================================================================
INFOSECFOLLOW -- security, markets, business, pittsburgh
Friday, June 26, 2026 - 12:05 PM EDT
================================================================

A flaw in Amazon's Q Developer assistant let malicious repositories steal cloud credentials through Model Context Protocol configs, sharpening the day's theme that AI coding tools and agents now anchor the software supply chain's attack surface.

CONTENTS: Emerging Trends and Key Updates | Security | Business and Politics | Pittsburgh | Sports | Reading | Markets

EMERGING TRENDS AND KEY UPDATES
----------------------------------------------------------------

* [TREND] Third-party suppliers remain the soft entry point, as the cascading Klue-Salesforce breach now hits two dozen firms and a compromised vendor drained about $3 million from Polymarket users.
  see: Third-Party Breaches Multiply: Klue, Polymarket, Passports

* [TREND] AI coding assistants keep widening the attack surface, as AWS patched CVE-2026-12957 in Amazon Q Developer after researchers showed a malicious repository could steal a developer's cloud credentials.
  see: Amazon Q Developer Flaw Steals Cloud Credentials

* [TREND] State-sponsored espionage intensified as Russia's Turla aimed its new STOCKSTAY backdoor at Ukrainian government and military targets while Kaspersky exposed StrikeShark, a global campaign using the SharkLoader dropper.
  see: Turla Deploys STOCKSTAY Backdoor in Ukraine; New Malware Surfaces: StrikeShark and Gaslight

* [UPDATE (new)] Defenders face fresh in-the-wild threats after CISA flagged actively exploited PTC Windchill RCE CVE-2026-12569 and a working pedit COW exploit surfaced a day after the Linux kernel CVE.
  see: PTC Windchill RCE Exploited in the Wild; pedit COW Linux Kernel Root Exploit

* [TREND] AI-valuation rout dragged the Nasdaq to a fifth losing day as commentators sharpened critiques: Zitron's cargo-cult takedown, Newport's doom-trolling rebuke, and Figma's Dylan Field offered a sunnier view.
  see: AI-Driven Selloff Reaches Fifth Day; Cargo Culture; Dear AI Companies: Stop the "Doom Trolling"; An Interview with Figma CEO Dylan Field About Design and AI

SECURITY
----------------------------------------------------------------

1. TURLA DEPLOYS STOCKSTAY BACKDOOR IN UKRAINE
   Nation-State Activity · [apt, espionage]

   Latest developments: Google Threat Intelligence Group detailed STOCKSTAY, a previously undocumented .NET Windows backdoor that the Russian group Turla continually develops and has aimed at Ukrainian government and military organizations plus entities interested in Italian foreign policy, while Ukraine's SBU described a long-running Russian operation that posed as tech-support staff to phish credentials for prominent messaging accounts.

   Turla is an FSB-linked Russian espionage group. STOCKSTAY gives it persistent espionage access on Windows machines across Ukrainian defense and government targets. Defenders should hunt for the new .NET implant and harden messaging-account recovery.

   - The Record: https://therecord.media/russia-turla-espionage-ukraine-stockstay-malware
   - The Hacker News: https://thehackernews.com/2026/06/google-details-turlas-new-stockstay.html
   - SecurityWeek: https://www.securityweek.com/russian-apt-deploys-stockstay-backdoor-against-ukrainian-targets/
   - The Record: https://therecord.media/russia-ukraine-social-engineering-messaging-accounts

2. THIRD-PARTY BREACHES MULTIPLY: KLUE, POLYMARKET, PASSPORTS
   Data Breaches · [breach, supply-chain, ransomware]

   Latest developments: Roughly two dozen companies have now notified customers of the Klue-Salesforce breach even as the attackers themselves got hacked; Polymarket said hackers stole about $3 million from some users through a compromised third-party vendor; a database of nearly a million passports surfaced online after attackers breached a cannabis-dispensary ID-verification system; and Black Kite's 2026 European Cyber Risk Report, drawn from 2,066 incidents across 31 countries, tied a first-quarter ransomware surge to third-party suppliers.

