THREAT FEED
Real-time security alerts filtered for your threat landscape.
PayPal Invoice Fraud Targeting Remote Workers | Scam | 2026-03-04
Fraudulent PayPal invoices sent to remote workers claiming charges for software licenses or IT services. The invoices replace legitimate PayPal phone numbers with those of scam call centers, which request remote access to victims' computers.
Xfinity Router Firmware Remote Code Execution | Vulnerability | 2026-03-03
Critical vulnerability discovered in Xfinity xFi gateway routers allowing unauthenticated remote code execution. Firmware versions prior to 3.2.1 are affected. Attackers can gain full control of the router and intercept all network traffic.
SIM Swap Attacks Targeting Cryptocurrency Users | Scam | 2026-03-03
Surge in SIM swap attacks targeting cryptocurrency holders with Verizon accounts. Attackers use social engineering at Verizon retail stores to port numbers, then access cryptocurrency exchanges and PayPal accounts linked to the phone number.
Slack Webhook Data Exfiltration | Vulnerability | 2026-03-02
Attackers exploiting misconfigured Slack incoming webhooks to exfiltrate sensitive data from private channels. Organizations with default webhook permissions are particularly vulnerable. Data is sent to attacker-controlled servers via outbound webhook posts.
Chicago Public Schools Student Data Breach | Data Breach | 2026-03-02
Data breach at Chicago Public Schools exposed records of 500,000+ students and staff. Compromised data includes names, emails, student IDs, and Google Workspace credentials used for remote learning platforms.
Google Workspace OAuth Token Theft | Vulnerability | 2026-03-01
New attack vector exploiting Google Workspace OAuth consent flow to steal long-lived access tokens. Malicious third-party apps request broad permissions and exfiltrate email, Drive, and Calendar data. The attacks particularly target organizations using Slack-Gmail integrations.
Advanced Phishing Kit Targeting Financial Services | Phishing | 2026-03-01
Unit 42 discovered FinPhish, a phishing-as-a-service kit generating highly convincing replicas of PayPal and Amazon login pages. Kit includes real-time OTP interception, browser fingerprinting evasion, and automatic credential validation against live services.
NPM Supply Chain Attack Affecting Developer Tools | Vulnerability | 2026-02-28
Compromised npm packages discovered containing backdoors that exfiltrate environment variables and SSH keys. Over 45,000 downloads before removal. Developers using VS Code and Slack desktop apps with Node.js backends may be affected.
Outlook Zero-Click Calendar Vulnerability | Vulnerability | 2026-02-27
Critical vulnerability in Microsoft Outlook allows remote code execution via specially crafted calendar invitations. No user interaction required. Affects Outlook desktop clients on Windows. Patch available in March 2026 security update.
SEPTA Transit System Ransomware Attack | Malware | 2026-02-26
Philadelphia's SEPTA transit authority hit by ransomware attack affecting payment systems and real-time tracking. Customer payment card data from the past 6 months may be compromised. Riders advised to monitor credit card statements.
Verizon Customer Data API Exposure | Data Breach | 2026-02-24
Unsecured Verizon API endpoint exposed customer records including names, addresses, phone numbers, and account PINs for approximately 7.5 million customers in the NYC metro area. The endpoint was publicly accessible for an estimated 3 weeks before being secured.