DATE: February 06, 2026 at 05:23PM
SOURCE: HEALTHCARE INFO SECURITY

Direct article link at end of text block below.

#ISMG Editors: #Notepad++ #SupplyChainAttack Raises Alarm: Also: #Healthcare #CyberRisks Collide, #Varonis Deal Signals #AISecurity Shifthttps://www.healthcareinfosecurity.com/ismg-editors-notepad-supply-chain-attack-raises-alarm-a-30695

Here are any URLs found in the article text:

https://www.healthcareinfosecurity.com/ismg-editors-notepad-supply-chain-attack-raises-alarm-a-30695

Articles can be found by scrolling down the page at https://www.healthcareinfosecurity.com/ under the title "Latest"

-------------------------------------------------

Private, vetted email list for mental health professionals: https://www.clinicians-exchange.org

Healthcare security & privacy posts not related to IT or infosec are at @HIPAABot . Even so, they mix in some infosec with the legal & regulatory information.

-------------------------------------------------

#security #healthcare #doctors #itsecurity #hacking #doxxing #psychotherapy #securitynews #psychotherapist #mentalhealth #psychiatry #hospital #socialwork #datasecurity #webbeacons #cookies #HIPAA #privacy #datanalytics #healthcaresecurity #healthitsecurity #patientrecords @infosec #telehealth #netneutrality #socialengineering

State-sponsored hackers compromised a beloved developer tool while AI platforms exposed millions of sensitive records.
#cybersecurity #supplychainattack #stateSponsored #botnet #databreach

https://cybernewsweekly.substack.com/p/cybersecurity-news-review-week-6-43e

Released a PowerShell IoC triage script for detecting the Notepad++ supply chain attack, including the previously known Rapid7 IoCs and now the newly released IoCs for chains 1 (ProShow) & 2 (Lua/Adobe) published by Securelist (https://securelist.com/notepad-supply-chain-attack/118708/):

https://github.com/moltenbit/NotepadPlusPlus-Attack-Triage

#cybersecurity #vulnerability #incidentresponse #notepadplusplus #supplychainattack

Morning, cyber pros! ☕ It's been a busy 24 hours with several critical vulnerabilities under active exploitation, new insights into nation-state tradecraft, and some important shifts in government cyber policy. Let's dive in:

Actively Exploited Vulnerabilities & Reconnaissance ⚠️
- Russian APT28 (Fancy Bear) is actively exploiting a recently patched Microsoft Office zero-day (CVE-2026-21509) in attacks against Ukrainian government entities and other EU organisations. They're using themed malicious DOC files to install COVENANT malware, and sometimes MiniDoor or PixyNetLoader. Patching immediately is crucial; if not, implement registry-based mitigations.
- A critical RCE flaw (CVE-2025-11953) in React Native's Metro development server is under active exploitation, delivering Rust-based malware to Windows and Linux dev systems. Attackers are using the /open-url HTTP endpoint for arbitrary OS command execution, often disabling Microsoft Defender first. With ~3,500 exposed servers, developers should patch to version 20.0.0 or later immediately.
- CISA has flagged a critical SolarWinds Web Help Desk untrusted data deserialisation RCE flaw (CVE-2025-40551) as actively exploited, mandating federal agencies patch within three days. This allows unauthenticated attackers remote command execution. Admins should update to Web Help Desk 2026.1 without delay, as these products are frequent targets.
- A widespread reconnaissance campaign is targeting Citrix NetScaler infrastructure, using over 63,000 residential proxies to scan for login panels and enumerate product versions. This activity, observed between January 28 and February 2, suggests pre-exploitation mapping for known Citrix ADC weaknesses. Monitor for specific user agents, unusual access to /epa/scripts/win/nsepa_setup.exe, and outdated browser fingerprints.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/russian-hackers-exploit-recently-patched-microsoft-office-bug-in-attacks/
🗞️ The Record | https://therecord.media/russian-state-hackers-exploit-new-microsoft-flaw
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/hackers-use-critical-react-native-metro-bug-to-breach-dev-systems/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/03/critical_react_native_metro_server/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/cisa-flags-critical-solarwinds-rce-flaw-as-actively-exploited/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/wave-of-citrix-netscaler-scans-use-thousands-of-residential-proxies/

