own advisory.
Amazon Q Developer is Amazon's AI coding assistant. A booby-trapped repository abused the assistant's MCP server handling to execute attacker commands and exfiltrate AWS credentials. Apply the fix and review which workspaces you trust.
Sources: SecurityWeek · The Hacker News
Latest developments: CISA added CVE-2026-12569, a critical remote-code-execution flaw in PTC Windchill PDMLink and FlexPLM product-data and lifecycle-management software, to its Known Exploited Vulnerabilities catalog on June 26 after confirming active exploitation, with web-shell attacks against internet-facing servers continuing.
PTC Windchill manages product data and lifecycle workflows for manufacturers. Attackers exploit the flaw to plant web shells and run code on exposed servers. Federal agencies and manufacturers should patch immediately and hunt for web shells.
Sources: The Hacker News · SecurityWeek
Latest developments: Kaspersky uncovered StrikeShark, a global espionage campaign that uses a previously unknown dropper called SharkLoader to compromise government organizations and software-development companies across several countries, first spotted in an attack on a diplomatic organization in Indonesia, while separate researchers detailed Gaslight, macOS malware that hides prompt-injection strings and fake debugging data inside its executable to confuse AI-assisted analysis tools.
StrikeShark gives unattributed operators espionage access to governments and developer shops worldwide. Gaslight shows attackers now engineer malware specifically to mislead AI reverse-engineering tools. Treat AI analysis output as advisory and verify manually.
Sources: Help Net Security · BleepingComputer
Latest developments: A public, working exploit for CVE-2026-46331, nicknamed pedit COW, an out-of-bounds write in the Linux kernel's traffic-control act_pedit packet-editing action that corrupts shared page-cache memory, appeared within a day of the CVE's June 16 assignment and lets a local unprivileged user gain root; Red Hat rates the flaw high severity.
The flaw lets any local user on an affected Linux system poison cached binaries and escalate to root. Apply the kernel patch across servers and workstations.
Sources: The Hacker News
Latest developments: The Nasdaq Composite fell for a fifth straight session on June 26, its longest losing streak of 2026, extending the AI-valuation rout reported earlier this week.
A five-day slide in U.S. technology shares, driven by fears that the artificial-intelligence spending rally has overstretched, pushed the Nasdaq Composite toward its longest losing streak of the year as investors sold to lock in profits.
Sources: Financial Times
This Afternoon: Cloudy, high 81F.
Tonight: Showers And Thunderstorms, low 64F.
Saturday: Showers And Thunderstorms Likely then Slight Chance Showers And Thunderstorms, high 80F.
Latest developments: The Post-Gazette reported June 26 that Allegheny County's pension funding shortfall could drive a large spending increase and possibly another property-tax hike.
Allegheny County faces a pension funding crisis that finance officials warn could require a major jump in contributions, putting another county tax increase on the table after this year's rise.
Sources: Pittsburgh Post-Gazette
Latest developments: WPXI reported June 26 that the Advanced Research Projects Agency for Health awarded up to $39.3 million to a team including Carnegie Mellon University, the University of Pittsburgh, UPMC, and Magee-Womens Research Institute.
A multi-institution team anchored by Carnegie Mellon, Pitt, UPMC, and the Magee-Womens Research Institute won up to $39.3 million from the federal ARPA-H program, channeling significant research funding into the region's medical and academic economy.
Latest developments: KDKA reported June 26 that closing arguments turned tense in the final session of the hearing over the firing of Woodland Hills superintendent Joe Maluchnik.
Woodland Hills superintendent Joe Maluchnik, whom the school board voted to fire over accusations of gender-based discrimination and harassment, defended himself across a five-night, courtroom-style appeal hearing that closed with disputed claims from district staff.
Latest developments: The Post-Gazette reported June 26 that a group of Penn State staff members hopes to follow the university's newly unionized faculty by organizing themselves.
After Penn State faculty unionized, a group of university staff members is now pushing to organize, testing whether the labor movement on campus extends beyond the teaching ranks.
Sources: Pittsburgh Post-Gazette
Latest developments: WPXI reported June 26 that the South Side Street Fest returns Friday and Saturday after a successful opening night.
The South Side Street Fest, a neighborhood street festival in Pittsburgh's South Side, runs again Friday and Saturday, June 26 and 27, building on a strong first night.
Pirates (41-40)
Thu Jun 25 · Mariners 1 · Pirates 5 · Final
Brandon Lowe, Henry Davis each homer to lead Pirates over Mariners 5-1
Up Next · Reds @ Pirates · Fri Jun 26, 6:40 PM
Latest developments: The Post-Gazette's June 26 Pirates mailbag took up the team's poor automated ball-strike challenge success rate, All-Star voting, and the trade deadline.
In a June 26 mailbag, the Post-Gazette weighed the Pirates' weak record on automated ball-strike system challenges, All-Star Game voting for Paul Skenes and Brandon Lowe, and whether the club should buy or sell before the MLB trade deadline.
Sources: Pittsburgh Post-Gazette
Latest developments: FIFA confirmed the United States will meet Bosnia-Herzegovina in the World Cup round of 32 in Santa Clara, California, on Wednesday, July 1.
The United States men's national team, which advanced from Group D as a tournament co-host despite a 3-2 loss to Türkiye, will play Bosnia-Herzegovina in the World Cup round of 32 in Santa Clara, California, on Wednesday, July 1.
Sources: ESPN Soccer
Latest developments: An Idaho prosecutor said June 26 that misdemeanor drug charges against Olympic gold-medal skier Bode Miller will be dismissed.
Misdemeanor drug charges against Olympic gold-medal skier Bode Miller will be dropped, an Idaho prosecutor said, even though investigators had probable cause for the arrest.
Sources: ESPN Olympics
S&P 500 7,410.91 ▼ -0.7% · Dow 51,742.75 ▲ +0.6% · Nasdaq 25,821.36 ▼ -1.3% · WTI crude 73.38 ▼ -9.7% · EUR/USD 1.1416 ▼ -1.4% · GBP/USD 1.3205 ▼ -1.5% · USD/JPY 161.53 ▲ +0.8%