What happened: Notepad++ disclosed a supply chain compromise that affected its update infrastructure. Attackers breached the update delivery mechanism and used it to distribute trojanized installers to targeted users. Multiple independent researchers believe a Chinese state-sponsored group was behind the campaign, which was active from roughly June through December 2025.
Why it matters: Software supply chains, especially update distribution mechanisms, are high-value targets for cybercriminals. Assumed trust in widely used tools can be exploited if it isn't backed by strong validation and architectural controls.
Key takeaways: Trojanized updates were identified in versions 8.8.2 through 8.8.9. Users should update to 8.9.1 or later using official sources. To prevent a similar attack, organizations should enforce strict execution controls over what software is allowed to run and monitor for unusual update behavior.
What happened: A critical WinRAR vulnerability, CVE-2025-8088, was disclosed and patched after being actively exploited as a zero-day. The flaw affects WinRAR 7.12 and earlier on Windows and allows specially crafted RAR archives to perform directory traversal, enabling attackers to write files to arbitrary locations on a victim system. By abusing alternate data streams (ADS), malicious payloads can be silently dropped into sensitive paths, leading to persistence or code execution. The vulnerability has been exploited in the wild since mid-July 2025 by both cybercriminal and state-sponsored threat actors.
Why it matters: Many systems still run vulnerable versions of WinRAR, and exploitation can occur silently with no user warning. This makes routine patching and controls that limit where software can write and execute critical defenses.
Key takeaways: Update to WinRAR 7.13 or later. Avoid extracting archives from untrusted sources, monitor sensitive directories for unexpected file writes, and enforce strong application control policies to prevent unauthorized tools or payloads from executing.
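The two techniques the advisory describes, directory traversal and ADS writes, both show up in the entry names an archive carries. The following is an added example, not code from the article or from WinRAR: a defender-side check that a safe extractor or a scanning gateway could run on each entry name before anything is written. The function names and the sample listing are constructed for illustration.

```python
import ntpath
from typing import Iterable

# Added example (not code from the article or from WinRAR): reject archive
# entry names that could escape the extraction directory or write to an
# NTFS alternate data stream. Entry names are whatever the archive parser
# yields; the check is independent of the archive format.


def is_safe_member(name: str) -> tuple[bool, str]:
    """Return (ok, reason) for one archive entry name."""
    unified = name.replace("\\", "/")  # Windows treats both as separators
    if unified.startswith("/"):
        return False, "absolute or UNC path"
    if ntpath.splitdrive(name)[0]:
        return False, "drive letter"
    parts = [p for p in unified.split("/") if p not in ("", ".")]
    if not parts:
        return False, "empty name"
    if ".." in parts:
        return False, "directory traversal"
    # Drive letters are already rejected, so any remaining ':' names an ADS,
    # e.g. "notes.txt:hidden.exe" writes into a hidden stream of notes.txt.
    if ":" in unified:
        return False, "alternate data stream"
    return True, "ok"


def triage_archive(names: Iterable[str]) -> dict[str, str]:
    """Map each unsafe entry name to the reason it was rejected."""
    rejected = {}
    for name in names:
        ok, why = is_safe_member(name)
        if not ok:
            rejected[name] = why
    return rejected


# Constructed sample listing, standing in for what an archive parser would yield.
SAMPLE_ENTRIES = [
    "report/summary.pdf",
    "../../escape.txt",
    "..\\..\\escape.dll",
    "notes.txt:hidden.exe",
    "C:\\absolute\\path.txt",
]

if __name__ == "__main__":
    for entry, why in triage_archive(SAMPLE_ENTRIES).items():
        print(f"REJECT {entry!r}: {why}")
```

The same check is a useful detection signal: an archive whose listing trips any of these rules is worth quarantining regardless of which extractor is installed.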
What's happening: From 2000 to early 2024, nearly two-thirds of documented cyberattacks in the aviation sector targeted airports directly. Furthermore, aviation saw a 600% year-over-year increase in cyberattacks in 2024 driven by ransomware, supply-chain compromise, and politically motivated disruption. Airports also depend on aging operational technology often running legacy software that's difficult to patch and poorly monitored.
Why it matters: Modern airports rely on a sprawling digital ecosystem including customer-facing apps, baggage handling systems, biometrics, IoT devices, and third-party vendors. This expanding attack surface creates blind spots that attackers increasingly exploit. Successful attacks can disrupt baggage handling, ground flights, compromise passenger data, and erode public trust.
Key takeaways: A Zero Trust approach is critical for infrastructure as complex and essential as airports. Following the Zero Trust journey of Heathrow Airport shows how strict access controls and execution policies can help reduce risk while maintaining operational resilience.
What you need to know: Law firm RumbergerKirk experienced a business email compromise when a user clicked a malicious link that led to credential theft. The malicious link was emailed to numerous employees, so the security team had a narrow window to act. The team used ThreatLocker Unified Audit to gain instant visibility into who had followed the link and used Network Control to immediately block the bad domain.
Why it matters: BEC attacks don't rely on malware; they rely on legitimate access. Once credentials are compromised, attackers blend into normal workflows. With AI enhancing the realism of phishing and social engineering attempts, employee education is not enough to prevent credential theft.
Key takeaways: Speed matters, and prevention is worth more than response. Having instant visibility gave RumbergerKirk the ability to contain the attack, limit the impact, and avoid a full-scale incident.
What you need to know: Researchers have uncovered a sophisticated adversary-in-the-middle framework dubbed DKnife operated by China-linked threat actors since at least 2019. It targets Linux-based routers and edge devices, allowing attackers to intercept and manipulate in-transit network traffic. It consists of seven modular implants designed for deep packet inspection, credential harvesting, and malware delivery.
Why it matters: Because DKnife operates at the network edge, it can compromise all devices behind the infected gateway without needing direct access to them. This makes it a stealthy espionage platform that can persist undetected for years and deliver secondary malware through trusted update paths.
Key takeaways: Assume traffic can be intercepted even when it looks legitimate. Limit what can execute even after a compromise. Monitor for behavior, not just known indicators.
TeamPCP worm exploits cloud misconfigurations
What you need to know: Researchers have identified a new self-propagating worm dubbed TeamPCP. It targets cloud environments by exploiting exposed services and misconfigurations rather than traditional software vulnerabilities. Once it gains access to a cloud workload, TeamPCP attempts to spread laterally by abusing insecure credentials, overly permissive configurations, and publicly exposed management interfaces.
Why it matters: TeamPCP highlights how cloud environments can be compromised without malware exploits or zero-days. Misconfigured services, weak identity controls, and excessive permissions allow attackers to automate discovery, persistence, and expansion across cloud assets. Because activity often uses legitimate tooling and APIs, it blends into normal operations and evades detection.
Key takeaways: Reduce exposure by limiting public-facing services and enforcing least-privilege access. Treat cloud credentials as high-risk assets and monitor for abnormal use of cloud APIs and management interfaces. Assume misconfigurations will occur and design controls that prevent abuse when they do.
What you'll love about ZTW26:
Industry-leading speakers—Adam Savage, Linus Sebastian, Jason Silva, Jakoby, David Spark + ThreatLocker leadership
In-person Cyber Hero Help Desk—real-time triage with our engineers
Professional headshot booth
Cyber Hero Exam—pass onsite & get your registration refunded
New ThreatLocker solutions
Earn up to 35 CPE credits during the three-day event.
Use code ZTWWEEKLY26 to save $200 on your registration.
Cyber Hero Frontline Issue 3 will be here before you know it. Subscribe to get the print copy sent right to your door and be notified of the digital release.