Notepad++ Supply Chain Compromised; Patch Ivanti EPMM for Exploited Critical Flaws; OpenClaw Security Issues Continue

Don Ho, maintainer of open-source text and code editing program Notepad++, announced on February 2, 2026, that a state-sponsored threat actor had compromised the software's update supply chain for almost six months. "The exact technical mechanism remains under investigation, though the compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself." Investigation by the hosting provider suggests that the threat actor began hijacking update traffic in targeted attacks in June 2025, and the third-party shared hosting server remained compromised until a kernel and firmware update on September 2. Attacks continued until November 10, as the attackers still held credentials to internal services until December 2. Ho first disclosed updater traffic being redirected to malicious servers on December 9, adding that in Notepad++ v8.8.9, the application and updater "have been hardened to verify the signature & certificate of downloaded installers during the update process." Notepad++ facilitated communication between the hosting provider and an incident response (IR) team to implement an IR plan proposed by a consulting cybersecurity expert. Ho recommends manually downloading and installing v.8.9.1, also noting that "the Notepad++ website has been migrated to a new hosting provider with significantly stronger security practices. Within Notepad++ itself, WinGup (the updater) was enhanced in v8.8.9 to verify both the certificate and the signature of the downloaded installer. Additionally, the XML returned by the update server is now signed (XMLDSig), and the certificate & signature verification will be enforced starting with upcoming v8.9.2."

Ivanti published a security advisory on January 29, 2026, disclosing and releasing patches for two critical flaws in Endpoint Manager Mobile (EPMM) that are currently under exploitation. CVE-2026-1281 and CVE-2026-1340 both carry CVSS score 9.8, and both allow an unauthenticated attacker to achieve remote code execution through code injection. CVE-2026-1281 was added to the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog (CISA KEV) with a patch deadline of February 1, only three days from cataloging. EPMM is the only Ivanti product affected by the flaws; Ivanti Endpoint Manager (EPM) is a different product and is unaffected, and any customers using an Ivanti cloud product with Sentry are not impacted. Customers should follow Ivanti's instructions and syntax to properly apply the RPM patch script appropriate to their system: one is for versions 12.x.0.x (up to and including 12.7.0.x) and another for versions 12.x.1.x (up to and including 12.6.1.0). While the permanent fix for these flaws will be included in 12.8.0.0, in the meantime users should be aware that "the RPM script does not survive a version upgrade. If after applying the RPM script to your appliance, you upgrade to a new version you will need to reinstall the RPM." Ivanti also notes, "The most conservative approach, regardless of exploitation, would be to build a replacement EPMM and then migrate data to the device." Reliable atomic indicators of compromise are not available at the time of this writing, but Ivanti offers a regular expression for analyzing httpd log files.

The OpenClaw (formerly known as ClawdBot and MoltBot) open source AI assistant continues to face security issues, including a one-click remote code execution issue discovered by depthfirst founding security researcher Mav Levin, who writes that he chained a critical flaw discovered by depthfirst General Security Intelligence with a vulnerability he discovered into a one-click remote code execution (RCE) exploit. The vulnerability has been patched. Other security issues include the OpenClaw-related MoltBook social media network for AI agents, which was found to have its database, including secret API keys, publicly exposed. That issue has also been addressed. The very nature of the project presents its own list of security concerns, including the exposure of accounts via the AI assistant that has system control; prompt injections; misconfigurations; hallucinations; and malicious skills and integrations.

Individuals affected by a November 2024 data breach of healthcare technology company TriZetto Provider Solutions (TPS) will receive notification letters from TPS starting in February 2026. TPS is a vendor of SaaS programs and platforms that handle a wide range of data and administration for medical providers and patients, including health insurance, healthcare, and billing information. Healthcare providers in multiple US states were made aware of the breach in December 2025 and have been sending their own notifications in the meantime, per the requirement that a HIPAA-covered entity informed of a breach at a business associate must notify affected individuals within 60 days. After discovering unusual activity in one of its web portals on October 2, 2025, TPS eliminated the threat, engaged assistance from Mandiant, notified law enforcement, and began an investigation, determining that between November 2024 and October 2, 2025, an unauthorized actor accessed historical eligibility reports stored on the TPS system that contained protected health information (PHI) belonging to over 700,000 patients and policyholders. The compromised data vary by individual but may include "address, date of birth, Social Security number, health insurance member number (in some cases, Medicare beneficiary number), health insurer name, information about the primary insured or beneficiary, and other demographic health and health insurance information." At least three class-action lawsuits are being brought against TPS's parent company, Cognizant, for failures to protect personal information and to disclose the breach in a timely manner.

