Supply Chain Attacks Hit Developer Tools Hard: What the Notepad++ and VSCode Incidents Tell Us
If you thought supply chain attacks were just about big enterprise software, this week’s news should change your mind. We’re seeing attackers go after the everyday tools developers use – and they’re getting frighteningly good at it.
The most concerning story comes from the Notepad++ compromise, where Chinese state-sponsored hackers managed to hijack the popular code editor’s update mechanism for six months. Six months! That’s not a quick hit-and-run – that’s a sustained, strategic operation targeting one of the most trusted tools in a developer’s toolkit.
What makes this particularly nasty is how they pulled it off. Instead of compromising Notepad++ directly, they went after the hosting provider. It’s a classic supply chain move, and it shows these attackers understand infrastructure dependencies better than many of us would like to admit. When users checked for updates, they were redirected to malicious downloads that looked completely legitimate. That is the general weakness of any updater that trusts whatever its expected host serves: unless it checks a signature or digest pinned in the client itself, it cannot tell a hijacked download from a real release.
The Developer Ecosystem Under Fire
The Notepad++ incident isn’t isolated. We’re also seeing attackers target VS Code extensions through the Open VSX registry compromise. Here, someone hijacked a publisher account and pushed malicious versions of four established extensions to distribute GlassWorm malware. These weren’t obscure packages – they were popular extensions that developers actually use.
Then there’s the MoltBot situation, where over 230 malicious packages flooded the OpenClaw AI assistant registry in less than a week. That’s an industrial-scale poisoning campaign designed to steal passwords and other credentials.
The pattern here is clear: attackers are systematically targeting the tools and platforms developers trust. They’re not just throwing malware at random targets anymore – they’re studying our workflows and hitting us where it hurts.
Why These Attacks Work So Well
What bothers me most about these incidents is how they exploit our fundamental trust relationships. When Notepad++ says there’s an update, we install it. When a VS Code extension has been around for months with good reviews, we add it to our environment. When an AI assistant package looks legitimate, we integrate it into our workflow.
The attackers understand this psychology perfectly. They’re not trying to trick us with obvious phishing emails anymore – they’re compromising the very infrastructure we depend on to stay secure. It’s like poisoning the water supply instead of trying to slip something into individual drinks.
The six-month timeline on the Notepad++ attack is particularly telling. This wasn’t about immediate financial gain or quick data theft. This was about establishing persistent access to development environments across potentially thousands of organizations. That kind of patience and planning suggests we’re dealing with well-resourced, strategic adversaries.
Microsoft’s NTLM Move: A Bright Spot
Not all the news is doom and gloom. Microsoft’s announcement about phasing out NTLM in favor of Kerberos is exactly the kind of foundational security improvement we need to see more of. NTLM has been a security nightmare for years, particularly when it comes to relay attacks: unless signing or channel binding is enforced, the challenge-response is not tied to the server the client meant to talk to, so an attacker who can coax a client into authenticating to them can forward that authentication to another service.
The three-phase approach shows Microsoft is taking this seriously rather than just making announcements. Replacing authentication infrastructure is never simple, but it’s the kind of unglamorous work that actually makes our environments more secure in the long run.
The Scanning Activity We’re Seeing
In the same vein, the SANS report about Anthropic API scanning through Tor exit nodes reminds us that attackers are constantly probing for new attack surfaces. AI APIs are becoming critical infrastructure, and we’re already seeing reconnaissance activity targeting them. It’s a preview of where the next wave of attacks might be headed.
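The kind of check a SOC would want for this is a pass over API access logs that separates ordinary Tor users from an exit node that is clearly probing. The following is an added example, not code from SANS, Anthropic or any tool named in this post. The log lines, IP addresses, request paths and the tiny stand-in exit list are all constructed for the example; the real Tor bulk exit list is published at https://check.torproject.org/torbulkexitlist and would be loaded on a schedule instead.

```python
"""Flag API reconnaissance arriving through Tor exit nodes.

Added example, not code from any project mentioned on this page.
Assumptions (hypothetical): access logs in common log format and a local
copy of a Tor exit-node list. All data below is constructed.
"""
import re
from collections import defaultdict

# Constructed stand-in for the published Tor exit list.
TOR_EXITS = {"198.51.100.7", "203.0.113.44"}

# Constructed access-log lines (common log format). One exit node walks
# several API paths and gets rejected each time; another makes a single
# authenticated request, which on its own is not evidence of anything.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Feb/2026:09:12:01 +0000] "GET /v1/models HTTP/1.1" 401 87
198.51.100.7 - - [10/Feb/2026:09:12:02 +0000] "POST /v1/messages HTTP/1.1" 401 87
198.51.100.7 - - [10/Feb/2026:09:12:03 +0000] "GET /v1/admin HTTP/1.1" 404 52
198.51.100.7 - - [10/Feb/2026:09:12:04 +0000] "GET /.env HTTP/1.1" 404 52
192.0.2.10 - - [10/Feb/2026:09:12:05 +0000] "POST /v1/messages HTTP/1.1" 200 1412
192.0.2.10 - - [10/Feb/2026:09:12:06 +0000] "POST /v1/messages HTTP/1.1" 200 990
203.0.113.44 - - [10/Feb/2026:09:13:10 +0000] "POST /v1/messages HTTP/1.1" 200 1203
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)


def parse_line(line):
    """Parse one common-log-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_tor_probes(log_text, tor_exits, min_requests=2, min_error_ratio=0.5):
    """Group requests by source IP and report every Tor exit seen.

    An exit is labelled 'probe' when it made at least min_requests requests,
    at least min_error_ratio of them were rejected (4xx), and it touched more
    than one path. Anything else from an exit is labelled 'tor_exit' only,
    since legitimate users do route through Tor.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["ip"] in tor_exits:
            by_ip[rec["ip"]].append(rec)

    findings = []
    for ip, recs in by_ip.items():
        errors = sum(1 for r in recs if r["status"].startswith("4"))
        paths = sorted({r["path"] for r in recs})
        ratio = errors / len(recs)
        is_probe = (len(recs) >= min_requests
                    and ratio >= min_error_ratio
                    and len(paths) > 1)
        findings.append({
            "ip": ip,
            "requests": len(recs),
            "error_ratio": ratio,
            "paths": paths,
            "verdict": "probe" if is_probe else "tor_exit",
        })
    return sorted(findings, key=lambda f: f["ip"])


if __name__ == "__main__":
    for finding in find_tor_probes(SAMPLE_LOG, TOR_EXITS):
        print(finding)
```

The thresholds are deliberately conservative: a single 200 from an exit node is reported for visibility but not as a probe, while several rejected requests across distinct paths from one exit is the unauthenticated enumeration pattern worth alerting on. Tune `min_requests` and `min_error_ratio` to your own baseline of Tor traffic before wiring this to a pager.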
What We Need to Do Differently
These incidents highlight an uncomfortable truth: our security models weren’t built for the modern development ecosystem. We’ve gotten good at securing traditional enterprise applications, but the explosion of developer tools, package registries, and cloud services has created new attack surfaces faster than we can secure them.
We need to start treating developer tools with the same security rigor we apply to production systems. That means verifying updates against something pinned in the client rather than trusting whatever the download host serves, vetting extensions and packages before they land in our environments and pinning the versions we actually reviewed, and probably some uncomfortable conversations about whether we’re too trusting of our tool chains.
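Concretely, "better verification of updates" means two checks that the Notepad++ story above makes the case for: the redirect chain must stay on the vendor's own hosts, and the bytes that arrive must match a reference the client already holds. The following is an added example, not code from Notepad++ or any other project mentioned in this post. The host allowlist, the installer bytes and the pinned digest are all hypothetical; the digest pin stands in for a signature checked against a key embedded in the client, which is what a real updater should use.

```python
"""Reject an update that arrives via the wrong host or with the wrong bytes.

Added example, not code from any project named on this page.
Assumptions (all hypothetical): the updater ships with an allowlist of
download hosts and a SHA-256 digest for each release artifact, both pinned
in the client at build time rather than fetched from the update server.
"""
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed for this example: hosts the updater may fetch from.
TRUSTED_HOSTS = {"updates.example-editor.test"}

# Constructed for this example: the genuine installer and its pinned digest.
GENUINE_INSTALLER = b"genuine installer bytes"
PINNED_SHA256 = {
    "editor-8.7.1-setup.exe": hashlib.sha256(GENUINE_INSTALLER).hexdigest(),
}


def check_redirect_chain(urls):
    """Return None if every hop is HTTPS on a trusted host, else a reason.

    A hosting provider that answers the update check with a redirect to a
    server of its own choosing fails here, before any bytes are trusted.
    """
    for url in urls:
        parts = urlparse(url)
        if parts.scheme != "https":
            return f"non-HTTPS hop: {url}"
        if parts.hostname not in TRUSTED_HOSTS:
            return f"redirect left the trusted hosts: {url}"
    return None


def check_digest(filename, data):
    """Return None if data matches the pinned digest for filename, else a reason.

    This is what catches the other case: the legitimate hostname serving
    swapped bytes with the right name and size.
    """
    expected = PINNED_SHA256.get(filename)
    if expected is None:
        return f"no pinned digest for {filename}"
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time comparison of the two hex digests.
    if not hmac.compare_digest(actual, expected):
        return f"digest mismatch for {filename}"
    return None


def vet_update(redirect_chain, filename, data):
    """Return (accepted, reason). Both checks must pass for acceptance."""
    for reason in (check_redirect_chain(redirect_chain), check_digest(filename, data)):
        if reason is not None:
            return False, reason
    return True, "verified host chain and digest"


if __name__ == "__main__":
    # Constructed scenarios: a genuine release, a redirect off the vendor's
    # host, and a same-length look-alike served from the correct host.
    genuine_chain = ["https://updates.example-editor.test/8.7.1/editor-8.7.1-setup.exe"]
    hijacked_chain = genuine_chain + [
        "https://cdn.attacker.test/8.7.1/editor-8.7.1-setup.exe",
    ]
    lookalike = GENUINE_INSTALLER.replace(b"genuine", b"trojan ")
    print(vet_update(genuine_chain, "editor-8.7.1-setup.exe", GENUINE_INSTALLER))
    print(vet_update(hijacked_chain, "editor-8.7.1-setup.exe", lookalike))
    print(vet_update(genuine_chain, "editor-8.7.1-setup.exe", lookalike))
```

The property that matters is that neither reference value (the host allowlist, the digest) comes from the server that can be compromised. A digest fetched from the same host as the installer adds nothing, because whoever swapped the installer can swap the digest too; the same reasoning applies to a signature whose public key is downloaded alongside it.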
The Notepad++ attack should also make us think harder about hosting provider security. When we assess the security of a tool, we usually look at the vendor – but how often do we evaluate their hosting infrastructure? That blind spot just became a lot more expensive.