New Threat Research & Malware 🕵🏼
- Chinese state-linked APT group Lotus Blossom (aka Billbug) has been attributed with "moderate confidence" to the Notepad++ update hijacking. They exploited update infrastructure to deliver a new, sophisticated backdoor dubbed Chrysalis, using DLL sideloading, custom API hashing, and obfuscation.
- Users who downloaded suspicious Notepad++ updates between June and December 2025 should check for compromise and rotate credentials.
- A new GlassWorm malware campaign is targeting macOS systems via compromised OpenVSX extensions, stealing passwords, crypto-wallet data, and developer credentials. The threat actor compromised a legitimate developer's account to push malicious updates. Users of affected extensions should clean systems and rotate all secrets.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/02/notepad_hijacking_lotus_blossom/
📰 The Hacker News | https://thehackernews.com/2026/02/notepad-hosting-breach-attributed-to.html
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/new-glassworm-attack-targets-macos-via-compromised-openvsx-extensions/

Recent Cyber Attacks & Breaches 🚨
- Data storage giant Iron Mountain has confirmed a breach claimed by the Everest extortion gang, but states it was mostly limited to marketing materials. Attackers used a single compromised credential to access one folder on a public-facing file-sharing server, with no ransomware deployed or other systems breached.
- Separately, a new phishing scheme is harvesting Dropbox logins using multi-stage obfuscation, with fake PDF lures hosted on legitimate cloud services. The campaign is notable for its lack of conventional malware, focusing purely on credential theft and bypassing email authentication checks.
- This highlights the importance of strong credential management and user awareness, as sophisticated social engineering can bypass technical controls.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/iron-mountain-data-breach-mostly-limited-to-marketing-materials/
🚨 Dark Reading | https://www.darkreading.com/cloud-security/attackers-harvest-dropbox-logins-fake-pdf-lures

Regulatory Issues & Changes ⚖️
- The UK's Office of Financial Sanctions Implementation (OFSI) has opened its first investigation into suspected breaches of the country's cyber sanctions regime, involving up to five financial services firms. This follows expanded monitoring and investment in crypto investigation tools.
- This underscores increased scrutiny on compliance with sanctions against state-backed and financially motivated cyber actors, with potential civil penalties up to £1 million or 50% of the breach value.
- Microsoft Azure Storage has officially stopped supporting TLS 1.0 and 1.1, with TLS 1.2 now the minimum requirement, effective February 3, 2026. Organisations still relying on these deprecated, less secure protocols for legacy systems connecting to Azure Storage will no longer be able to connect.
🗞️ The Record | https://therecord.media/uk-investing-first-suspected-breach-cyber-sanctions
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/03/microsoft_tls_deprecations/

Government Cyber Policy & Staffing 🏛️
- The Trump administration's second term has seen CISA scale back its election security support, leading states to seek internal funding and resources. Cuts to CISA's budget and staff, combined with a lack of dedicated congressional funding, have left states feeling isolated.
- This shift necessitates states developing more self-reliant strategies for election cybersecurity, despite CISA's claims of continued support.
- National Cyber Director Sean Cairncross is advocating for reduced cybersecurity regulatory burdens on industry and increased cooperation, urging industry feedback on friction points. He also called for industry support to pass a 10-year extension of the Cybersecurity Information Sharing Act of 2015.
🤫 CyberScoop | https://cyberscoop.com/cisa-election-security-cutbacks-states-trump-administration/
🤫 CyberScoop | https://cyberscoop.com/sean-cairncross-industry-cut-cybersecurity-regulations-renew-cisa/