   Each incident traces back to a partner or vendor rather than the victim's own perimeter, and the passport leak shows a high-value credential exposed through a low-value ancillary system. Inventory third-party access and demand breach notification from suppliers.

   - SecurityWeek: https://www.securityweek.com/more-klue-breach-victims-identified-as-hackers-get-hacked/
   - SecurityWeek: https://www.securityweek.com/3-million-reportedly-stolen-in-polymarket-hack/
   - Schneier on Security: https://www.schneier.com/blog/archives/2026/06/one-million-passports-leaked-online.html
   - Help Net Security: https://www.helpnetsecurity.com/2026/06/26/black-kite-european-cyber-threats-report/

3. AMAZON Q DEVELOPER FLAW STEALS CLOUD CREDENTIALS
   AI Security · [ai, patch, supply-chain]

   Latest developments: AWS patched CVE-2026-12957, a high-severity bug rated CVSS 8.5 in how Amazon Q Developer handled Model Context Protocol servers, after researchers showed a malicious repository could run commands and steal a developer's cloud credentials the moment the developer opened the repo and trusted the workspace; Amazon published its own advisory.

   Amazon Q Developer is Amazon's AI coding assistant. A booby-trapped repository abused the assistant's MCP server handling to execute attacker commands and exfiltrate AWS credentials. Apply the fix and review which workspaces you trust.

   - SecurityWeek: https://www.securityweek.com/amazon-q-flaw-enabled-cloud-credential-theft-via-malicious-repositories/
   - The Hacker News: https://thehackernews.com/2026/06/amazon-q-developer-flaw-could-let.html

4. PTC WINDCHILL RCE EXPLOITED IN THE WILD
   Vulnerabilities and Exploits · [rce, patch, exploit]

   Latest developments: CISA added CVE-2026-12569, a critical remote-code-execution flaw in PTC Windchill PDMLink and FlexPLM product-data and lifecycle-management software, to its Known Exploited Vulnerabilities catalog on June 26 after confirming active exploitation, with web-shell attacks against internet-facing servers continuing.

   PTC Windchill manages product data and lifecycle workflows for manufacturers. Attackers exploit the flaw to plant web shells and run code on exposed servers. Federal agencies and manufacturers should patch immediately and hunt for web shells.

   - The Hacker News: https://thehackernews.com/2026/06/cisa-adds-exploited-ptc-windchill-rce.html
   - SecurityWeek: https://www.securityweek.com/first-ever-exploitation-of-ptc-windchill-vulnerability-discovered-in-the-wild/

5. NEW MALWARE SURFACES: STRIKESHARK AND GASLIGHT
   Malware and Threat Intelligence · [malware, espionage, ai]

   Latest developments: Kaspersky uncovered StrikeShark, a global espionage campaign that uses a previously unknown dropper called SharkLoader to compromise government organizations and software-development companies across several countries, first spotted in an attack on a diplomatic organization in Indonesia, while separate researchers detailed Gaslight, macOS malware that hides prompt-injection strings and fake debugging data inside its executable to confuse AI-assisted analysis tools.

   StrikeShark gives unattributed operators espionage access to governments and developer shops worldwide. Gaslight shows attackers now engineer malware specifically to mislead AI reverse-engineering tools. Treat AI analysis output as advisory and verify manually.

   - Help Net Security: https://www.helpnetsecurity.com/2026/06/26/sharkloader-dropper-governments-software-developers/
   - BleepingComputer: https://www.bleepingcomputer.com/news/security/new-macos-malware-embeds-fake-errors-to-confuse-ai-analysis-tools/

6. PEDIT COW LINUX KERNEL ROOT EXPLOIT
   Vulnerabilities and Exploits · [privilege-escalation, linux, exploit]

   Latest developments: A public, working exploit for CVE-2026-46331, nicknamed pedit COW, an out-of-bounds write in the Linux kernel's traffic-control act_pedit packet-editing action that corrupts shared page-cache memory, appeared within a day of the CVE's June 16 assignment and lets a local unprivileged user gain root; Red Hat rates the flaw high severity.

