Apt

The recent Notepad++ supply chain compromise shows how even widely trusted, open-source tools become vectors for state-sponsored espionage when their distribution infrastructure falls into the wrong hands. This was a surgical, six-month operation that bypassed traditional code security controls by exploiting the update mechanism. What Happened and Where the SDLC Failed In 2025, Notepad++, a widely used open-source text editor, suffered a sophisticated supply chain attack. Chinese state-sponsored threat actors compromised the shared hosting provider in June, gaining control of the update distribution system. Even after losing direct server access in September following a kernel update, attackers maintained persistence through stolen credentials until December 2. The fixed version 8.8.9 with hardened update verification was released on December 9. ...