Everything Else 🌐
- The AI-powered personal assistant project OpenClaw (formerly Clawdbot/Moltbot) is being described as a "security dumpster fire" due to multiple high-impact vulnerabilities, including one-click RCE and command injection flaws. Hundreds of malicious "skills" have been found, some stealing cryptocurrency.
- Users are warned against running OpenClaw on their machines due to significant security risks and unexpectedly high API costs from inefficient operations.
- Polish authorities have arrested a 20-year-old man suspected of operating a multi-layered botnet to conduct DDoS attacks on "numerous popular websites," including those of strategic importance globally.
- Recent major cloud outages underscore the critical impact on identity systems, which act as "gatekeepers" for all modern applications and services. Traditional regional high availability is often insufficient, necessitating multi-cloud strategies or on-premises alternatives and graceful degradation planning for identity architectures.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/03/openclaw_security_problems/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/03/polish_cops_ddos_arrest/
📰 The Hacker News | https://thehackernews.com/2026/02/when-cloud-outages-ripple-across.html

#CyberSecurity #ThreatIntelligence #APT #Ransomware #Vulnerability #ZeroDay #RCE #SupplyChainAttack #Malware #InfoSec #IncidentResponse #CloudSecurity #ElectionSecurity #CyberPolicy #AI #DDoS

Alright team, it's been a busy 24 hours in the cyber world with significant updates on supply chain attacks, actively exploited zero-days, evolving threat actor tactics, and a few stark reminders about fundamental security hygiene. Let's dive in:

Recent Cyber Attacks & Breaches ⚠️

Notepad++, eScan, and Open VSX Hit by Supply Chain Attacks
- The popular Notepad++ text editor's update mechanism was hijacked for six months by a suspected Chinese state-sponsored group (Lotus Blossom/Billbug), redirecting select users to malicious servers to deliver custom backdoors.
- eScan Antivirus update servers were compromised, distributing multi-stage malware globally by replacing a legitimate 'Reload.exe' with a rogue, unsigned version that disabled updates and fetched further payloads.
- A supply chain attack on the Open VSX Registry saw a legitimate developer's account compromised to push malicious updates embedding the GlassWorm malware loader, designed to steal macOS credentials and crypto wallet data, notably avoiding Russian locales.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/02/notepad_plusplus_intrusion/
📰 The Hacker News | https://thehackernews.com/2026/02/notepad-official-update-mechanism-hijacked-to-deliver-malware-to-select-users.html
🤫 CyberScoop | https://cyberscoop.com/china-espionage-group-lotus-blossom-attacks-notepad/
📰 The Hacker News | https://thehackernews.com/2026/02/escan-antivirus-update-servers-compromised-to-deliver-multi-stage-malware.html
📰 The Hacker News | https://thehackernews.com/2026/02/open-vsx-supply-chain-attack-used-compromised-dev-account-to-spread-glassWorm.html

NationStates, Panera Bread, and a Belgian School Suffer Breaches
- The browser game NationStates confirmed a data breach after a player exploited an RCE vulnerability in a new feature, gaining access to the production server and copying user data including email addresses and MD5 password hashes.
- Panera Bread's data breach, attributed to the ShinyHunters extortion gang via a vishing campaign targeting Microsoft Entra SSO, impacted 5.1 million unique accounts, exposing names, phone numbers, and physical addresses.
- A high school in Antwerp, Belgium, OLV Pulhof, was hit by cybercriminals (falsely claiming to be LockBit) who attempted to extort the school for €15,000, and upon refusal, directly targeted parents for €50 per child, threatening data leaks.
- The anti-ICE alert service StopICE reported a server attack, blaming a US Customs and Border Protection agent for sending alarming text messages to users, though admins state no personal data (names, addresses, GPS) was stored or compromised.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/nationstates-confirms-data-breach-shuts-down-game-site/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/panera-bread-data-breach-impacts-51-million-accounts-not-14-million-customers/
🗞️ The Record | https://therecord.media/hackers-attempt-to-extort-parents-after-school-refuses-ransom-demand
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/02/stopice_alerts_hacked/