   The flaw lets any local user on an affected Linux system poison cached binaries and escalate to root. Apply the kernel patch across servers and workstations.

   - The Hacker News: https://thehackernews.com/2026/06/new-linux-pedit-cow-exploit-enables.html

BUSINESS AND POLITICS
----------------------------------------------------------------

* AI-Driven Selloff Reaches Fifth Day

  Latest developments: The Nasdaq Composite fell for a fifth straight session on June 26, its longest losing streak of 2026, extending the AI-valuation rout reported earlier this week.

  A five-day slide in U.S. technology shares, driven by fears that the artificial-intelligence spending rally has overstretched, pushed the Nasdaq Composite toward its longest losing streak of the year as investors sold to lock in profits.

  - Financial Times: https://www.ft.com/content/bb70e272-5b09-4806-8b19-7c03c350f580

PITTSBURGH
----------------------------------------------------------------

Weather:
This Afternoon: Cloudy, high 81F.
Tonight: Showers And Thunderstorms, low 64F.
Saturday: Showers And Thunderstorms Likely then Slight Chance Showers And Thunderstorms, high 80F.

Business:

* County Pension Crisis May Force Tax Hike

  Latest developments: The Post-Gazette reported June 26 that Allegheny County's pension funding shortfall could drive a large spending increase and possibly another property-tax hike.

  Allegheny County faces a pension funding crisis that finance officials warn could require a major jump in contributions, putting another county tax increase on the table after this year's rise.

  - Pittsburgh Post-Gazette: https://www.post-gazette.com/news/politics-local/2026/06/26/allegheny-county-pension-funding-crisis-tax/stories/202606260051

* $39.3M Health Research Grant to Pittsburgh Team

  Latest developments: WPXI reported June 26 that the Advanced Research Projects Agency for Health awarded up to $39.3 million to a team including Carnegie Mellon University, the University of Pittsburgh, UPMC, and Magee-Womens Research Institute.

  A multi-institution team anchored by Carnegie Mellon, Pitt, UPMC, and the Magee-Womens Research Institute won up to $39.3 million from the federal ARPA-H program, channeling significant research funding into the region's medical and academic economy.

  - WPXI: https://www.wpxi.com/news/local/393m-arpa-h-grant-awarded-team-that-includes-cmu-pitt-upmc-mwri/GOOEKI2FGFAPREYQ2M2V2JEEYA/

Around town:

* Woodland Hills Superintendent Removal Hearing Ends

  Latest developments: KDKA reported June 26 that closing arguments turned tense in the final session of the hearing over the firing of Woodland Hills superintendent Joe Maluchnik.

  Woodland Hills superintendent Joe Maluchnik, whom the school board voted to fire over accusations of gender-based discrimination and harassment, defended himself across a five-night, courtroom-style appeal hearing that closed with disputed claims from district staff.

  - KDKA: https://www.cbsnews.com/pittsburgh/news/woodland-hills-superintendent-closing-arguments-hearing/

* Penn State Staff Eye Union After Faculty

  Latest developments: The Post-Gazette reported June 26 that a group of Penn State staff members hopes to follow the university's newly unionized faculty by organizing themselves.

  After Penn State faculty unionized, a group of university staff members is now pushing to organize, testing whether the labor movement on campus extends beyond the teaching ranks.

  - Pittsburgh Post-Gazette: https://www.post-gazette.com/news/education/2026/06/26/penn-state-union/stories/202606260011

Events:

* South Side Street Fest Returns

  Latest developments: WPXI reported June 26 that the South Side Street Fest returns Friday and Saturday after a successful opening night.

  The South Side Street Fest, a neighborhood street festival in Pittsburgh's South Side, runs again Friday and Saturday, June 26 and 27, building on a strong first night.

