CYBERSECURITY WEEKLY RECAP: Notepad++ Hijacked for 6 Months, ShinyHunters Escalate SaaS Extortion, Substack and Betterment Breached (Feb 1–6, 2026)
This week's biggest cybersecurity stories: Chinese state hackers hijacked Notepad++ updates for six months, ShinyHunters expand vishing-driven SaaS extortion, APT28 weaponizes a Microsoft Office patch in 48 hours, Substack exposes 700K users, Betterment breach hits 1.4M accounts, and CISA flags multiple actively exploited vulnerabilities.
Cybersecurity Weekly Recap: Feb 1–6, 2026
This was one of the most consequential weeks in cybersecurity this year. A Chinese state-sponsored group hijacked Notepad++ updates for six months. ShinyHunters launched an escalated vishing campaign targeting SaaS platforms across more than 100 organizations. Russia's APT28 reverse-engineered a Microsoft Office patch and weaponized it in 48 hours. Substack confirmed a breach exposing nearly 700,000 users. And Betterment's data breach scope ballooned to 1.4 million accounts.
Here is what happened, why it matters, and what you should do about it.
Supply chain attacks
Notepad++ Update Mechanism Hijacked by Chinese State Hackers for Six Months
The biggest supply chain story of the week. Notepad++ developer Don Ho confirmed on February 2 that state-sponsored attackers hijacked the text editor's update mechanism and selectively delivered malicious downloads to targeted users from June through December 2025.
The attackers compromised Notepad++'s shared hosting server, intercepted update traffic destined for notepad-plus-plus.org, and redirected specific users to attacker-controlled servers serving tampered installers. The attack exploited a gap in Notepad++'s updater (WinGUp), which did not verify the authenticity of downloaded files at the time.
Rapid7's investigation attributed the campaign to Lotus Blossom (APT31/Violet Typhoon), a Chinese state-sponsored espionage group. Kaspersky published additional analysis showing that over four months, the attackers constantly rotated C2 addresses, downloaders, and final payloads across three distinct infection chains. Targets included telecommunications and financial services organizations in East Asia, with security researcher Kevin Beaumont confirming "hands-on keyboard" recon activity at compromised organizations.
Notepad++ has since migrated to a new hosting provider, hardened the update process with certificate and signature verification in v8.8.9, and plans to enforce XML signature validation in v8.9.2.
The implications extend well beyond Notepad++. When legitimate update channels become attack vectors, the standard security advice to "keep software updated" creates vulnerability rather than protection.
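The check that closes the gap described above, as an added example rather than Notepad++ or WinGUp code: the publisher signs a small update manifest (version plus installer SHA-256) with an Ed25519 key, and the client verifies that signature against a public key pinned in the binary before it even looks at the installer, then checks the installer against the signed hash. The manifest layout, key handling and installer bytes are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor: the version the server offers
// and the SHA-256 of the installer it points to.
type Manifest struct {
	Version       string
	InstallerHash string // hex SHA-256 of the installer bytes
}

// canonical is the exact byte string the publisher signs; changing either
// field changes these bytes and invalidates the signature.
func (m Manifest) canonical() []byte { return []byte(m.Version + "\n" + m.InstallerHash) }

// NewManifest builds the descriptor for a given installer.
func NewManifest(version string, installer []byte) Manifest {
	sum := sha256.Sum256(installer)
	return Manifest{Version: version, InstallerHash: hex.EncodeToString(sum[:])}
}

// SignManifest runs on the publisher side, the only place the private key lives.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.canonical())
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against pinned key")
	ErrHashMismatch = errors.New("installer hash does not match signed manifest")
)

// VerifyUpdate is the client-side gate an updater must pass before executing a
// download. It trusts only the pinned key, never the host that served the files,
// so a hijacked server or redirected download cannot substitute an installer.
func VerifyUpdate(pinnedPub ed25519.PublicKey, m Manifest, sig, installer []byte) error {
	if !ed25519.Verify(pinnedPub, m.canonical(), sig) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.InstallerHash {
		return ErrHashMismatch
	}
	return nil
}

// AcceptUnverified models the weak behaviour: whatever the server returns is run,
// so a redirect to an attacker-controlled host looks identical to a real update.
func AcceptUnverified(installer []byte) error { return nil }

func main() {
	// Publisher side: one-off key generation; the public half ships pinned in the client.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	installer := []byte("constructed stand-in for the genuine installer")
	m := NewManifest("8.8.9", installer)
	sig := SignManifest(priv, m)

	fmt.Println("genuine update:    ", VerifyUpdate(pub, m, sig, installer))
	// A hijacked host can swap the installer but cannot re-sign the manifest.
	fmt.Println("swapped installer: ", VerifyUpdate(pub, m, sig, []byte("tampered")))
	forged := NewManifest("8.8.9", []byte("tampered"))
	fmt.Println("forged manifest:   ", VerifyUpdate(pub, forged, sig, []byte("tampered")))
	fmt.Println("unverified updater:", AcceptUnverified([]byte("tampered")))
}
```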
Sources: BleepingComputer, The Hacker News, Hackread, Dark Reading, TechCrunch, Help Net Security, Kaspersky Securelist
Compromised dYdX npm and PyPI Packages Discovered
Security researchers identified compromised npm and PyPI packages associated with the dYdX decentralized exchange. The malicious packages could steal credentials and sensitive data from developers who installed them, continuing the trend of open-source ecosystem poisoning.
Source: The Hacker News
341 Malicious ClaHub Repositories and Open VSX Supply Chain Attack
Researchers discovered 341 malicious ClaHub repositories and documented a separate supply chain attack targeting Open VSX, the open-source Visual Studio Code extension marketplace. Developer tool ecosystems remain a primary target for attackers seeking to compromise downstream users at scale.
Sources: The Hacker News (ClaHub), The Hacker News (Open VSX)
eScan Antivirus Update Servers Compromised
eScan antivirus update servers were found to be compromised, potentially allowing attackers to distribute malicious updates through endpoint security software. When the tools designed to protect systems become the delivery mechanism for malware, the trust model for defensive infrastructure breaks down.
Source: The Hacker News
Eclipse Foundation mandates pre-publish security checks
In a positive development for open-source security, the Eclipse Foundation announced mandatory pre-publish security checks for its ecosystem, a direct response to the escalating supply chain attack landscape.
Source: The Hacker News
Social engineering and extortion
ShinyHunters escalate vishing-driven SaaS extortion campaign
Google's Mandiant published a detailed report on February 2 tracking an expansion and escalation of ShinyHunters-branded extortion operations. Multiple threat clusters (tracked as UNC6661, UNC6671, and UNC6240) are using sophisticated voice phishing to steal SSO credentials and MFA codes, then pivoting into cloud-based SaaS environments to exfiltrate data for extortion.
The attack pattern is precise. Attackers call employees posing as IT staff, claim the company is updating MFA settings, and direct victims to credential-harvesting sites that mimic the target organization's login portal (typically formatted as [companyname]sso.com or [companyname]internal.com). Once they capture SSO credentials and MFA codes, they register their own device for MFA, giving themselves persistent access.
From there, the attackers move laterally through victim environments and target SaaS platforms including Microsoft 365, SharePoint, Slack, and OneDrive. They search specifically for documents containing terms like "confidential," "internal," "proposal," "vpn," and "salesforce," harvesting data for extortion leverage.
Mandiant documented infrastructure targeting more than 100 organizations across technology, fintech, financial services, healthcare, energy, logistics, and retail sectors. Named targets include Atlassian, Canva, Epic Games, HubSpot, Moderna, GameStop, Halliburton, Sonos, and Telstra. Confirmed victims include Panera Bread, SoundCloud, Match Group, and Crunchbase.
UNC6240 issues extortion demands using ShinyHunters branding, specifying stolen data details, a Bitcoin payment address, and a 72-hour deadline. In escalated cases, attackers harass victim personnel directly and launch DDoS attacks against victim websites.
This campaign is significant because it bypasses technical security controls entirely. The attackers exploit human trust, not software vulnerabilities. Organizations should consider implementing FIDO2 security keys, disabling SMS-based MFA, and conducting vishing-specific simulations rather than just email phishing tests.
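One detection that follows directly from the domain pattern described above, as an added example that is not from the Mandiant report: scan DNS query logs for names built from the organisation's name plus "sso" or "internal" (with or without a hyphen) that are not under one of its real domains. The organisation name "examplecorp", its allowlist and the log line format are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// The two suffixes named in the reporting; extend the list as new lures appear.
var lookalikeSuffixes = []string{"sso", "internal"}

// isAllowlisted reports whether q is one of the organisation's real domains or a
// subdomain of one. The match is label-boundary aware, so "examplecorp.com.evil.net"
// does not pass.
func isAllowlisted(q string, legit []string) bool {
	for _, d := range legit {
		if q == d || strings.HasSuffix(q, "."+d) {
			return true
		}
	}
	return false
}

// normalise lowercases a query name and strips a trailing root dot.
func normalise(q string) string { return strings.TrimSuffix(strings.ToLower(q), ".") }

// isLookalike checks the second-level label for the "<org>sso" / "<org>-internal"
// shape. Multi-part public suffixes such as .co.uk are not handled here.
func isLookalike(q, org string) bool {
	parts := strings.Split(q, ".")
	if len(parts) < 2 {
		return false
	}
	label := parts[len(parts)-2]
	if !strings.HasPrefix(label, org) {
		return false
	}
	rest := strings.TrimPrefix(strings.TrimPrefix(label, org), "-")
	for _, s := range lookalikeSuffixes {
		if rest == s {
			return true
		}
	}
	return false
}

// FindLookalikes scans DNS query log lines of the constructed form
// "<timestamp> <client-ip> <qtype> <qname>" and returns the query names that
// imitate the organisation's SSO portal.
func FindLookalikes(org string, legit []string, lines []string) []string {
	var hits []string
	for _, ln := range lines {
		f := strings.Fields(ln)
		if len(f) < 4 {
			continue
		}
		q := normalise(f[3])
		if isAllowlisted(q, legit) {
			continue
		}
		if isLookalike(q, org) {
			hits = append(hits, q)
		}
	}
	return hits
}

func main() {
	// Constructed sample log; the third and fourth lines model the lure domains.
	lines := []string{
		"2026-02-03T10:14:02Z 10.1.2.3 A sso.examplecorp.com",
		"2026-02-03T10:14:05Z 10.1.2.3 A examplecorpsso.com",
		"2026-02-03T10:14:09Z 10.1.2.7 A examplecorp-internal.com",
		"2026-02-03T10:14:11Z 10.1.2.9 A www.examplecorpinternal.com.",
		"2026-02-03T10:15:00Z 10.1.2.3 A cdn.example.net",
	}
	for _, h := range FindLookalikes("examplecorp", []string{"examplecorp.com"}, lines) {
		fmt.Println("possible SSO lookalike queried:", h)
	}
}
```

Feed the flagged names back into the proxy and e-mail gateway blocklists; a hit from a workstation shortly after an unexpected "IT support" call is the moment to invalidate that user's sessions and enrolled MFA devices.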
Sources: Dark Reading, Google Mandiant
DEAD#VAX campaign deploys AsyncRAT via fileless execution
Securonix disclosed a stealthy multi-stage malware campaign dubbed DEAD#VAX that uses phishing emails impersonating legitimate businesses. The campaign delivers IPFS-hosted virtual hard disk (VHD) files disguised as PDFs. When opened, the VHD mounts as a virtual drive, presenting a Windows Script File that initiates a chain of heavily obfuscated batch scripts, PowerShell loaders, and in-memory shellcode injection to deploy AsyncRAT into trusted Windows processes.
The campaign never drops a decrypted binary to disk, making traditional detection extremely difficult. Anti-analysis checks include virtualization detection and minimum memory thresholds. The phishing emails scored zero detections on VirusTotal at the time of analysis.
Sources: The Hacker News, Securonix
Malicious Moltbot skills push password-stealing malware
Attackers created malicious "skills" for the Moltbot platform (formerly ClawdBot) to distribute password-stealing malware. The campaign exploits the trust users place in AI coding assistant extensions.
Source: BleepingComputer
macOS users targeted by Python infostealers posing as AI installers
macOS users were targeted by infostealer malware disguised as AI tool installers, exploiting widespread interest in AI applications. Microsoft also warned about Python-based infostealers using similar social engineering tactics.
Sources: Hackread, The Hacker News
Phishing campaigns exploit cloud platforms and fake PDFs
Researchers documented phishing campaigns leveraging trusted cloud platforms to bypass reputation-based email filters, as well as a separate campaign using fake PDF lures to steal Dropbox credentials. Both campaigns rely on legitimate infrastructure to make malicious content appear trustworthy.
Sources: Hackread, Hackread (Dropbox), Dark Reading
Zendesk spam wave returns
A renewed spam wave flooded Zendesk users with fake "activate account" emails, exploiting Zendesk's account creation workflow to deliver phishing through a trusted platform.
Source: BleepingComputer
Nation-state activity
APT28 weaponizes Microsoft Office patch in 48 hours
Russia-linked APT28 (Fancy Bear) reverse-engineered Microsoft's emergency patch for CVE-2026-21509, a security feature bypass in Microsoft Office (CVSS 7.8), and deployed working exploits within 48 hours.
Microsoft disclosed the vulnerability on January 26 with a warning it was already being exploited. By January 29, Zscaler ThreatLabz observed active exploitation in a campaign named Operation Neusploit targeting Ukraine, Slovakia, and Romania with weaponized RTF files crafted in local languages.
The attack chain splits into two paths. One delivers MiniDoor, a backdoor that modifies Outlook security settings and silently forwards victims' emails. The second deploys PixyNetLoader, which establishes persistence through COM hijacking, then uses steganography to extract shellcode hidden in PNG files and run a Covenant Grunt implant entirely in memory.
Trellix documented the campaign hitting defense ministries (40% of targets), transportation and logistics operators (35%), and diplomatic entities (25%) across nine countries. Two previously unseen backdoors, BeardShell and NotDoor, were also identified. CERT-UA confirmed more than 60 Ukrainian government email addresses were targeted.
CISA added CVE-2026-21509 to its Known Exploited Vulnerabilities catalog with a February 16 patch deadline for federal agencies. Any organization running unpatched Microsoft Office is exposed to an attack that requires nothing more than opening a document.
Sources: The Hacker News, Hackread, Dark Reading, BleepingComputer, Help Net Security, The Register
Chinese Mustang Panda targets diplomats with briefing-themed lures
Chinese state-linked threat group Mustang Panda was observed conducting espionage operations targeting diplomatic personnel using briefing-themed lure documents, continuing its established pattern of targeting foreign affairs entities.
Source: Hackread
New Amaranth Dragon cyberespionage group exploits WinRAR flaw
A newly identified cyberespionage group dubbed Amaranth Dragon, linked to China-aligned activity, was observed exploiting a WinRAR vulnerability for initial access in intelligence-gathering operations.
Sources: BleepingComputer, The Hacker News
Sanctioned bulletproof host operator hijacks home routers
A sanctioned bulletproof hosting operator was found hijacking old home routers to maintain infrastructure, demonstrating how threat actors adapt to takedown efforts by exploiting consumer devices that are rarely patched or monitored.
Source: Hackread
Data breaches
Substack confirms breach exposing nearly 700,000 users
Substack CEO Chris Best sent an email to users on February 5 confirming that an unauthorized third party accessed user data including email addresses, phone numbers, and internal metadata. The company identified the issue on February 3 and traced the unauthorized access back to October 2025, meaning the breach went undetected for four months.
Three days before the official notification, a BreachForums user posted a dataset claiming to contain 662,752 scraped Substack records. Analysis by Hackread revealed that several records belonged to active publishers, with publisher agreement timestamps, newsletter handles, bios, and profile images included. Stripe platform customer IDs appeared across entries, linking Substack accounts to Stripe customer objects and increasing the sensitivity of the dataset.
Passwords and financial data were not compromised. The primary risk for affected users is targeted phishing using specific account details.
Sources: Hackread, BleepingComputer, TechCrunch, The Record, SecurityWeek
Betterment breach exposes 1.4 million accounts
The scope of the Betterment data breach became clearer when Have I Been Pwned added 1,435,174 unique records to its database on February 5. The breach originated from a social engineering attack targeting third-party marketing platforms, not Betterment's core infrastructure. The notorious ShinyHunters group claimed responsibility, alleging it gained access by voice phishing Betterment's Okta SSO codes.
Exposed data includes email addresses, names, geographic location data, and for some users, dates of birth, physical addresses, phone numbers, and device information. The attacker used compromised access to send fraudulent cryptocurrency promotion emails impersonating Betterment. CrowdStrike was engaged for the forensic investigation, which confirmed no customer accounts, passwords, or login credentials were compromised.
Sources: BleepingComputer, The Register, SecurityWeek, TechRepublic
Panera Bread breach impacts 5.1 million accounts
Panera Bread's breach was confirmed to affect 5.1 million accounts, with the revised scope reported this week.
Source: BleepingComputer
Coinbase confirms insider breach
Coinbase confirmed a breach linked to a compromised insider who leaked support tool screenshots, exposing internal tooling and potentially some customer interaction data.
Source: BleepingComputer
Iron Mountain: breach limited to marketing materials
Iron Mountain disclosed a data breach characterized as mostly limited to marketing materials. Core customer data and records management systems were not affected.
Source: BleepingComputer
Step Finance: compromised executive devices lead to $40M crypto theft
DeFi platform Step Finance disclosed that compromised executive devices led to a $40 million cryptocurrency theft, underscoring how executive account compromises can result in catastrophic losses for organizations handling digital assets.
Source: BleepingComputer
NationStates confirms breach, shuts down site
The online political simulation game NationStates confirmed a data breach and shut down its site in response.
Source: BleepingComputer
Mexican government faces leak allegations
The Mexican government faced allegations of a significant data breach, though conflicting reports leave the scope and validity unclear.
Source: Dark Reading
Vulnerabilities and exploits
CISA flags critical SolarWinds RCE as actively exploited
CISA ordered federal agencies to patch a critical remote code execution vulnerability in SolarWinds after confirming active exploitation.
Source: BleepingComputer
CISA: VMware ESXi flaw now exploited in ransomware attacks
A VMware ESXi vulnerability is being actively exploited in ransomware campaigns, allowing attackers to compromise virtualization infrastructure and encrypt entire environments.
Source: BleepingComputer
Five-year-old GitLab flaw resurfaces in active attacks
A GitLab vulnerability originally disclosed five years ago resurfaced in active attacks, prompting a CISA advisory. It is a reminder that unpatched legacy systems remain attack surfaces long after fixes are available.
Source: BleepingComputer
Ivanti issues urgent fix for critical zero-day vulnerabilities
Ivanti released emergency patches for two critical zero-day vulnerabilities in Ivanti EPMM (CVE-2026-1281 and CVE-2026-1340), which allow remote code execution without authentication.
Source: Hackread
Critical n8n flaw (CVE-2026-25049) disclosed
A critical vulnerability in n8n, the workflow automation platform, could allow remote code execution in affected environments.
Source: The Hacker News
Google Looker bugs enable cross-tenant RCE and data exfiltration
Vulnerabilities in Google Looker could enable cross-tenant remote code execution and data exfiltration, highlighting isolation failures in multi-tenant SaaS environments.
Source: Dark Reading
React2Shell and Metro4Shell exploits target web infrastructure
Attackers exploited React2Shell (CVE-2025-55182) to hijack web servers, and a separate Metro4Shell RCE flaw was also actively exploited. Both target widely deployed web frameworks.
Sources: The Hacker News (React2Shell), The Hacker News (Metro4Shell)
Wave of Citrix NetScaler scans using residential proxies
A wave of Citrix NetScaler scans using thousands of residential proxies was detected, indicating reconnaissance activity that could precede targeted exploitation.
Source: BleepingComputer
OpenClaw bug enables one-click RCE
A vulnerability in OpenClaw enables one-click remote code execution, adding to the growing list of application-level flaws being weaponized.
Source: The Hacker News
Ransomware and extortion
Romanian Oil Pipeline Operator Conpet Hit by Qilin Ransomware
Romanian oil pipeline operator Conpet disclosed a cyberattack attributed to the Qilin ransomware group. Attacks on energy infrastructure carry implications beyond data loss.
Source: BleepingComputer
Ransomware gang uses ISPsystem VMs for stealthy delivery
A ransomware group was observed using ISPsystem virtual machines as a delivery mechanism to evade detection, representing an evolution in deployment tactics.
Source: BleepingComputer
Spain's Ministry of Science shuts down systems
Spain's Ministry of Science shut down systems following breach claims, joining a growing pattern of European government entities taking aggressive containment measures.
Source: BleepingComputer
Italian University La Sapienza goes offline
La Sapienza University in Rome took systems offline following a cyberattack. European educational institutions continue to be high-value targets.
Source: BleepingComputer
CISA reveals hidden ransomware updates to KEV catalog
CISA has been adding ransomware-linked vulnerabilities to its Known Exploited Vulnerabilities catalog with less public fanfare than usual, raising questions about transparency in vulnerability disclosure.
Source: Dark Reading
Everest ransomware targets legacy Polycom systems
The Everest ransomware group was found targeting legacy Polycom video conferencing systems for data theft, exploiting aging infrastructure that organizations often overlook in their security programs.
Source: Hackread
Infrastructure, platform, and server attacks
Nginx servers compromised for traffic redirection
Attackers compromised Nginx web servers and management panels to inject traffic redirection rules, routing visitors to malicious destinations. The attacks target server configurations rather than application-layer vulnerabilities.
Source: BleepingComputer
8-Minute AWS takeover using AI
Researchers demonstrated an AI-powered attack that compromises an AWS cloud environment in approximately eight minutes. The speed highlights how AI tooling is compressing the window between initial access and full environment compromise.
Sources: Hackread, Dark Reading
Attackers use screensavers to drop malware and RMM tools
Attackers delivered malware and remote monitoring tools through screensaver files, exploiting a file format most users do not associate with executable content.
Source: Dark Reading
GlassWorm malware targets developer ecosystems
A malware campaign dubbed GlassWorm was found targeting developer ecosystems, reinforcing the trend of attacks aimed at software development environments.
Source: Dark Reading
Fake high-yield investment scams surge globally
CTM360 reported a global surge in fake high-yield investment scams designed to steal financial data and funds from victims.
Source: BleepingComputer
Microsoft and platform updates
Microsoft begins NTLM phase-out
Microsoft has begun phasing out NTLM authentication, a legacy protocol long exploited in pass-the-hash and relay attacks. Organizations should begin migrating to Kerberos and modern authentication methods.
Source: The Hacker News
Microsoft to shut down Exchange Web Services in 2027
Microsoft announced that Exchange Web Services (EWS) in its cloud environment will be discontinued by 2027. Organizations relying on EWS integrations should begin migrations to Microsoft Graph API.
Source: BleepingComputer
Microsoft rolls out native Sysmon in Windows 11
Microsoft rolled out native Sysmon monitoring capabilities in Windows 11. System-level event monitoring that was previously available only through the standalone Sysinternals tool is now accessible out of the box.
Source: BleepingComputer
Microsoft develops LLM backdoor scanner
Microsoft announced a lightweight scanner designed to detect backdoors in open-weight large language models, addressing supply chain risks in AI model distribution.
Source: The Hacker News
Microsoft fixes disappearing password sign-in option
Microsoft resolved a bug causing the password sign-in option to disappear from the login screen, an issue that caused access disruptions for affected users.
Source: BleepingComputer
Apple introduces location tracking privacy feature
Apple introduced a new privacy feature limiting location tracking on iPhones and iPads, giving users more granular control over which apps can access their location data.
Source: BleepingComputer
AI and emerging threats
Claude Opus 4.6 identifies 500 high-severity bugs
Anthropic's Claude Opus 4.6 was reported to have identified 500 high-severity vulnerabilities, highlighting the accelerating role of AI in security research.
Source: The Hacker News
AISuruki/MWolf botnet launches record attack
The AISuruki/MWolf botnet launched a record-setting attack, demonstrating the scale AI-enhanced botnets can achieve.
Source: The Hacker News
Agentic AI introduces new security risks
Dark Reading published an analysis of how agentic AI systems create new attack surfaces and trust boundaries that traditional security models do not account for.
Source: Dark Reading
Dark patterns continue to undermine security
Dark Reading published an analysis of how dark patterns in user interfaces systematically undermine security decisions, eroding trust one click at a time.
Source: Dark Reading
Law enforcement and policy
Taiwanese man gets 30 years for dark web drug market
A Taiwanese national received a 30-year prison sentence for operating a dark web drug marketplace, one of the longest sentences handed down for such operations.
Source: BleepingComputer
County pays $600K to wrongfully jailed penetration testers
A U.S. county paid $600,000 to settle with penetration testers who were wrongfully jailed during an authorized security engagement, underscoring the importance of clear scope documentation.
Source: Dark Reading
Spotify and music labels sue Anna's Archive for $13 trillion
Spotify and major music labels filed a $13 trillion lawsuit against Anna's Archive, the shadow library, in what may be one of the largest copyright claims in history.
Source: Hackread
What this week tells us
Four patterns stand out.
Supply chain trust is under systematic attack. The Notepad++ hijack, compromised npm/PyPI packages, poisoned antivirus update servers, malicious VSCode extensions, and Open VSX supply chain attacks all exploit implicit trust in legitimate software distribution. When six distinct supply chain attacks happen in a single week, the problem is structural.
Social engineering has overtaken technical exploitation as the primary entry point. The ShinyHunters vishing campaign, Betterment breach (Okta SSO voice phishing), Substack breach, and DEAD#VAX phishing campaign all trace back to human-targeted attacks. Technical controls are becoming strong enough that attackers find it easier to manipulate people. Organizations still running email phishing simulations while ignoring voice phishing are testing for the wrong threat.
Patch windows have compressed to hours. APT28 weaponized a Microsoft Office patch within 48 hours. The traditional monthly patch cycle is fundamentally incompatible with the speed of modern exploitation. Organizations that cannot deploy critical patches within days are operating with known, actively exploited vulnerabilities.
The ransomware landscape is diversifying. Attacks this week hit oil pipelines, universities, government ministries, and fintech platforms. The use of ISPsystem VMs for payload delivery and the targeting of legacy Polycom systems show operators exploring new infrastructure and attack surfaces.
For defenders, the actionable priorities this week are clear: patch CVE-2026-21509 immediately, audit Notepad++ installations for v8.8.9 or later, check your organization's exposure through Have I Been Pwned for the Substack and Betterment breaches, implement FIDO2 security keys to counter vishing attacks, and review your verification procedures for financial and data requests arriving by email or phone.
This weekly recap is compiled by SO Email Security from reporting by BleepingComputer, The Hacker News, Hackread, Dark Reading, TechCrunch, The Record, SecurityWeek, The Register, Help Net Security, Zscaler ThreatLabz, Trellix, Google Mandiant, CERT-UA, CISA, Kaspersky Securelist, Securonix, and Rapid7. All sources are attributed inline. For questions or corrections, contact us at hello@soemailsecurity.com.