Vulnerabilities & Active Exploitation 💥

APT28 Actively Exploiting New Microsoft Office Zero-Day
- Russia-linked APT28 (UAC-0001/Fancy Bear) is actively abusing CVE-2026-21509, a Microsoft Office security feature bypass zero-day, targeting Ukrainian government agencies and EU organisations.
- The attack chain involves malicious DOC attachments that, when opened, initiate a WebDAV connection to download a shortcut file, leading to DLL sideloading, shellcode deployment, and persistence via COM hijacking and scheduled tasks.
- The campaign deploys the COVENANT post-exploitation framework, routing traffic through legitimate cloud storage to evade detection, with CERT-UA urging monitoring or blocking of Filen-related traffic.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/02/russialinked_apt28_microsoft_office_bug/

OpenClaw/Moltbot RCE and Database Exposure Patched
- A one-click RCE exploit chain was discovered in OpenClaw (formerly Moltbot/ClawdBot), allowing attackers to gain control by exploiting a cross-site WebSocket hijacking vulnerability due to a lack of origin header validation.
- The exploit, which takes milliseconds, could allow an attacker to retrieve authentication tokens, disable sandboxing, and execute privileged operations via node.invoke requests after a user visits a malicious webpage.
- Separately, the Moltbook social media network for AI agents, associated with OpenClaw, had its database exposed, making secret API keys freely accessible and potentially allowing attackers to post as high-profile AI agents.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/02/openclaw_security_issues/

New Threat Research on Threat Actors/Malware 🕵🏼

North Korean Labyrinth Chollima Splits into Specialised Entities
- The prolific North Korean cyber threat group Labyrinth Chollima has evolved into three distinct, coordinated entities: Golden Chollima, Pressure Chollima, and the original Labyrinth Chollima.
- Golden Chollima focuses on small-value cryptocurrency and fintech thefts in regions like the US, Europe, and South Korea, while Pressure Chollima handles high-profile financial and crypto heists, showcasing advanced technical capabilities.
- The original Labyrinth Chollima now exclusively targets malware-driven espionage against defence and manufacturing sectors, with Crowdstrike warning organisations in these sectors to be vigilant against DPRK social engineering, especially employment-themed lures and trojanised software.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/01/opensource_ai_is_a_global/

Malicious OpenClaw/Moltbot Skills Deliver NovaStealer
- Over 230 malicious "skills" (plugins) for the OpenClaw AI assistant were published on its official registry and GitHub, impersonating legitimate utilities to deliver information-stealing malware.
- The infection occurs when users follow documentation instructions to run a fake 'AuthTool,' which on macOS is a base64-encoded shell command downloading NovaStealer, and on Windows, a password-protected ZIP archive.
- NovaStealer targets a wide array of sensitive data, including cryptocurrency exchange API keys, wallet files, seed phrases, browser wallet extensions, macOS Keychain data, browser passwords, SSH keys, and cloud credentials.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/malicious-moltbot-skills-used-to-push-password-stealing-malware/

Threat Landscape & Industry Commentary 📈

Open-Source AI: A Global Security Monoculture
- Researchers warn that open-source AI deployments, particularly Ollama instances, are forming a global monoculture, with 175,108 hosts found exposed across 130 countries, largely running similar models and configurations.
- This homogeneity means a single vulnerability in how specific quantized models handle tokens could simultaneously affect a substantial portion of the exposed ecosystem, leading to widespread exploitation.
- Many exposed instances have tool-calling capabilities via API, vision capabilities, and uncensored prompt templates lacking safety guardrails, posing risks of resource hijacking, remote execution, and identity laundering if not treated as critical infrastructure with proper authentication, monitoring, and network controls.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/01/opensource_ai_is_a_global/

Infrastructure Cyberattacks Are on the Rise
- Cyberattacks on critical infrastructure are becoming more prevalent and integrated into military strategies, as seen in attempts to disrupt the Polish grid and the US-attributed power outages in Caracas during a military operation.
- The "democratisation" of attack technologies, with open-source tools like Shodan and resources like MITRE ATT&CK, has made infrastructure attacks more accessible beyond nation-state specialisation.
- While such attacks can cause short-term disruption and confusion, their effectiveness for political extortion or as singular game-changers is limited, highlighting the need for increased awareness, spending on resilience, and clear national policies on responses.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/02/energy_infrastructure_cyberattacks/