  - WPXI: https://www.wpxi.com/news/local/south-side-street-fest-will-return-this-weekend-after-successful-first-night/XBT5CEAJ6RCKHKZ4NFPWZJKQY4/

SPORTS
----------------------------------------------------------------

Pirates (41-40)
Thu Jun 25 · Mariners 1 · Pirates 5 · Final
Brandon Lowe, Henry Davis each homer to lead Pirates over Mariners 5-1
https://plaintextsports.com/mlb/2026-06-25/sea-pit
Up Next · Reds @ Pirates · Fri Jun 26, 6:40 PM
https://plaintextsports.com/mlb/2026-06-26/cin-pit

Around the Teams:

* Pirates Mailbag: Challenges, Voting, Deadline

  Latest developments: The Post-Gazette's June 26 Pirates mailbag took up the team's poor automated ball-strike challenge success rate, All-Star voting, and the trade deadline.

  In a June 26 mailbag, the Post-Gazette weighed the Pirates' weak record on automated ball-strike system challenges, All-Star Game voting for Paul Skenes and Brandon Lowe, and whether the club should buy or sell before the MLB trade deadline.

  - Pittsburgh Post-Gazette: https://www.post-gazette.com/sports/pirates/2026/06/26/mlb-allstar-skenes-mlodzinski-lowe-voting-trade-deadline-abs/stories/202606260028

Team USA:

* USMNT Draws Bosnia in Round of 32

  Latest developments: FIFA confirmed the United States will meet Bosnia-Herzegovina in the World Cup round of 32 in Santa Clara, California, on Wednesday, July 1.

  The United States men's national team, which advanced from Group D as a tournament co-host despite a 3-2 loss to Türkiye, will play Bosnia-Herzegovina in the World Cup round of 32 in Santa Clara, California, on Wednesday, July 1.

  - ESPN Soccer: https://www.espn.com/soccer/story/_/id/49181937/usa-bosnia-herzegovina-world-cup-round-32-knockout

* Bode Miller Drug Charges to Be Dropped

  Latest developments: An Idaho prosecutor said June 26 that misdemeanor drug charges against Olympic gold-medal skier Bode Miller will be dismissed.

  Misdemeanor drug charges against Olympic gold-medal skier Bode Miller will be dropped, an Idaho prosecutor said, even though investigators had probable cause for the arrest.

  - ESPN Olympics: https://www.espn.com/olympics/story/_/id/49187302/prosecutor-drop-drug-case-former-olympic-skier-bode-miller

READING
----------------------------------------------------------------

* Stratechery -- An Interview with Figma CEO Dylan Field About Design and AI
  Dylan Field discusses how he built Figma and lays out why he believes artificial intelligence works as a tailwind for the design company rather than a threat to it.
  https://stratechery.com/2026/an-interview-with-figma-ceo-dylan-field-about-design-and-ai/

* Ed Zitron -- Cargo Culture
  Zitron argues that much of the tech and AI industry behaves like a cargo cult, imitating the outward rituals and spending habits of successful companies while missing the substance that made them work.
  https://www.wheresyoured.at/cargo-culture/

* Cal Newport -- Dear AI Companies: Stop the "Doom Trolling"
  Newport, using an analogy of Ford warning that its own F-150 is alarmingly dangerous, argues AI companies should stop publicly hyping the perils of their own products as a backdoor marketing tactic.
  https://calnewport.com/dear-ai-companies-stop-the-doom-trolling/

MARKETS (weekly average, change vs prior week)
----------------------------------------------------------------

S&P 500      7,410.91   ▼ -0.7%
Dow         51,742.75   ▲ +0.6%
Nasdaq      25,821.36   ▼ -1.3%
WTI crude       73.38   ▼ -9.7%
EUR/USD        1.1416   ▼ -1.4%
GBP/USD        1.3205   ▼ -1.5%
USD/JPY        161.53   ▲ +0.8%

================================================================
Generated 2026-06-26 12:05 EDT.
Sources: 24 security feeds; 9 Pittsburgh feeds; 4 Pittsburgh arts and events feeds; 6 Pittsburgh sports beat and podcast feeds; 4 Team USA feeds; the Wall Street Journal, the Economist, and the Financial Times; and Ed Zitron, Stratechery, Cal Newport. Markets from Yahoo Finance, weather from the NWS, scores from ESPN.
Summaries are AI-generated from the linked reporting; verify at the sources.
================================================================