• Surgical Precision: 2026 supply chain attack news highlights a shift from mass infection to surgical targeting, where attackers like Violet Typhoon (APT31) deliver malware only to specific high-value IPs.
• Infrastructure Hijacking: Recent breaches of Notepad++ and EmEditor were not caused by code vulnerabilities but by the compromise of official hosting and distribution infrastructure.
• Extended Dwell Time: Attackers maintained access to trusted update channels for over six months (June–December 2025), bypassing traditional EDR and sandbox environments.
• Identity-Driven Vectors: New reports from February 2026 (e.g., the AgreeToSteal Outlook add-in campaign) show attackers reclaiming abandoned legitimate domains to steal over 4,000 corporate credentials.
• Proactive Defense: Organizations must move beyond static audits to Continuous Dependency Intelligence and external digital risk protection (DRP).

The 2026 Intelligence Update

The latest supply chain attack news for 2026 has sent shockwaves through the DevOps and AppSec communities. We are no longer dealing with broad, noisy spray-and-pray campaigns. Instead, the industry is witnessing the rise of the Surgical Strike — an era where your most trusted developer tools are turned against you with frighteningly high precision. These supply chain attack news events are crucial to understand for future prevention.

In just the first two weeks of February 2026, major disclosures have redefined what we consider safe. The headline event remains the dual-compromise of Notepad++ and EmEditor, where the “official source” itself became the delivery agent for state-sponsored malware. Simultaneously, researchers have identified a new AgreeToSteal campaign (Feb 11, 2026), marking the first major supply chain attack involving a malicious Microsoft Outlook add-in that successfully exfiltrated thousands of credentials via abandoned legitimate domains.

Moreover, these incidents of supply chain attack news highlight the urgency for organizations to reevaluate their security strategies.

This supply chain attack news serves as a stark warning: the traditional perimeter is dead. When an attacker can sit inside your official update server for six months without triggering an alarm, your security strategy must evolve from perimeter defense to continuous external verification.

When Trust is the Trojan Horse: Navigating the New Era of Supply Chain Attacks

For years, the golden rule of cybersecurity for end-users has been simple: “Only download software from the official source.” We’ve been told that if we avoid shady third-party sites and stick to official domains, we’re safe.

But what happens when the official source itself is compromised?

Recently, the cybersecurity world was rocked by a series of sophisticated supply chain attacks targeting tools that developers and IT professionals use every single day: Notepad++ and EmEditor. These weren’t “fake” websites; these were the real-deal official platforms delivering malicious payloads.

The Breach of the “Official” Source

In two distinct but equally chilling campaigns, an APT (Advanced Persistent Threat) group proved that even the most cautious users can be compromised through no fault of their own.

1. The Notepad++ Long Game

Between June and December 2025, a highly sophisticated actor managed to infiltrate the hosting provider used by Notepad++. They didn’t just deface a page; they maintained access for months.

The terrifying part? They weren’t giving the malware to everyone. By utilizing a “surgical” approach, the attackers delivered malicious payloads only to specific targets, likely based on IP addresses or geographic locations. This made the breach incredibly hard to detect. Users went to the correct URL, saw the correct branding, and downloaded what they thought was a routine update — only to have a trojanized version of the software installed on their systems.

As detailed in the Notepad++ official incident report, the attackers focused on the getDownloadUrl.php script, which the WinGUp updater relies on. By controlling this endpoint, they could selectively redirect specific update requests to attacker-controlled servers.

2. The EmEditor Watering Hole

Almost simultaneously, Emurasoft’s EmEditor was targeted. In this instance, the attackers modified the URL behind the “Download Now” button on the official homepage.

Users who clicked the link were redirected to a malicious .msi file. While the file had the same name and size as the original, it was signed with a certificate from a completely different firm. This allowed an infostealer — disguised as a Google Drive Caching extension — to harvest VPN configurations, browser credentials, and keystrokes from unsuspecting developers. This was confirmed in a security notice by Emurasoft.

Why Surgical is the New Scary

These incidents represent a pivot in the supply chain attack landscape. Historically, supply chain attacks like SolarWinds aimed for maximum volume. Today, the goal is stealth and high-value persistence.

By targeting tools used by system administrators and developers, attackers can gain the keys to the kingdom. If you compromise a developer’s machine, you potentially compromise every line of code they write, every server they access, and every secret they manage.

The 2026 Threat Landscape: By the Numbers

According to recent industry data from Group-IB and Intel 471, supply chain vulnerabilities now account for over 40% of all initial access vectors used by ransomware groups.

