China-linked actors exploited hosting compromise to hijack Notepad++ updater

🇨🇳China

SoftwareCybersecurityTelecommunicationsFinancial Services

Mon, Feb 2, 2026

InsightsWire News2026

Notepad++ has revealed technical findings after investigators traced a targeted campaign that manipulated the editor’s update distribution. The intrusion did not arise from flaws in the application code but from control gained over infrastructure used to serve updates, enabling selective redirection of certain update requests to adversary-controlled endpoints. External analysts assessing telemetry and attack patterns concluded the operation bears hallmarks of a state-directed actor based in China, which aligns with the carefully chosen targets observed during the campaign. Initial exploitation appears to have begun in mid-2025, with the compromised host remaining under attacker control until early September, and unauthorized credentials later permitting access to internal provider systems up to December. During that window the adversary could supply poisoned update manifests to a subset of users, giving attackers a stealthy route for delivering malware to organizations in telecoms and financial sectors across East Asia. The hosting provider’s investigation found no broad tenant-wide abuse, indicating the campaign was narrowly scoped rather than a noisy, indiscriminate compromise. In response, Notepad++ migrated its release infrastructure and implemented client-side measures to validate update authenticity, closing the vector the attackers exploited. The episode underscores a recurring reality: supply chain risk frequently originates outside application code, at the infrastructure and delivery layers. For operators of widely distributed software, especially free and open projects that rely on third-party hosting, the attack exposes a blind spot where trust in intermediaries can be weaponized. Detection was delayed by the precision of targeting and by the attacker’s use of legitimate update channels, which complicates forensic timelines and attribution. The case reinforces the need for end-to-end integrity checks, strict key management for update signing, and continuous validation of hosting security to prevent similar interception paths in the future.

PREMIUM ANALYSIS

Read Our Expert Analysis

Create an account or login for free to unlock our expert analysis and key takeaways for this development.

By continuing, you agree to receive marketing communications and our weekly newsletter. You can opt-out at any time.

Free Access

No Payment Needed

Join Thousands of Readers

Recommended for you

Cybersecurity

Polyfill.io Compromise Linked to North Korean Operators, Impacting 100k+ Sites

Forensic artifacts (LummaC2 sample and harvested CDN/DNS credentials) tie the 2024 Polyfill.io library compromise to operators aligned with North Korea; investigators warn the incident exemplifies a broader trend of supply‑chain abuse that pairs credential theft, control‑plane takeover, and resilient off‑platform monetization to convert web traffic into crypto flows.

Cybersecurity

Compromised eScan Update Server Delivered Multi-Stage Malware to Users

Security researchers found that attackers pushed a malicious update through an official eScan update server on January 20, 2026, installing a multi-stage infection on both consumer and enterprise endpoints. eScan isolated affected servers, took them offline for over eight hours, and issued a manual cleanup utility while disputing aspects of the public disclosure.

Cybersecurity

Dell RecoverPoint Zero-Day Exploited by China-Linked Cyberespionage Group

A China-linked espionage cluster abused a hardcoded-credential flaw in Dell RecoverPoint for Virtual Machines to escalate privileges, move laterally, and deploy bespoke malware; Dell released patch 6.0.3.1 HF1 and vendors published IoCs and behavioral indicators. The incident underscores a broader trend of rapid weaponization of management and recovery tooling, forcing organisations to pair urgent patching with compensating network controls and extended telemetry into virtualization stacks.

Cybersecurity

TeamPCP's CanisterWorm: npm Supply-Chain Compromise with Iran-Targeted Wiper

A self‑propagating worm, tracked as CanisterWorm, spread through npm packages and CI/CD pipelines to harvest credentials and push poisoned artifacts; researchers removed malicious packages after tracing a distribution chain tied to earlier tooling compromises. The implant contains an environment‑aware destructive module (Kamikaze) that activates destructive routines under Iran‑specific cues while otherwise focusing on persistence and exfiltration, exposing systemic gaps in artifact provenance, package‑manager logic, and control‑plane credential hygiene.

Cybersecurity

Chinese-linked APT exploits zero-day and rootkits against Singapore telcos

A China-linked advanced persistent threat group targeted all four major Singapore telecommunications operators last year, using a firewall zero-day and rootkits to gain limited footholds. Authorities report no service outages or confirmed data theft so far, and are coordinating containment, remediation, and strengthened monitoring across the sector.

Cybersecurity

TeamT5 ThreatSonar vulnerability exploited; CISA adds flaw to KEV list

CISA added a high-severity vulnerability in TeamT5’s ThreatSonar (CVE-2024-7694) to its Known Exploited Vulnerabilities catalogue and required federal remediation by March 10, 2026. The bug allows unsafe file uploads that can be chained with elevated privileges to achieve remote command execution; a vendor patch was issued in August 2024 but evidence of in‑the‑wild exploitation has been reported.

Cybersecurity

Google: Multiple APTs and crime syndicates widely exploited a critical WinRAR flaw

Google Threat Intelligence Group says a high-severity WinRAR vulnerability (CVE-2025-8088) has been actively abused for months by both nation-state actors and financially motivated groups. Attackers leveraged crafted RAR archives and hidden alternate data streams to place persistent payloads — affecting government, military, technology, travel, and banking targets globally.

Cybersecurity

CERT-In alerts users to high-risk flaws in Apple Pages/Keynote and Google Chrome; apply patches now

India’s national cybersecurity agency has identified exploitable vulnerabilities in Apple Pages/Keynote and Google’s desktop Chrome that could allow data disclosure or remote code execution. Vendors issued fixes in late January 2026; organisations should prioritise deploying those updates immediately and treat them in the context of a broader trend of vendor emergency patches for document- and API-handling flaws.