Four Flags, One Playbook: China, North Korea, Russia, and Iran All Hit the Supply Chain This Week

In the last thirty-six hours, four different nation-state threat actors — China, North Korea, Russia, and Iran — each executed a different supply chain attack against a different trusted dev-tool or software vendor. One week, four flags, one playbook. The door is developer trust of upstream. The attackers walk through it until someone closes it.

For the six months I've been writing about Pattern 38 through 52, the thesis has been the same: the weakest link in enterprise security is not the phishing email, not the unpatched CVE, not the misconfigured S3 bucket. It is the tool developers trust to install and run without reading every dependency. The supply chain is not a category of attack. It is the category.

The calendar is making the argument for me this week. Let's take them one at a time.

China, Notepad++. According to CSO Online, a Chinese APT has hijacked Notepad++ infrastructure in a sophisticated supply chain attack. Notepad++ is installed by hundreds of millions of Windows developers worldwide. If the reports hold up — and there is no reason yet to doubt them — this is in the running for the biggest software supply chain compromise since SolarWinds. The actor profile suggests a state-aligned Chinese group. The vector suggests patient, long-horizon access to build pipelines, not smash-and-grab. The same shape we saw when Mustang Panda pivoted to fake Claude installers. The same shape that lives in our feed as ClearFake at 26,987 indexed hits, IClickFix at 5,531, SmartLoader at 2,057 right now. Different targets, same architecture: weaponize the install step.

North Korea, 197 npm packages. Rescana reports that a North Korean APT has seeded 197 malicious npm packages to distribute malware tracked as OtterCookie. 197 is not a typo. It is a deliberate seeding count, consistent with the Contagious Interview campaign lineage North Korean groups have been running since at least 2023, where fake recruiter-driven developer vetting leads to running a malicious install. Node.js-based developer tooling has become a credential laundromat for DPRK hard-currency operations. Every package they publish and take down, they publish and take down again under a new author name. Our feed has 2,499 indexed hits on Sliver (the open-source C2 of choice for commodity-and-DPRK operations) right now. The distinction between "state-sponsored APT" and "organized crime using commodity tooling" is, for North Korea specifically, no distinction at all.

Russia, RU-APT-ChainReaver-L. CyberSecurityNews and cyberpress.org are both reporting that a Russian APT tracked as ChainReaver-L is running a massive cross-platform supply chain campaign that hijacks trusted websites and GitHub repos. GitHub repo hijack is the exact vector we flagged on Tuesday in the Mustang Panda piece — domains and repos with names like claude-code-app, claude-desktop-app, claude-proxy-flask serving SmartLoader and ClearFake drops. Now the same pattern with Russian tradecraft, different cover stories, and a different distribution layer. The Russian operators are better at fake-legitimate-website than fake-new-package, which tells you something about their audience: they're not going after fresh developers scanning package registries, they're going after established developers who bookmark trusted URLs and never look twice.

Iran, Lockheed Martin. SC Media is reporting that a pro-Iran hacktivist group has claimed a massive data breach at Lockheed Martin. Hacktivist claims from the Iran orbit deserve a specific skepticism caveat — the infrastructure often maps back to state-adjacent operators running hacktivist personas as cover — but the target is the target. Lockheed Martin is the largest defense contractor in the world. F-35, Javelin, PAC-3 Patriot, classified programs across the services. Even a partial data exposure is a strategic intelligence event. Iran's 2026 cyber posture has been documented by Unit 42 and Halcyon with care this month; the Handala operations against Stryker last year are in the same ecosystem. Our medical-devices vertical folder carries the Stryker / Baxter / Datavant coverage for the same reason: Iran's targeting is broader than most people track, and any prime with government-adjacent data is in scope.

Four flags in one Friday. Let me make the architectural claim out loud.

The defense industry has spent twenty years treating "supply chain attack" as an exotic subcategory of threat. It is not. It is the default architecture of the 2020s. When an attacker has the choice between phishing one developer at one company and poisoning one package that every developer installs, the economics of the operation are not close. It takes the same amount of effort to weaponize one popular npm module as to phish one target, and the yield differs by three or four orders of magnitude. The rational attacker is doing this every single day. China, North Korea, Russia, Iran — and the ones who have not been publicly named yet — are all running this math.

The defensive response has to match the threat architecture, not the marketing category. Package-registry content scanning is necessary and not sufficient. Signed build artifacts are necessary and not sufficient. SLSA / SBOM compliance is necessary and not sufficient. What closes the door is deterministic attribution of every package, every binary, every install script back to a human with a real identity and a real signature. That's a five-year project, and the industry is maybe two years in. In the meantime, every developer install is a potential pivot.

For threat intelligence operations specifically — the feeds we run, the indicators we publish, the 1.1 million IOCs in our index as of this morning — the shape of what we track has to bias toward the install step. Domain typosquats. Package authorships. Repo hijack signatures. CDN abuse for payload delivery. Trusted-site compromises. The signal is no longer "IP X is malicious." It's "domain X that looks like a dev tool is malicious, and the binary served from it phones home to IP Y that we already know about." The correlation is in the supply chain fingerprint, not the single indicator.

The 95% cap on everything I just wrote. 5% of my reading of these four reports will turn out to be wrong when the forensics land in a month. Some of the attribution will get downgraded. Some of the scale will get revised up. That's how week-one reporting works, and the honest posture is to say so.

What I will say without the cap: I have been writing this exact thesis for six months and the wire has spent this week proving the thesis four times, with four different flags, against four different targets. The pattern is not theoretical. It is not emerging. It is the steady state of the adversary architecture in 2026, and the defenders who are still treating supply chain attacks as an exceptional category are reading the wrong calendar.

Notepad++ on Monday. 197 npm packages on Tuesday. GitHub repo hijacks on Wednesday. Lockheed Martin on Thursday. My feed is already indexing the domain families, malware signatures, and C2 infrastructure each of these operations touches. The data is there, the architecture is there, and the only thing still catching up is the story everyone tells about what the actual threat looks like.

Close the door. The one that looks like every other install prompt in your terminal. It's not that one.

— Patrick

How do AI models see YOUR brand?

AIPM has audited 250+ domains. 15 seconds. Free while still in beta.

Audit your site now → aipmsec.com