• Financial Impact: Global losses attributed to supply chain compromises are projected to hit $53.2 billion by the end of 2026.
• Dwell Time: In the Notepad++ case, the attackers remained undetected for over 180 days.
• Targeting: 64% of organizations now list geopolitically motivated supply chain attacks as their top strategic concern.

In light of recent supply chain attack news, it is crucial to reevaluate our current security measures.

Proactive Defense: Beyond Compliance to Continuous Verification

Relying on a yearly audit of your vendors is no longer sufficient. In 2026, security teams must treat software updates as a high-risk event.

1. Implement Zero Trust for Software

Never assume a binary is safe just because it came from a *.org or *.com you recognize. Every download should be subjected to automated hash verification. If the hash doesn’t match the one published (and verified) by the vendor, execution must be blocked.

2. Operationalize SBOMs

A Software Bill of Materials (SBOM) should not be a static PDF stored in a drawer. It must be a living artifact integrated into your CI/CD pipeline. Use it to track every dependency in your environment, allowing you to identify within seconds if a new “poisoned package” news alert affects your stack.

3. Monitor the External Footprint

Understanding the implications of supply chain attack news helps organizations prepare for the worst.

Attackers often use brandjacking — setting up domains like emeditor-update[.]com — to serve malware. While the Notepad++ attack was an infrastructure compromise, many supply chain attacks start with simple typosquatting. Continuous monitoring of your brand’s digital presence is essential to catch these look-alike domains before your customers do.

How Phishfort Protects the Ecosystem

At Phishfort, we’ve seen how these attacks don’t just hurt the end-user — they devastate a brand’s reputation. When your official download link is used to spread malware, the trust you’ve spent decades building can vanish in a weekend.

This is where Brand Protection becomes a vital necessity rather than a luxury.

• For Brands: Phishfort provides proactive monitoring that goes beyond simple phishing. We help brands identify when their infrastructure is being impersonated or manipulated, ensuring that your customers stay safe and your reputation remains intact.
• For Partners and End Users: Our ecosystem-wide intelligence helps detect these sophisticated campaigns early. By monitoring for unauthorized changes in digital footprints and identifying malicious indicators across the web, we act as an extra layer of defense when the official source is compromised.

The supply chain is the new frontline. While attackers are getting more surgical, Phishfort is here to ensure that the bond of trust between a brand and its users remains unbreakable.

Cybersecurity Industry FAQ: Expert Insights

Q: What is the first sign that my software supply chain has been compromised?

A: The most common early indicator is a discrepancy in binary signatures or unexpected network telemetry. For instance, in the Notepad++ incident, the updater process (GUP.exe) began spawning a custom binary (AutoUpdater.exe) that was not part of the standard installation. Monitoring for parent-child process anomalies in your developer tools is a critical first step.

Q: If I only use Big Tech vendors (Microsoft, AWS, Google), am I safe from supply chain attacks?

A: No. While these giants have massive security budgets, they are also the highest-value targets. Furthermore, even Big Tech vendors rely on thousands of smaller open-source dependencies. As seen in the recent AgreeToSteal Outlook add-in news, attackers specifically target the connectors and extensions that bridge these platforms, as they often have lower oversight than the core products.

Conclusion: Staying Ahead of the Next Headline

The recent supply chain attack news serves as a critical reminder of the vulnerabilities inherent in our systems.

The era of blind trust in official sources is over. As we navigate the complex supply chain attack news of 2026, the only path forward is a combination of technical vigilance and proactive external monitoring. Whether you are a developer tool provider or an enterprise consumer, your security now depends on how well you can see beyond your own firewall.

Stay vigilant, verify your downloads, and let’s build a safer web together.

By learning from past incidents highlighted in supply chain attack news, companies can strengthen their defenses.

Is your brand’s distribution infrastructure being monitored? Protect your reputation with Phishfort’s Takedown Services and Brand Protection.

Below is a curated list of fraudulent entities and “front” companies identified in recent Web3 cyber-espionage and theft campaigns.

List of Fake Recruitment Agencies & Front Companies (2026 update)

If you are contacted by individuals claiming to represent these entities, proceed with extreme caution:

• BlockNovas: Often targets Web3 developers with high-paying remote roles.
• Couch Chain: Known for distributing trojanized coding tests via GitHub.
• AppSaga: Frequently used in “Contagious Interview” campaigns.
• Dev-Tech / InnoQuest: Generic names used to mirror legitimate software houses.
• Symfa (Impersonated): Attackers often steal the identity of real Symfa executives to build trust.
• BitLink / Zentify: Fronts identified in credential exfiltration attacks targeting crypto wallets.

