Cybersecurity Newsletter, February 23rd 2026
In this week’s news: PayPal discloses an extended data leak linked to a loan app glitch, an AI-assisted threat actor compromises 600+ FortiGate devices in 55 countries, hackers hide Pulsar RAT inside PNG images in a new NPM supply chain attack, MuddyWater targets MENA organizations, identity verification systems are struggling with synthetic fraud, and ESET Research discovers PromptSpy, the first Android threat to use generative AI.
PayPal has disclosed a data breach caused by a software bug in its PayPal Working Capital loan app. The flaw had exposed sensitive customer information since July 1, 2025, before it was discovered and fixed: customers’ business contact details (name, email, phone number, address), along with Social Security numbers and dates of birth.
https://securityaffairs.com/188309/data-breach/paypal-discloses-extended-data-leak-linked-to-loan-app-glitch.html
ESET researchers have discovered PromptSpy, the first known Android malware to abuse generative AI in its execution flow to achieve persistence; generative AI has not previously been seen deployed in this manner. Because the attackers rely on prompting an AI model (specifically, Google’s Gemini) to guide malicious UI manipulation, ESET has named this family PromptSpy.
https://www.eset.com/us/about/newsroom/research/eset-research-discovers-promptspy-first-android-threat-using-genai
A new type of supply chain attack has been discovered that uses ordinary image files to hide a remote access trojan (Pulsar RAT). Experts at Veracode Threat Research found a malicious package on NPM, the package registry used by millions of software developers to share tools. The package was designed to look like a normal piece of software, but its real goal was to take over the victim’s computer.
https://hackread.com/hackers-pulsar-rat-png-images-npm-supply-chain-attack/
Amazon Threat Intelligence observed a Russian-speaking financially motivated threat actor leveraging multiple commercial generative AI services to compromise over 600 FortiGate devices across more than 55 countries from January 11 to February 18, 2026. No exploitation of FortiGate vulnerabilities was observed—instead, this campaign succeeded by exploiting exposed management ports and weak credentials with single-factor authentication, fundamental security gaps that AI helped an unsophisticated actor exploit at scale.
https://aws.amazon.com/blogs/security/ai-augmented-threat-actor-accesses-fortigate-devices-at-scale/
The Iranian hacking group known as MuddyWater (aka Earth Vetala, Mango Sandstorm, and MUDDYCOAST) has targeted several organizations and individuals mainly located across the Middle East and North Africa (MENA) region as part of a new campaign codenamed Operation Olalampo.
https://thehackernews.com/2026/02/muddywater-targets-mena-organizations.html
Fake and expired IDs keep showing up in routine customer transactions, from alcohol purchases to credit card applications. The problem shows up most often in industries that depend on fast onboarding and remote transactions, where identity checks rely heavily on scanned documents and automated workflows.
https://www.helpnetsecurity.com/2026/02/23/analysis-identity-verification-fraud-report/
The French Ministry of Finance has disclosed a cybersecurity incident that impacted data associated with 1.2 million user accounts. The investigation discovered that hackers gained access to the national bank account registry (FICOBA) and stole a database containing sensitive information.
https://www.bleepingcomputer.com/news/security/data-breach-at-french-bank-registry-impacts-12-million-accounts/
The FBI warns ATM jackpotting is rising nationwide, with over $20 million lost in 2025 and 1,900 incidents reported since 2020.
https://securityaffairs.com/188281/cyber-crime/fbi-warns-of-surge-in-atm-jackpotting-20-million-lost-in-2025.html
A new Android banking malware, which researchers named Massiv, is posing as an IPTV app to steal digital identities and access online banking accounts. The malware relies on screen overlays and keylogging to obtain sensitive data and can take remote control of a compromised device.
https://www.bleepingcomputer.com/news/security/new-massiv-android-banking-malware-poses-as-an-iptv-app/
A newly uncovered phishing kit allows cybercriminals to steal usernames and passwords with a toolkit which spoofs live login pages and bypasses multi-factor authentication (MFA) protections, cybersecurity analysts have warned.
https://www.infosecurity-magazine.com/news/starkiller-phishing-kit-bypasses/
Texas sued networking giant TP-Link Systems, accusing the company of deceptively marketing its routers as secure while allowing Chinese state-backed hackers to exploit firmware vulnerabilities and access users' devices.
https://www.bleepingcomputer.com/news/security/texas-sues-tp-link-over-chinese-hacking-risks-user-deception/
Cybersecurity researchers have disclosed details of a new ClickFix campaign that abuses compromised legitimate sites to deliver a previously undocumented remote access trojan (RAT) called MIMICRAT (aka AstarionRAT).
https://thehackernews.com/2026/02/clickfix-campaign-abuses-compromised.html