{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreiebvayl47p2nta6mgsaxuehpdsw62iepq6qjvxlc2hjmaj6dkqufe",
"uri": "at://did:plc:7vacwiv4432xhhagpfni4cjw/app.bsky.feed.post/3meolpja5rx62"
},
"coverImage": {
"$type": "blob",
"ref": {
"$link": "bafkreihlseqmt2bclj3yxcsl7hfn26v2p4uo2hn2flja5rlmitmdiy36ly"
},
"mimeType": "image/jpeg",
"size": 316764
},
"description": "Software supply chain attacks more than doubled in 2025, with developer workstations identified as high-value targets across multiple industry reports (ReversingLabs, 2026). In the first two weeks of February 2026, two completely unrelated security incidents hit two different text editors both called \"Notepad,\" exposing how the tools developers trust most are becoming the tools attackers exploit first.\n\nOne was a state-sponsored supply chain compromise that ran undetected for six months. The oth",
"path": "/notepad-attacks-developer-tools/",
"publishedAt": "2026-02-12T18:11:24.000Z",
"site": "https://blog.cyberdesserts.com",
"tags": [
"Subscribe to CyberDesserts",
"Notepad++ Compromised for 6 Months: Check Your Version Now",
"npm security and package vulnerabilities",
"full Notepad++ coverage",
"Gartner supply chain security retrospective",
"npm security guide",
"_Notepad++ Compromised for 6 Months_",
"_npm Security: The Complete Guide_",
"_Gartner Supply Chain Retrospective_"
],
"textContent": "Software supply chain attacks more than doubled in 2025, with developer workstations identified as high-value targets across multiple industry reports (ReversingLabs, 2026). In the first two weeks of February 2026, two completely unrelated security incidents hit two different text editors both called \"Notepad,\" exposing how the tools developers trust most are becoming the tools attackers exploit first.\n\nOne was a state-sponsored supply chain compromise that ran undetected for six months. The other was a feature-creep vulnerability that turned a simple text file into a remote code execution path. Together, they represent the two ways your developer toolchain becomes an attack surface: through the delivery mechanism and through the tool itself.\n\n## Incident 1: Notepad++ Update Server Hijacked for 6 Months\n\nA Chinese state-sponsored group compromised Notepad++ hosting infrastructure between June and December 2025, using it to deliver custom backdoors and Cobalt Strike payloads to targeted organisations.\n\nThe attackers did not exploit a vulnerability in Notepad++ code. They compromised the shared hosting provider and hijacked the update mechanism to serve malicious installers. Older versions of Notepad++ did not cryptographically verify that updates came from legitimate sources. That gap gave attackers a clean delivery channel to selected targets across government, finance, and IT sectors in Southeast Asia, Central America, and Australia.\n\nRapid7's MDR team discovered a previously undocumented backdoor they named Chrysalis during incident response. Kaspersky's GReAT team independently identified three distinct infection chains rotated roughly monthly to evade detection.\n\nThe full breakdown of indicators, affected versions, and detection guidance is in our detailed coverage: Notepad++ Compromised for 6 Months: Check Your Version Now.\n\n## Incident 2: Windows Notepad Markdown Feature Enables RCE\n\nTwo days after the Notepad++ story broke, Microsoft patched CVE-2026-20841, an 8.8-rated remote code execution vulnerability in the Windows Notepad app. Completely different software, completely different attack vector.\n\nMicrosoft added Markdown rendering to Notepad in 2025 as part of a broader modernisation push. That feature introduced clickable links, protocol handling, and content rendering behaviours that previously only existed in browsers and document viewers. The problem: Notepad failed to properly sanitise link content before passing it to the operating system for handling.\n\nAn attacker crafts a Markdown file with a malicious link. A user opens it in Notepad and clicks the link. Notepad hands an untrusted URI to the system, which launches associated handlers or processes without the standard Windows security prompts. Code executes with the logged-in user's permissions.\n\nProof-of-concept code is already public on GitHub. Microsoft's fix, delivered through the Microsoft Store as Notepad version 11.2510, adds a warning dialog for non-HTTP links rather than blocking them entirely. The legacy Notepad.exe bundled with Windows is not affected.\n\nThe vulnerability was reported by AppSec engineer Cristian Papa, security researcher Alasdair Gorniak, and a researcher known as \"Chen.\" Microsoft confirmed no known exploitation in the wild at the time of patching.\n\n## Two Different Attacks, One Shared Lesson\n\nThese incidents are unrelated technically but connected strategically. Both exploit the implicit trust that developers and administrators place in their everyday tools.\n\nThe Notepad++ compromise targeted the **delivery mechanism**. Attackers did not need to find a bug in the software. They compromised the infrastructure that delivered it, weaponising the update process itself. This is the supply chain attack model: why pick one lock when you can poison the key distributor?