Found a suspicious agency or recruiter?

Don’t let them target someone else. If you’ve encountered a suspicious job offer or a company that belongs on this list, report it to our security team immediately for analysis and takedown. Need to report a scam? Click here to report to PhishFort.

The Anatomy of a High-Stakes Social Engineering Attack

A great example of how these “agencies” operate is the story of David Dodda, a developer who narrowly escaped a machine compromise after being targeted by a highly polished, yet entirely fake, recruitment setup.

In October 2025, software developer David Dodda shared a chilling account of how a seemingly legitimate job opportunity on LinkedIn nearly resulted in his machine being compromised by sophisticated malware. This incident highlights a growing trend in targeted attacks against developers, particularly those in blockchain and cryptocurrency spaces.

How the Scam Unfolded

Dodda was contacted via LinkedIn by an individual posing as Mykola Yanchii, “Chief Blockchain Officer” at Symfa — a company with a professional-looking profile and website. The offer was for a part-time role contributing to BestCity, described as a real estate workflow platform. By using a polished LinkedIn profile and a mirrored corporate website, the attackers bypassed initial skepticism.

This is a hallmark of many entities on the unofficial list of fake recruitment agencies: they don’t just create fake names; they steal the identities of real executives to build instant rapport. After initial discussions and a scheduled interview call, the recruiter sent a “test project”: a React/Node.js codebase hosted on Bitbucket. The repository appeared polished, complete with a detailed README and documentation, encouraging the candidate to review, fix bugs, and prepare for discussion.

Technical Breakdown: The “UserControl” Malware

Pressed for time with only 30 minutes before the call, Dodda began examining the code locally without isolating it in a sandbox. Before executing npm start, he decided to leverage AI for a quick review, prompting it with:

“Before I run this application, can you see if there is any suspicious code in this codebase? Like reading files, it shouldn’t be reading, accessing crypto wallets, etc.”

The AI quickly flagged obfuscated code in server/controllers/userController.js.

Decoding the byte array revealed a URL (hxxps://api[.]npoint[.]io/2c458612399c3b2031fb9) that fetched and executed a remote payload via new Function. Analysis on VirusTotal confirmed that the payload was designed to steal cryptocurrency wallets, sensitive files, and passwords, and to establish persistent access.

The malware relied on multi-layer obfuscation — byte arrays, async IIFE, and dynamic remote loading — to evade initial detection. It was implemented in server-side code with full Node.js privileges, poised to activate when certain routes were accessed.

Dodda was seconds away from running the application when the AI alert stopped him. The remote URL was active briefly before being taken down.

The attack utilized a multi-layer obfuscation technique:

1. Byte Array Obfuscation: The malicious URL was hidden as a series of integers.
2. Dynamic Remote Loading: Using axios and a new Function, the code fetched a remote payload that never touched the local disk until execution.
3. Privilege Escalation: Running npm start would have granted the Node.js process full access to the developer’s filesystem.

According to research by BleepingComputer , these payloads are often designed specifically to exfiltrate browser credentials and private keys from browser-based crypto wallets.

Broader Threat Landscape

This attack aligns with ongoing campaigns attributed to North Korean state-sponsored groups (e.g., Lazarus subgroups like Contagious Interview). These actors frequently impersonate recruiters for blockchain roles, using platforms like LinkedIn, Upwork, and CryptoJobsList to deliver trojanized “coding tests” on GitHub, GitLab, or Bitbucket.

Similar incidents reported in 2025 include:

• Fake companies (e.g., BlockNovas, Couch Chain) are luring developers with web3 opportunities.
• Malware variants like BeaverTail, InvisibleFerret, and others are stealing credentials and crypto assets.
• Exploitation of job market pressures to rush candidates into executing unvetted code.

Developers are prime targets: their machines often hold production credentials, SSH keys, and crypto wallets — “keys to the kingdom.”

The 2023 CoinsPaid incident — where a fake interview tricked an employee into installing malware, leading to a $37 million theft — served as an early blueprint for these evolving tactics. Developers remain high-value targets due to their access to sensitive credentials, SSH keys, and cryptocurrency wallets.

How to Build Your Own “Safe List” of Recruitment Entities

While a static list of fake recruitment agencies is a vital starting point, attackers rotate domains daily. You must supplement the list with operational pattern recognition.