Two weeks ago, researchers at Morphisec "identified an active supply chain compromise affecting MicroWorld Technologies’ eScan antivirus product." The incident resulted in eScan's update infrastructure serving malicious updates. Morphisec detected the malicious update package and blocked the malicious activity on customer endpoints on January 20, 2026. The following day, Morphisec notified eScan developer MicroWorld Technologies. The Morphisec write-up includes indicators of compromise (IoCs). eScan reported that they also detected the malicious activity on January 20 and took their global update system offline for more than eight hours. The incident reportedly "resulted from unauthorized access to regional update server infrastructure."

Microsoft has announced a schedule for phasing out its New Technology LAN Manager (NTLM) authentication protocol and moving toward stronger, Kerberos-based alternatives. Because it employs weak cryptography, NTLM is vulnerable to replay and man-in-the-middle attacks. Microsoft deprecated NTLM in June 2024, meaning it is no longer updated or enhanced, although it continues to be used "in environments where modern protocols, such as Kerberos, are not feasible due to legacy dependencies, network limitations, or ingrained application logic." The three-phased plan aims to disable NTLM by default in Windows and Windows Server environments. Phase 1, enhanced NTLM auditing, is available now; it "helps ... organization[s] understand exactly where and why NTLM is still being used in [their] environment[s]." Phase 2, which will be available in the second half of 2026, will address the "top NTLM pain points." In Phase 3, NTLM will be disabled by default in the next major Windows Server and associated Windows client releases; at that point, "NTLM usage will require explicit re-enablement through new policy controls."

CERT Polska has published an Energy Sector Incident Report regarding the December 29, 2025 cyberattacks targeting the country's energy sector. The attacks are described as being "destructive in nature." The report says the attacks affected at least 30 wind and solar farms "result[ing] in a loss of communication between the facilities and distribution system operators (DSOs)" but not disrupting energy generation. The attacks also affected a large combined heat and power (CHP) plant, where the "objective of the sabotage was the irreversible destruction of data stored on devices within the organization’s internal network, achieved through the execution of the wiper malware ... [and] was preceded by a long‑term infiltration of the infrastructure and the theft of sensitive information related to the organization’s operations." The attacks also targeted a company in the manufacturing sector; CERT indicates that "the target was opportunistic in nature and not linked to the other affected organizations." The report describes the attack vectors and initial access the threat actors used, and offers a list of indicators of compromise (IoC).

Dell Technologies has released updates to address four vulnerabilities in Dell Unity, Dell UnityVSA, and Dell Unity XT. CVE-2026-21418 and CVE-2026-22277 are both high-severity OS command injection vulnerabilities that affect proprietary Dell code. The other two vulnerabilities affect third-party components: CVE-2024-47875 is a critical cross-site scripting issue in DOMPurify, and CVE-2025-0938 is a medium-severity improper input validation issue in the urllib.parse.urlsplit and urlparse Python library functions. Users are urged to update to version 5.5.3 or later of the Dell Unity Operating Environment.

The US National Institute of Standards and Technology's National Cybersecurity Center of Excellence (NIST NCCoE) has published a draft cybersecurity framework for the transportation sector. The Transit Cybersecurity Framework Community Profile notes that the transportation sector comprises "complex networks of business and operational systems, such as rail signaling, bus charging, scheduling, ticketing, and public information systems." The document "focuses on three strategic priorities: securing and managing critical assets to ensure safe and reliable operations, fostering collaboration with stakeholders and suppliers to enhance resilience and supply chain security, and continuously improving organizational processes and workforce cybersecurity awareness and capabilities." NIST is seeking feedback on the document, particularly about whether it "appropriately reflect[s] the cybersecurity challenges and priorities of the transit community." Public comment is open through February 23, 2026.

Panera Bread, Bumble, Match Group, and CrunchBase confirmed data breaches in statements to news sources during the last week of January 2026; none of the companies has filed an official report at the time of this writing. *Panera* stated that contact information had been compromised, and Troy Hunt's "Have I Been Pwned" analysis of the leaked files indicates that the breach affects approximately 5.1 million accounts; the number initially reported was 14 million, which actually represents the total number of records, not unique accounts. *Bumble* stated that an unauthorized user accessed their network using a contractor's account compromised via phishing, and that upon detection the company eliminated the access, engaged cybersecurity experts, and notified law enforcement. Bumble states that the hacker did not access the member database, member accounts, direct messages and profiles, or the app itself. *Match Group*, which owns Match.com, Tinder, Hinge, and OkCupid, is individually notifying customers whose user data were accessed in a security incident. The company terminated the unauthorized access and is investigating alongside external cybersecurity experts; "there is no indication that user login credentials, financial information, or private communications were accessed," and Match Group has stated that company Google Drive and Dropbox accounts were also unaffected. *CrunchBase* confirmed that upon detecting unauthorized access to their corporate network, the company contained the incident, engaged cybersecurity experts, and contacted federal law enforcement. "Certain documents" were exfiltrated from the corporate network, but business operations have not been affected.