\n\nThe Windows Notepad vulnerability targeted the **tool's expanded functionality**. Every new feature Notepad gained (Markdown rendering, clickable links, protocol handling) added attack surface that did not exist when it was a plain text editor. This is the feature-creep risk model: useful capabilities introduce security assumptions that nobody tested.\n\n## Developer Workstations Are the Blind Spot\n\nSonatype's 2026 State of the Software Supply Chain report found over 1.2 million malicious open source packages in circulation, with npm as the dominant delivery channel. The Lazarus Group alone published more than 800 malicious packages in 2025, concentrated overwhelmingly in npm because it provides the fastest path from package publication to developer workstation.\n\nDeveloper machines sit at the intersection of everything attackers want. They hold source code, credentials, API tokens, cloud access keys, and deployment authority. They connect to package registries, internal repositories, CI/CD pipelines, and production environments. And they typically run with the most permissive network policies in the organisation because developers need access to dozens of external services to do their work.\n\nThe Notepad++ attackers understood this. Their C2 domains (cdncheck.it.com, safe-dns.it.com, api.wiresguard.com) were chosen specifically to blend into legitimate developer traffic. The Windows Notepad vulnerability exploits the same assumption from the opposite direction: Markdown files are documentation. Developers open documentation constantly. Nobody expects a README to execute code.\n\nReversingLabs' 2026 report documented attacks that specifically target developer tooling, including IDE extensions that steal credentials and survive reboots, compromised GitHub Actions that leak CI/CD secrets into public build logs, and maintainer account takeovers that push malicious updates through trusted channels.\n\nThe consistent pattern is attackers targeting the tools developers already use.\n\n## What Defenders Should Do This Week\n\n**For the Notepad++ compromise:**\n\nUpdate to version 8.9.1 by downloading directly from notepad-plus-plus.org. Do not rely on the auto-updater if you are running an older version. Hunt for the indicators detailed in our full Notepad++ coverage, particularly temp.sh DNS queries and the whoami/tasklist/systeminfo/netstat command sequence in endpoint logs.\n\n**For CVE-2026-20841:**\n\nVerify your Windows Notepad version is 11.2510 or later through the Microsoft Store. If your organisation does not manage Store app updates centrally, this patch may not reach endpoints automatically. Consider blocking or flagging .md file attachments at email gateways. Tune EDR rules to alert on Notepad spawning child processes or making outbound network connections.\n\n**For the bigger picture:**\n\nAudit your developer workstation security posture. These two incidents highlight that developer endpoints need the same (or stricter) security controls as any other endpoint in the network. Review egress policies, enforce zero trust principles on developer segments, and ensure software update mechanisms across your toolchain use cryptographic verification.\n\nFor a deeper look at how supply chain attacks exploit developer trust relationships, see our Gartner supply chain security retrospective and the broader npm security guide.\n\n## Summary\n\nTwo text editors called \"Notepad\" hit the security news in the same week for entirely different reasons. One was compromised through its infrastructure. The other was compromised through its features. Both succeeded because developers trust their tools implicitly.\n\nSoftware supply chain attacks doubled in 2025. Over 1.2 million malicious packages are circulating in open source registries. Developer workstations are the fastest path from initial access to production compromise. These two incidents are not anomalies. They are the pattern.\n\nYour developer toolchain is part of your attack surface. Treat it that way.\n\n* * *\n\n_Last updated: February 2026_\n\n## References and Sources\n\n 1. **Rapid7 Labs**. (2026). _The Chrysalis Backdoor: A Deep Dive into Lotus Blossom's Toolkit_. Technical malware analysis by Ivan Feigl documenting the backdoor delivered through compromised Notepad++ updates.\n 2. **Kaspersky GReAT**. (2026). _The Notepad++ Supply Chain Attack: Unnoticed Execution Chains and New IoCs_. Analysis by Georgy Kucherin and Anton Kargin documenting three infection chains.\n 3. **Microsoft Security Response Center**. (2026). _CVE-2026-20841 Security Advisory_. Vulnerability disclosure and patch guidance for Windows Notepad Markdown RCE. CVSS 8.8.\n 4. **Help Net Security**. (2026). _Windows Notepad Markdown feature opens door to RCE_. Coverage of CVE-2026-20841 including researcher attribution and exploitation details.\n 5. **Sonatype**. (2026). _2026 State of the Software Supply Chain Report_. Over 1.233 million malicious open source packages identified, with npm as dominant delivery channel. 9.8 trillion downloads across major registries.\n 6. **ReversingLabs**. (2026). _2026 Software Supply Chain Security Report_. Documentation of attacks targeting developer tooling, IDE extensions, and AI development pipelines. Open source malware up 73%.",
"title": "Two Notepad Attacks in One Week: Your Tools Are the Target",
"updatedAt": "2026-03-05T02:46:06.350Z"
}