Red Flags of a Fraudulent Agency:

• Domain Discrepancies: They use email addresses like hr-department@company-jobs.com instead of the official @company.com.
• Urgency Tactics: If a recruiter pressures you to run a “coding test” within 30 minutes of the first contact.
• Platform Hopping: Moving the conversation from LinkedIn or Upwork to Telegram or WhatsApp is a major warning sign.
• Unvetted Codebases: Any recruitment process that requires running a full Node.js or Python environment locally without a verifiable GitHub history of the organization.

FAQs

How can I find a list of fake recruitment agencies in crypto? While there is no single government database, security communities on X (formerly Twitter) and platforms like ScamAdviser frequently update lists of known fraudulent domains. Always cross-reference the recruiter’s name with the official company website.

Is LinkedIn safe from fake recruitment agencies? No. Threat actors frequently create high-quality fake profiles or hack legitimate ones to launch impersonation attacks. Always verify a recruiter’s identity through a second, independent channel before downloading any attachments.

Staying Ahead with PhishFort

At PhishFort, we understand that your brand’s reputation is only as secure as your team’s digital perimeter. Threat actors are no longer just attacking servers; they are attacking your people through executive impersonation and sophisticated social engineering.

Our Web Threat Defense services provide real-time monitoring of phishing domains and impersonation attempts. By neutralizing these scams at the source, we ensure that your developers and executives stay focused on building, not defending against Lazarus-grade threats.

Protect your assets and your identity. Report suspicious activity to PhishFort and stay vigilant against the next generation of Web3 threats.

The Attack Vector

The campaign begins with impersonation. Threat actors pose as legitimate professionals — venture capitalists, recruiters, journalists, or potential partners — and reach out requesting discovery meetings or investment discussions.

The lure is simple: a request to download a “custom high-security AI Video Conferencing tool” for the call. The downloaded file is actually a Remote Access Trojan (RAT).

Primary Targets

• Software developers with access to sensitive codebases
• Venture capitalists and investment professionals
• C-suite executives and founders
• Cryptocurrency holders with significant assets

The “No Sound” Psychological Tactic

The attack exploits a common frustration — technical difficulties during video calls. Here’s how it unfolds:

• The victim joins what appears to be a legitimate call interface
• Audio mysteriously fails — they can see the other “participants” but hear nothing
• “Support staff” in the chat direct users to download an “SDK Update” or “Sound Fixer”
• This download delivers the malware payload

The psychological manipulation is effective because audio issues are common and the “fix” seems reasonable.

Technical Compromise

Once executed, the RAT achieves:

• System persistence — Survives reboots and maintains access
• Credential harvesting — Captures passwords and cryptocurrency seed phrases
• Clipboard interception — Monitors for wallet addresses to redirect transactions
• Screen capture — Records sensitive information displayed on screen
• Keylogging — Captures all keystrokes including authentication codes

Indicators of Compromise

Watch for these suspicious domains impersonating legitimate video services:

• zoom-download[.]id
• zoom-meeting[.]top
• zoomov-incoming-call[.]pages[.]dev
• Any non-official domain claiming to be a video platform

Five Warning Signs

• Proprietary platforms — Requests to use custom tools instead of industry standards like Zoom, Google Meet, or Microsoft Teams
• Required downloads — Legitimate browser-based video calls don’t require software installation
• Suspicious domains — URLs that mimic but don’t match official service domains
• Artificial urgency — Pressure to quickly resolve “technical problems”
• Unsolicited outreach — Initial contact through secondary messaging platforms like Telegram or Discord

Protection Measures

Defend against these attacks by:

• Verifying identities — Confirm meeting requests through official channels
• Using established platforms — Refuse to download custom video software
• Checking domains carefully — Hover over links before clicking
• Maintaining skepticism — Question unexpected meeting requests, especially from unknown contacts
• Separating environments — Use dedicated devices for high-value cryptocurrency operations

Organizational Response

Organizations should train employees to recognize these tactics and establish verification procedures for external meeting requests. Security awareness is the first line of defense against social engineering.

PhishFort helps organizations protect against phishing and social engineering campaigns. Contact us to learn how we can help secure your team.

Bitcoin Core, the reference implementation of the Bitcoin protocol, is one of the most trusted open-source projects in the cryptocurrency ecosystem. Its reputation, however, makes it a prime target for phishing campaigns and other cyberattacks designed to exploit unsuspecting users.

Earlier this year, PhishFort identified and neutralized a phishing campaign impersonating the release of Bitcoin Core version 30.0. The attackers used fraudulent domains and spam emails to lure users into downloading malicious software disguised as a legitimate update.

