AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 02/04/2026

Notepad++ supply chain attack: Researchers reveal details, IoCs, targets

Rapid7-linked research says the Notepad++ update mechanism was hijacked in a targeted fashion, with the activity attributed to the China-linked group Lotus Blossom. The reporting emphasizes that the compromise was in the update delivery infrastructure rather than a flaw in Notepad++ itself, a reminder that "trusted" software can be turned against you upstream. The practical takeaway is to verify you are on a fixed Notepad++ version, review the published IoCs where feasible, and treat unexpected updater activity as a high-signal lead for endpoint triage.


Critical React Native Vulnerability Exploited in the Wild

This covers in-the-wild exploitation of the "Metro4Shell" issue in React Native's Metro development server, with attackers abusing exposed dev servers to achieve remote command execution. The key point is that default or careless binding to external interfaces turns dev tooling into an internet-facing attack surface. If you run React Native build or test infrastructure, the priority is to confirm Metro is not reachable from outside the host, patch or upgrade as advised, and hunt for suspicious POST activity to the dev server consistent with exploitation.
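One way to do the "is Metro exposed" check, as an added example that is not code from the original post or from the React Native project: parse the listening sockets on a build host and flag any socket on Metro's port that is bound to a wildcard or non-loopback address. It assumes Metro's default port 8081 (add any custom port you use) and that the host has `ss`; the `ss -ltn` output embedded below is constructed, not a real capture.

```python
"""Flag React Native Metro dev-server sockets bound to non-loopback addresses.

Added example, not from the original post or the Metro project. Assumptions:
Metro listens on its default port 8081 (extend METRO_PORTS for custom ports),
and the host has `ss`; the sample output below is constructed, not a capture.
"""
import ipaddress
import subprocess

METRO_PORTS = {8081}  # assumption: Metro's default port; extend if you override it

# Constructed sample of `ss -ltn` output (not a real capture): one Metro socket
# bound safely to loopback, one bound to all IPv4 interfaces, plus unrelated ones.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:8081      0.0.0.0:*
LISTEN 0      128    0.0.0.0:8081        0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      128    *:8082              *:*
"""


def parse_listeners(ss_output):
    """Return (address, port) for each LISTEN row of `ss -ltn` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # Split on the last ':' so bracketed IPv6 addresses parse correctly.
        addr, _, port = fields[3].rpartition(":")
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def is_exposed(addr):
    """True if a socket bound to `addr` accepts connections from other hosts."""
    if addr in ("*", ""):
        return True  # wildcard bind
    try:
        # 0.0.0.0 and :: are "unspecified" (all interfaces), not loopback.
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True  # unrecognised form: treat as exposed and inspect by hand


def exposed_metro_listeners(ss_output, ports=METRO_PORTS):
    """Metro-port listeners reachable from off-host, e.g. [('0.0.0.0', 8081)]."""
    return [(a, p) for a, p in parse_listeners(ss_output)
            if p in ports and is_exposed(a)]


if __name__ == "__main__":
    try:
        output = subprocess.run(["ss", "-ltn"], capture_output=True,
                                text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        output = SAMPLE_SS_OUTPUT  # no ss on this host: run against the sample
    for addr, port in exposed_metro_listeners(output):
        print(f"EXPOSED: Metro-port listener on {addr}:{port}")
```

A loopback-only bind still leaves Metro reachable by anything on the same host, so this check answers only the network-exposure question; a wildcard bind on a host with a routable address is the condition the reporting describes. Run it on every build agent and developer VM that carries a Metro install, not just on CI.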


Critical Ivanti Endpoint Manager Mobile (EPMM) zero-day exploited in the wild (CVE-2026-1281 & CVE-2026-1340)

Rapid7 reports active exploitation of a critical Ivanti EPMM issue (CVE-2026-1281), alongside a second critical flaw (CVE-2026-1340) discussed in the same advisory stream. The post focuses on what is known versus unknown about exploitation, plus remediation guidance that includes applying vendor fixes and assuming exposed instances are at heightened risk. If you run EPMM, treat this as an emergency patch and verification cycle, including checking for signs of post-exploitation and tightening external exposure where possible. 


Malicious Chrome extensions can spy on your ChatGPT chats

Researchers identified a set of malicious browser extensions that steal session tokens, enabling account hijack and access to conversation history and related metadata. The story is another example of “looks legit in the store” not being a sufficient control, especially when extensions request broad permissions. Practical actions include auditing extension inventories, removing unneeded add-ons, and using enterprise allowlisting for corporate browsers where feasible.
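The extension-inventory audit above can be partly automated. As an added example that is not code from the original post or from any browser vendor, the script below walks the manifest.json of each installed Chrome extension and flags permissions that can reach session cookies, intercept traffic, or touch every site. The list of risky permissions and the Linux Chrome profile path are assumptions to adapt to your environment; the sample manifests embedded for the offline run are constructed, not real extensions.

```python
"""Flag browser extensions whose manifests request permissions that can reach
session cookies, intercept requests, or access arbitrary page content.

Added example, not from the original post or from any browser vendor. The
risky-permission list and the Chrome profile path are assumptions; the sample
manifests below are constructed, not real extensions.
"""
import json
from pathlib import Path

# Assumption: permissions worth a second look because they expose session
# material or page content (cookie access, request interception, tab/page access).
RISKY_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking", "tabs",
                     "history", "debugger"}
# Host patterns that grant access to every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

SAMPLE_MANIFESTS = {  # constructed; keys stand in for extension IDs
    "aaaa": {"name": "Prompt Helper", "manifest_version": 3,
             "permissions": ["cookies", "storage"],
             "host_permissions": ["https://example.com/*"]},
    "bbbb": {"name": "Page Tweaker", "manifest_version": 2,
             "permissions": ["<all_urls>", "webRequest", "webRequestBlocking"]},
    "cccc": {"name": "Clock", "manifest_version": 3, "permissions": ["storage"]},
}


def risky_permissions(manifest):
    """Sorted list of the manifest's permissions that match the risky sets.

    MV2 lists host patterns under "permissions"; MV3 moves them to
    "host_permissions" (and "optional_host_permissions"), so all are checked.
    """
    declared = set(manifest.get("permissions", []))
    declared |= set(manifest.get("optional_permissions", []))
    declared |= set(manifest.get("host_permissions", []))
    declared |= set(manifest.get("optional_host_permissions", []))
    return sorted(p for p in declared
                  if p in RISKY_PERMISSIONS or p in BROAD_HOST_PATTERNS)


def audit_manifests(manifests):
    """Map extension id -> flagged permissions, omitting extensions with none."""
    result = {}
    for ext_id, manifest in manifests.items():
        flagged = risky_permissions(manifest)
        if flagged:
            result[ext_id] = flagged
    return result


def load_chrome_manifests(extensions_root):
    """Read <root>/<id>/<version>/manifest.json for every installed extension."""
    manifests = {}
    for path in Path(extensions_root).glob("*/*/manifest.json"):
        key = f"{path.parent.parent.name}@{path.parent.name}"  # id@version
        try:
            with open(path, encoding="utf-8") as fh:
                manifests[key] = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, but review it by hand
    return manifests


if __name__ == "__main__":
    # Assumption: default Chrome profile location on Linux; adjust for your OS.
    root = Path.home() / ".config" / "google-chrome" / "Default" / "Extensions"
    manifests = load_chrome_manifests(root) if root.is_dir() else SAMPLE_MANIFESTS
    for ext_id, flagged in audit_manifests(manifests).items():
        name = manifests[ext_id].get("name", "?")
        print(f"{ext_id}: {name} -> {', '.join(flagged)}")
```

A flagged permission is a lead, not a verdict: a password manager legitimately needs `cookies` and broad host access. The value is in pairing the output with your allowlist so that anything flagged and not on the list gets removed or justified, rather than sitting unnoticed because it "looked legit in the store".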


Marquis confirms data breach, points finger of blame at SonicWall firewall

Fintech vendor Marquis confirmed a ransomware incident with sensitive customer data impacted and publicly suggested a link to SonicWall firewall risk. The piece highlights the downstream damage that can follow firewall or perimeter control failures, especially for vendors serving many financial institutions. If you have dependencies on Marquis or similar providers, this is the kind of event that should trigger third-party risk follow-up, customer impact assessment, and verification of compensating controls while facts continue to emerge. 


Strengthening supply-chain security in Open VSX

Open VSX is moving toward pre-publish security checks for extensions, starting with a monitoring period before enforcement. This is a direct response to the steady stream of extension and package ecosystem abuse, where attackers rely on distribution channels more than software vulnerabilities. For teams that use VS Code compatible extensions at scale, the broader lesson is to standardize extension sources, implement allowlists, and reduce ad hoc installs that bypass governance. 