"Move Fast and Break Things" Culture Undermines Supply Chain Security
- The "move fast and break things" development culture has led to vulnerable applications and services, making supply chain attacks a primary concern, as demonstrated by incidents like Microsoft Sharepoint and Ivanti VPN exploits, and the Trust Wallet breach.
- Attackers increasingly target older applications with legacy code vulnerabilities and complex cloud platforms by compromising third-party integrations, software dependencies, and poorly managed APIs.
- To counter this, software publishers must prioritise security by adopting "zero vulnerability" goals, testing compiled binaries, and embracing transparency through Software Bills of Materials (SBOMs, MLBOMs, SaaSBOMs) to ensure secure and resilient technology.

🤫 CyberScoop | https://cyberscoop.com/move-fast-break-things-cybersecurity-supply-chain-security-op-ed/

Data Privacy & Best Practices 🔒

Booz Allen Hamilton Loses Treasury Contracts Over Data Leak
- The US Treasury Department has terminated 31 contracts with consulting firm Booz Allen Hamilton, totaling $4.8 million annually, citing the company's failure to implement adequate safeguards for sensitive taxpayer data.
- This decision follows a former BAH employee, Charles Littlejohn, pleading guilty to stealing and leaking confidential tax returns of high-profile US citizens, including Donald Trump and Elon Musk, between 2018 and 2020.
- The incident underscores the severe consequences for contractors who fail to protect sensitive government data, highlighting the critical need for robust internal security controls and data handling policies.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/01/opensource_ai_is_a_global/

McDonald's Urges Better Password Hygiene
- McDonald's Netherlands used "Change Your Password Day" to highlight poor password practices, noting that terms like "bigmac" and its leetspeak variants appear over 110,000 times in compromised password corpuses.
- The campaign, including public advertisements, warns against using easily guessable product names or simple character substitutions (e.g., Ch!ck3nMcN4gg€t$) as these are easily brute-forced by attackers.
- This serves as a reminder for all users, not just "normies," to adopt stronger password practices, such as long passphrases, randomised passwords, password managers, and multi-factor authentication, to counter widespread cybercriminal reliance on weak credentials.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/02/mcdonalds_password_advice/

Regulatory & Policy Changes 📜

Microsoft Begins NTLM Phase-Out to Kerberos
- Microsoft has initiated a three-phase plan to phase out the legacy NTLM authentication protocol in Windows environments, aiming to shift towards more secure, Kerberos-based options.
- NTLM, deprecated in June 2024 due to its susceptibility to replay, relay, and man-in-the-middle attacks, is still prevalent in enterprise environments due to legacy dependencies, posing significant security risks.
- The transition involves enhanced NTLM auditing (Phase 1, available now), addressing migration roadblocks with features like IAKerb and local KDC (Phase 2, H2 2026), and finally disabling NTLM by default in future Windows Server and client versions (Phase 3), requiring explicit re-enablement.

📰 The Hacker News | https://thehackernews.com/2026/02/microsoft-begins-ntlm-phase-out-with.html

#CyberSecurity #ThreatIntelligence #SupplyChainAttack #ZeroDay #RCE #APT #Malware #Ransomware #DataBreach #InfoSec #IncidentResponse #Vulnerability #AI #CriticalInfrastructure #PasswordSecurity #NTLM #Kerberos #Pentesting

Notepad++: Wenn das Update-Versprechen zum Trojanischen Pferd wird

https://techupdate.io/sicherheit/notepad-wenn-das-update-versprechen-zum-trojanischen-pferd-wird/50917/

#technews #cybersecurity #softwareupdate #notepad #supplychainattack

📰 Open-Source Malware Skyrockets by 75%, Sonatype's 2026 Report Warns

Sonatype's 2026 report reveals a shocking 75% surge in open-source malware, with 1.2M+ malicious packages found. AI-driven development is accelerating both innovation and risk. 📈 #SupplyChainAttack #OpenSource #DevSecOps #Malware

🔗 https://cyber.netsecops.io/articles/sonatype-2026-report-open-source-malware-surges-75-percent/?utm_source=mastodon&utm_medium=social&utm_campaign=twitter_auto