The Phishing Attack: How It Worked

Fake Bitcoin Core Domains

• Attackers registered bitcoincore[.]extensionversion[.]org, designed to mimic the official Bitcoin Core site.

• The fake site imitated branding, download options, and cryptographic hash links to appear credible.

Bitcoin Core scam

Phishing Email Campaign

To drive traffic, the threat actors launched an email campaign spoofing the Bitcoin Core Team. The messages, sent from bitcoincore@projectfoundation[.]blog, announced a new version of Bitcoin Core and urged recipients to “Download Extension Here.” The phishing emails were professionally formatted, highlighting features such as Taproot support and CoinJoin compatibility, in an attempt to build legitimacy and urgency.

Technical Infrastructure

Behind the scenes, DNS records revealed the phishing infrastructure was registered via Nicenic and hosted within Vercel Infrastructure, while the sender infrastructure relied on Hostinger’s outbound mail services.

PhishFort’s Pro Bono Response

As part of our commitment to protecting open-source communities and the broader crypto ecosystem, PhishFort acted pro bono to dismantle this phishing operation.

Our takedown team coordinated directly with domain registrars and hosting providers, gathering technical evidence to demonstrate abuse. Within hours, the malicious site was taken offline and email delivery infrastructure was disabled, preventing further spread of the campaign.

By intervening quickly, we helped safeguard Bitcoin users from downloading compromised software and ensured the fraudulent domains were neutralized before they could escalate.

Risks to Users

If successful, the campaign could have had devastating consequences for Bitcoin users:

• Theft of funds: Malicious software disguised as Bitcoin Core could compromise private keys and drain wallets.

• Loss of trust: Attacks on widely respected open-source projects can erode confidence in the broader ecosystem.

• Supply chain risk: By targeting a key node implementation, attackers could disrupt participation in the Bitcoin network itself.

Given Bitcoin Core’s critical role, this type of impersonation poses not just a risk to individual users but also to the credibility of the Bitcoin ecosystem as a whole.

Protecting the Open-Source Ecosystem

This case highlights two critical truths:

• Open-source decentralized projects are prime targets for impersonation — attackers know that grassroots communities often lack dedicated brand protection resources.

• Rapid detection and takedown is essential — phishing domains can cause widespread harm in hours, not days.

At PhishFort , we believe in protecting not just commercial brands, but also the open-source foundations that underpin the internet and digital finance. That’s why we provide pro bono support to projects like Bitcoin Core when the community faces threats beyond their immediate capacity to handle.

How to Protect Yourself

Users are reminded to:

• Always download Bitcoin Core only from the official website:https://bitcoincore.org

• Verify PGP signatures and SHA256 hashes before installing software.

• Treat unsolicited emails with links to downloads as suspicious, even if they appear to come from trusted projects.

• Be aware that this campaign is not isolated — attackers are also targeting the broader Bitcoin ecosystem. Recent phishing activity has impersonated:

• Bitcoin mining companies such as Riot, Compass Mining, and Bitmain

• Bitcoin investment firms, including Fidelity, Bitwise, and Nakamoto

• Bitcoin wallets like BitBox, Bitkey, and Sparrow Wallet

• Bitcoin Implementation and infrastructure, like Bitcoinknots and Blockstream

If you interact with any of these services, always verify that you are on the official domain and never trust download or investment links received over email.

Final Thoughts

As part of our threat intelligence operations, PhishFort continues to monitor malicious file hashes associated with phishing kits and malware samples. This proactive tracking recently led us to identify activity connected to bitcoincoreapp[.]store & bitcoincore[.]versiondownload[.]org, fraudulent domains distributing malicious downloads under the guise of Bitcoin Core. Thanks to swift action, these sites have now been taken down.

In parallel, our systems continuously monitor newly registered domains that attempt to impersonate Bitcoin Core. Through this process, we uncovered bitcoincore[.]yachts, another deceptive site attempting to mislead users. This domain has also been successfully taken offline, further disrupting the phishing campaign’s infrastructure.

Phishing continues to evolve, and attackers are increasingly professional in their impersonation efforts. But as this case demonstrates, coordinated response and proactive takedowns can neutralize threats before they cause widespread harm.

PhishFort is proud to have supported the Bitcoin Core community in protecting its users and reaffirming the importance of trust in open-source ecosystems.

Take Action: Protect Your Brand from Phishing

Phishing attacks don’t just target open-source projects — they target every organization with digital assets worth protecting.

At PhishFort, we specialize in detecting, disrupting, and taking down phishing campaigns before they can harm your users or reputation.

Get in touch with our team today to learn how we can help secure your brand and protect your community.