# Intelligence Report
**Period:** 2026-01-26 to 2026-02-23

Suspected Chinese state-sponsored hackers compromised the Notepad++ update infrastructure for approximately six months during 2025, delivering a backdoored version of the widely used text editor to an unknown number of its tens of millions of users worldwide—a supply chain attack that multiple sources describe as more advanced than initially assessed and that has direct implications for any Swedish organization using the software [44][45][46][47][48][49]. This supply chain compromise, alongside an intensifying wave of fraud targeting Swedish financial systems and a steady drumbeat of critical vulnerabilities in enterprise software, defines the cybersecurity landscape of the past four weeks.

## Intelligence Overview

### Notepad++ Supply Chain Compromise

The most consequential disclosure of the period centers on Notepad++, the free open-source text editor used by developers and system administrators globally. On February 2, Notepad++ publicly disclosed that its upgrade distribution channel had been compromised by state-sponsored hackers [47][49]. According to reporting from Wired, Ars Technica, and the Swedish outlet Computer Sweden (IDG), suspected Chinese state-backed actors hijacked the Notepad++ update infrastructure beginning in June 2025, exploiting weaknesses in update verification in older versions to redirect update traffic and deliver a backdoored build [44][46][48]. The compromise persisted for nearly six months before detection. Field Effect's subsequent analysis indicates the operation was "more advanced than previously assessed," with updated indicators of compromise now available [45]. Validin published a detailed investigation of the command-and-control infrastructure used in the campaign [47].

This incident represents a classic supply chain attack against ubiquitous developer tooling. For Swedish organizations—particularly in the public sector and critical infrastructure where Notepad++ is commonly installed—the practical risk is that any system that received Notepad++ updates during the affected period may have been backdoored. The Computer Sweden article (rated C2 — Fairly reliable, Probably true) provides the most credible Swedish-language confirmation [46]. Organizations should review software inventories, check installed Notepad++ versions against known-compromised builds, and examine network logs for the published indicators of compromise.

### Fraud Escalation in Sweden's Financial and Insurance Sectors

A clear trend across the period is the escalation of fraud targeting Swedish financial systems, continuing a pattern noted in previous weekly reports on social engineering and banking fraud. Finansinspektionen (the Swedish Financial Supervisory Authority) reports that Swedes lost up to SEK 1.5 billion in investment fraud during the past year and has announced intensified focus on fraud and criminal economics under new Director-General Johan Almenberg, who stated: "When the banks take their responsibility, it actually makes a difference. They must continue to do so" [2]. Separately, Svensk Försäkring (Insurance Sweden) published a warning that organized crime is increasingly targeting the country's insurance system, framing insurance fraud as a threat to the entire welfare system rather than merely an industry concern [1]. Both articles carry F2 ratings (source reliability cannot be judged, information probably true), though the underlying organizations—Finansinspektionen and Svensk Försäkring—are authoritative Swedish institutions.

This aligns with the historical article from January 28 reporting that Swedish public agencies face growing AI-powered fraud, with many lacking adequate resources to counter the threat. The municipality of Kristianstad's digital safety initiative, reported in early February [Historical context], further underscores the breadth of concern. The converging picture is that fraud—spanning investment scams, insurance fraud, and AI-assisted deception—has become a systemic threat to Swedish society with financial losses measured in the billions of kronor.

### Critical Vulnerabilities in Enterprise and AI Infrastructure

Several critical vulnerabilities disclosed during the period merit attention. A critical unauthenticated SQL injection vulnerability in the EverShop e-commerce platform (versions below 2.1.1) allows attackers to inject SQL via the url_key parameter without authentication [3]. A critical authentication bypass in the Milvus vector database (versions below 2.5.27 and 2.6.0–2.6.9) exposes the REST API and a debug endpoint on port 9091, enabling unauthorized access to data and credentials [7]. Both disclosures originate from social media (F2-rated) but reference specific CVE identifiers and provide technical detail. An Ivanti security advisory was also issued by the Canadian Cyber Centre during this period [31], continuing the Ivanti exploitation trend highlighted in the previous weekly report of February 16, where a single threat actor was responsible for 83% of Ivanti Endpoint Manager Mobile exploitation [previous report].

Additionally, a moderate security update for PostgreSQL 16 was released for openSUSE Tumbleweed, addressing four vulnerabilities [8], and new OT security guidance for nuclear reactors was published by the UK's National Cyber Security Centre in partnership with CISA and the FBI [29].

### DDoS Targeting and Geopolitical Cyber Activity

A new DDoSia configuration was detected targeting predominantly German government and infrastructure websites, including municipal sites, the German Federal Ministry of the Interior (bmi.bund.de), and transit infrastructure [14]. This is consistent with the pro-Russian hacktivist group NoName057(16)'s established pattern of DDoS campaigns against European targets. While no Swedish targets appear in this specific configuration, the activity is relevant context given Sweden's NATO membership and the broader geopolitical backdrop: Russia launched attacks on Ukraine ahead of the invasion's fourth anniversary, a development confirmed by three independent sources this period.

The Italian university La Sapienza in Rome has been offline since February 2 following a cyberattack that disrupted exam booking, tuition payment systems, and faculty contact directories [39]. Separately, Italian authorities intercepted hacking attempts targeting embassies and Olympic venues as the Winter Olympics began, with security groups warning of disinformation and further cyberattack attempts [40].

### Emerging Technology and Identity Security Trends

Recorded Future published its 2026 State of Security report covering geopolitical fragmentation, state-sponsored operations, ransomware evolution, and emerging technology risk (rated C2 — Fairly reliable, Probably true) [30]. Multiple articles address the growing challenge of identity security in an era of AI-powered threats, with discussions of Active Directory defense solutions [32], single sign-on best practices [33], and predictions that agentic AI is reshaping security faster than traditional defenses can adapt [50]. The Anthropic AI bug hunting story, covered by 14 independent sources, reflects growing industry attention to AI's dual role as both a cybersecurity tool and a disruptive force.

## Key Actors

**Chinese state-sponsored threat actors** dominate the period's attribution reporting through the Notepad++ supply chain compromise. While no specific APT group name has been publicly confirmed, multiple sources reference the suspected Chinese state nexus, and Notepad++'s prior political stance regarding Uyghurs has been noted as potential context for targeting [44][45][46][48][49].

**Finansinspektionen** and **Svensk Försäkring** emerge as key institutional voices on the Swedish fraud crisis, with the former pledging regulatory action and the latter framing the issue as a societal welfare threat [1][2].

**NoName057(16)** continues its DDoS campaigns via the DDoSia tool, with a new configuration targeting German government infrastructure [14].

**Lazarus Group** (North Korean state-linked APT) features in Group-IB's research on financially motivated campaigns targeting developers through Python scripts and malware variants including CivetQ and BeaverTail [43].

**Securitas** in Sweden has called for broader background checks for employees in critical societal functions, warning that the government's current investigation focuses too narrowly on traditional criminal record extracts [23].

## Trends and Patterns

**Supply chain attacks continue to escalate.** The Notepad++ compromise is the most prominent example this period, but it follows the pattern noted in the January monthly report of "significant escalation in supply chain attacks." The six-month dwell time before disclosure underscores the difficulty of detecting sophisticated infrastructure-level compromises.

**Swedish fraud losses are quantified and rising.** Previous reports noted social engineering threats targeting banking customers and AI-powered fraud pressuring Swedish agencies. This period's reporting from Finansinspektionen adds a concrete figure—SEK 1.5 billion in investment fraud losses—and signals regulatory escalation.

**Vulnerability exploitation remains concentrated and fast.** As reported on February 16, a single IP address drove 83% of Ivanti exploitation. New Ivanti advisories this period [31] suggest the attack surface remains active. Critical vulnerabilities in AI infrastructure (Milvus) and e-commerce platforms (EverShop) indicate the expanding scope of systems requiring patch management attention.

**Geopolitical cyber operations persist against European targets.** DDoS campaigns against German infrastructure [14], the cyberattack on La Sapienza [39], and Olympic-related hacking attempts [40] form a consistent picture of European institutions under sustained cyber pressure.

**AI as a dual-use cybersecurity factor** is a strengthening theme. Anthropic's AI-driven vulnerability research (14 sources) and predictions about agentic AI reshaping security [50] indicate the technology is accelerating both offensive and defensive capabilities simultaneously.

Most source material in this period carries F2 or F3 Admiralty ratings (source reliability cannot be judged), with notable exceptions being the Computer Sweden/IDG reporting on Notepad++ (C2), Recorded Future's State of Security report (C2), and the CEPOL training announcement (D2). Assessments and recommendations should be weighted accordingly—the Notepad++ compromise has the strongest multi-source confirmation and highest practical urgency.

## Follow-up Items

- **Notepad++ supply chain compromise**: Organizations should audit installed Notepad++ versions against the compromised builds (June 2025–late 2025), review network logs for C2 indicators published by Validin [47] and Field Effect [45], and verify that current installations use the remediated update mechanism. CVE identifier not yet publicly assigned at time of reporting.
- **CVE-2026-25993** (critical unauthenticated SQL injection in EverShop <2.1.1, CWE-89): Upgrade to version 2.1.1 or later; enforce input validation on the url_key parameter [3].
- **CVE-2026-26190** (critical authentication bypass in Milvus vector database <2.5.27 and 2.6.0–2.6.9, CWE-306): REST API and /expr debug endpoint on port 9091 exposed; patch to 2.5.27 or 2.6.10 [7].
- **Ivanti security advisory AV26-113** issued February 10 by Canadian Cyber Centre [31], continuing the exploitation pattern reported February 16 involving CVE-2026-21962 and CVE-2026-24061 in Ivanti Endpoint Manager Mobile [previous report].
- **PostgreSQL 16 moderate security update** (openSUSE Tumbleweed advisory 2026-10192-1) addressing four vulnerabilities [8].
- **Recorded Future 2026 State of Security report** (C2 rating) available for download; covers state-sponsored operations, ransomware evolution, and emerging technology risk [30].
- **NCSC/CISA OT security guidance** "Secure Connectivity Principles for Operational Technology" released January 2026, with eight foundational principles for protecting operational technology networks, particularly relevant for nuclear and critical infrastructure operators [29].
- **BeyondTrust Remote Support/Privileged Remote Access vulnerability** reported February 22 as actively exploited with web shells and RATs, added to CISA KEV catalog [previous report]—organizations using BeyondTrust products should verify patching status.
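The affected-version ranges from the EverShop and Milvus follow-up items above, turned into a small inventory check that flags vulnerable installs and treats the first fixed release as out of range. This is an added example, not code from the report or from either project; the host names and versions in SAMPLE_INVENTORY are constructed sample data.

```python
"""Match installed software versions against the affected ranges listed in
the follow-up items (EverShop < 2.1.1; Milvus < 2.5.27 and 2.6.0-2.6.9)."""
from __future__ import annotations
from dataclasses import dataclass


def parse_version(v: str) -> tuple[int, ...]:
    """Turn 'v2.6.10-rc1' into (2, 6, 10); pre-release/build suffixes are dropped."""
    core = v.strip().lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split("."))


@dataclass(frozen=True)
class AffectedRange:
    low: str    # inclusive lower bound
    fixed: str  # exclusive upper bound: the first release that carries the fix


# Affected ranges exactly as given in the report's follow-up items.
ADVISORIES = {
    "CVE-2026-25993": ("evershop", [AffectedRange("0.0.0", "2.1.1")]),
    "CVE-2026-26190": ("milvus", [AffectedRange("0.0.0", "2.5.27"),
                                  AffectedRange("2.6.0", "2.6.10")]),
}


def is_affected(version: str, ranges: list[AffectedRange]) -> bool:
    """True if version falls inside any [low, fixed) range."""
    pv = parse_version(version)
    return any(parse_version(r.low) <= pv < parse_version(r.fixed) for r in ranges)


def match_inventory(inventory):
    """Return [(host, product, version, cve), ...] for every vulnerable entry."""
    hits = []
    for host, product, version in inventory:
        for cve, (prod, ranges) in ADVISORIES.items():
            if product.lower() == prod and is_affected(version, ranges):
                hits.append((host, product, version, cve))
    return hits


# Constructed sample inventory: host names and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("shop-01", "evershop", "2.0.3"),   # below 2.1.1 -> vulnerable
    ("shop-02", "evershop", "2.1.1"),   # first fixed release
    ("vec-01", "milvus", "2.5.26"),     # below 2.5.27 -> vulnerable
    ("vec-02", "milvus", "2.6.9"),      # inside 2.6.0-2.6.9 -> vulnerable
    ("vec-03", "milvus", "2.6.10"),     # first fixed 2.6.x release
    ("vec-04", "milvus", "2.5.27"),     # first fixed 2.5.x release
]

if __name__ == "__main__":
    for hit in match_inventory(SAMPLE_INVENTORY):
        print("VULNERABLE: host=%s product=%s version=%s (%s)" % hit)
```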

---

*This summary was automatically generated 2026-02-23 01:46 based on 50 priority articles, of which the 10 most prominent are:*

## Sources

[1] **Försäkringsbedrägerier hotar vår välfärd – agera nu** (Insurance fraud threatens our welfare – act now) — di.se <https://www.di.se/debatt/forsakringsbedragerier-hotar-var-valfard-agera-nu/>
[2] **Finansinspektionen ökar fokus på bedrägerier: ”Bankerna måste fortsätta satsa”** (Finansinspektionen increases its focus on fraud: "The banks must keep investing") — dn.se <https://www.dn.se/ekonomi/finansinspektionen-okar-fokus-pa-bedragerier-bankerna-maste-fortsatta-satsa/>
[3] **🚨 CVE-2026-25993 (CRITICAL): EverShop <2.1.1 allows unauthenticated SQL injectio...** — infosec.exchange <https://infosec.exchange/@offseq/116050115365469283>
[7] **🔴 CVE-2026-26190: CRITICAL auth bypass in Milvus (<2.5.27, 2.6.0-2.6.9). REST AP...** — infosec.exchange <https://infosec.exchange/@offseq/116067102205969798>
[8] **openSUSE Tumbleweed postgresql16 Moderate Security Update 2026-10192-1** — linuxsecurity.com <https://linuxsecurity.com/advisories/opensuse/postgresql16-16-12-1-1-2026-2003>
[14] **Untitled** — social.circl.lu <https://social.circl.lu/@NoName57Bot/116028074260674637>
[23] **Securitas vill se bredare bakgrundskontroller – varnar för falsk trygghet** (Securitas wants broader background checks – warns of a false sense of security) — aktuellsakerhet.se <https://www.aktuellsakerhet.se/securitas-vill-se-bredare-bakgrundskontroller-varnar-for-falsk-trygghet/>
[29] **New NCSC-Led OT Security Guidance for Nuclear Reactors** — databreachtoday.com <https://www.databreachtoday.com/blogs/new-ncsc-led-ot-security-guidance-for-nuclear-reactors-p-4044>
[30] **State of Security Report | Recorded Future** — recordedfuture.com <https://www.recordedfuture.com/research/state-of-security>
[31] **Ivanti security advisory (AV26-113)** — cyber.gc.ca <https://cyber.gc.ca/en/alerts-advisories/ivanti-security-advisory-av26-113>
