

This week’s Risk Radar covers a well-executed supply chain attack, confirmation that a Microsoft Office vulnerability is now being actively exploited, and another insider incident that reinforces why fundamentals still matter.
The common thread this week is simple: attackers are exploiting the gaps between what organisations think they have under control and what’s actually deployed in the real world.
This week we saw a targeted supply chain attack involving Notepad++, a tool widely used by administrators and developers.
In this case, a state-sponsored actor compromised the infrastructure that served the update manifest files and selectively redirected users connecting from specific IP addresses to malicious downloads. Everyone else received the genuine update, and from the targeted user's perspective the update process looked entirely legitimate. That trust in the update channel is what makes supply chain attacks so effective.
Notepad++ has since rolled out mitigations, including digital signing of its update components, so that the updater can reject a manifest or download that has been tampered with.
What this means in practice:
If you don’t know what software is deployed across your environment, you can’t defend it. A software bill of materials (SBOM) isn’t a compliance exercise, it’s the starting point for understanding exposure and responding quickly when something goes wrong.
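The manifest-redirection attack above relies on the client trusting whatever the update server hands it. The example below is added here and is not Notepad++'s code or manifest format; it uses a hypothetical JSON manifest, an Ed25519 publisher key and constructed installer bytes to show why signing both the manifest and the pinned payload hash defeats the two halves of the attack: a rewritten manifest pointing at an attacker's host, and a swapped download behind a genuine manifest.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Manifest is a hypothetical update descriptor; the field names are assumptions
// for this example and are not Notepad++'s real manifest format.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
}

// SignedManifest carries the manifest bytes plus a detached Ed25519 signature
// made with the publisher's offline key.
type SignedManifest struct {
	Body      []byte
	Signature []byte
}

// VerifyManifest refuses to trust anything in the manifest until the signature
// checks out. A manifest rewritten on a compromised server to point at an
// attacker's host fails here: without the private key there is no valid signature.
func VerifyManifest(pub ed25519.PublicKey, sm SignedManifest) (*Manifest, error) {
	if !ed25519.Verify(pub, sm.Body, sm.Signature) {
		return nil, errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Body, &m); err != nil {
		return nil, fmt.Errorf("manifest malformed: %w", err)
	}
	if !strings.HasPrefix(m.URL, "https://") {
		return nil, errors.New("manifest URL is not https")
	}
	return &m, nil
}

// VerifyPayload pins the downloaded installer to the hash in the verified
// manifest, so a redirect to a different download is caught even when the
// manifest itself was genuine.
func VerifyPayload(m *Manifest, payload []byte) error {
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != strings.ToLower(m.SHA256) {
		return errors.New("payload hash does not match manifest")
	}
	return nil
}

// signManifest is the publisher side. In practice the private key stays off
// the update servers, which is exactly why compromising them is not enough.
func signManifest(priv ed25519.PrivateKey, m Manifest) SignedManifest {
	body, _ := json.Marshal(m)
	return SignedManifest{Body: body, Signature: ed25519.Sign(priv, body)}
}

// Outcome records whether each of three update attempts was accepted.
type Outcome struct {
	Legit, RedirectedManifest, SwappedPayload bool
}

// RunScenario exercises the legitimate update and two tampering attempts with
// constructed keys and installer bytes.
func RunScenario() Outcome {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	goodInstaller := []byte("constructed installer bytes")
	badInstaller := []byte("constructed malicious installer")
	goodSum := sha256.Sum256(goodInstaller)
	badSum := sha256.Sum256(badInstaller)
	good := signManifest(priv, Manifest{
		Version: "1.2.3",
		URL:     "https://updates.example.invalid/app-1.2.3.exe",
		SHA256:  hex.EncodeToString(goodSum[:]),
	})
	var o Outcome
	// 1. Untampered manifest and download.
	if m, err := VerifyManifest(pub, good); err == nil && VerifyPayload(m, goodInstaller) == nil {
		o.Legit = true
	}
	// 2. Attacker on the manifest host rewrites URL and hash, reusing the old signature.
	tampered, _ := json.Marshal(Manifest{Version: "1.2.3",
		URL: "https://attacker.example.invalid/app.exe", SHA256: hex.EncodeToString(badSum[:])})
	if _, err := VerifyManifest(pub, SignedManifest{Body: tampered, Signature: good.Signature}); err == nil {
		o.RedirectedManifest = true
	}
	// 3. Manifest intact, but the download itself is swapped in transit.
	if m, err := VerifyManifest(pub, good); err == nil && VerifyPayload(m, badInstaller) == nil {
		o.SwappedPayload = true
	}
	return o
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

The order matters: the signature is checked before a single byte of the manifest is parsed or acted on, and the payload hash is taken from the verified manifest rather than from anything the download server says about itself. Selective redirection by client IP, as in the incident above, buys the attacker nothing once the client will only install what the publisher's key has vouched for.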
The Microsoft Office vulnerability discussed in last week’s review is now being actively exploited by the Russian state-linked group APT28 (Fancy Bear).
The attack uses specially crafted Office documents and does not rely on macros, so it slips past controls that treat macro detection as the early warning signal. The pattern is familiar from ransomware intrusions that abuse Active Directory: attackers lean on trusted systems and legitimate-looking behaviour rather than obvious malware indicators to move deeper into an environment.
What this means in practice:
Critical vulnerabilities need to move to the front of the queue. Patching should be accelerated wherever possible, and where patching cannot be applied immediately, compensating controls need to be in place and verified. Assuming existing controls will catch it is not a strategy.
Coinbase disclosed another insider-related incident this week, where a contractor accessed and disclosed information relating to around 30 customers.
Coinbase has notified those affected, but the incident is another reminder that insider risk doesn’t always look malicious at first glance. It often starts with access that was too broad, lasted too long, or wasn’t being actively monitored.
What this means in practice:
Focus on the basics and keep them tight. Enforce least privilege, monitor access continuously, and use behavioural anomaly detection to spot activity that doesn’t fit normal patterns. These controls don’t just stop attackers, they limit the damage when something inevitably slips through.
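The behavioural detection called for above does not need a new tool to start with. The example below is added here and is not Coinbase's code or any real log format; it constructs access-log lines of the form `<day> <user> <action> <customer_id>`, builds each user's own baseline of distinct customer records touched per day, and flags a day that is both above an absolute floor and several times that user's normal volume, which is the shape of a contractor pulling records well beyond their usual pattern.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Finding is one day on which a user touched far more distinct customer
// records than their own history predicts.
type Finding struct {
	User     string
	Day      string
	Count    int     // distinct customers touched that day
	Baseline float64 // mean distinct customers per prior day
}

// parseAccessLog reads lines shaped "<day> <user> <action> <customer_id>"
// (a constructed format for this example) into user -> day -> set of customers.
func parseAccessLog(log string) map[string]map[string]map[string]bool {
	out := map[string]map[string]map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 4 {
			continue // skip blank or malformed lines
		}
		day, user, cust := f[0], f[1], f[3]
		if out[user] == nil {
			out[user] = map[string]map[string]bool{}
		}
		if out[user][day] == nil {
			out[user][day] = map[string]bool{}
		}
		out[user][day][cust] = true
	}
	return out
}

// DetectVolumeAnomalies flags any day where a user's distinct-customer count is
// both at least minCount and more than factor times that user's own mean over
// earlier days. A user's first day has no baseline and is never flagged, and
// the absolute floor stops a quiet user going from one record to three from
// generating noise.
func DetectVolumeAnomalies(log string, factor float64, minCount int) []Finding {
	var findings []Finding
	for user, days := range parseAccessLog(log) {
		var order []string
		for d := range days {
			order = append(order, d)
		}
		sort.Strings(order) // ISO dates sort chronologically as strings
		total := 0
		for i, d := range order {
			n := len(days[d])
			if i > 0 {
				baseline := float64(total) / float64(i)
				if n >= minCount && float64(n) > factor*baseline {
					findings = append(findings, Finding{User: user, Day: d, Count: n, Baseline: baseline})
				}
			}
			total += n
		}
	}
	sort.Slice(findings, func(a, b int) bool { return findings[a].User < findings[b].User })
	return findings
}

// SampleLog is constructed activity: two staff with steady access and a
// contractor who suddenly pulls 30 customer records in one day.
func SampleLog() string {
	var b strings.Builder
	days := []string{"2024-05-01", "2024-05-02", "2024-05-03", "2024-05-04"}
	for i, d := range days {
		// alice (two records a day) and bob (one a day): routine support work
		fmt.Fprintf(&b, "%s alice view C%d\n%s alice view C%d\n", d, 1000+i, d, 1100+i)
		fmt.Fprintf(&b, "%s bob view C%d\n", d, 2000+i)
		// contractor1: two records a day, plus a bulk pull added below on the last day
		fmt.Fprintf(&b, "%s contractor1 view C%d\n%s contractor1 view C%d\n", d, 3000+i, d, 3100+i)
	}
	for k := 0; k < 28; k++ {
		fmt.Fprintf(&b, "%s contractor1 view C%d\n", days[3], 4000+k)
	}
	return b.String()
}

func main() {
	for _, f := range DetectVolumeAnomalies(SampleLog(), 3.0, 10) {
		fmt.Printf("%s on %s touched %d customers (baseline %.1f/day)\n", f.User, f.Day, f.Count, f.Baseline)
	}
}
```

Comparing each account against its own history rather than a global threshold is the point: a support lead who legitimately handles fifty cases a day is not an anomaly, while a contractor who normally touches two and then touches thirty is. In a real deployment the same logic runs over the access logs of the system holding the customer data, with the factor and floor tuned to the role.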
None of the incidents discussed here involve new techniques or unfamiliar risks. They reflect basic controls failing under real operating conditions.
Supply chain attacks succeed when organisations don’t have clear visibility into the software they rely on. Exploits land when patching is delayed or assumptions are left untested. Insider incidents escalate when access is too broad and behaviour goes unmonitored.
These are not gaps that require new tools to fix. They require discipline and follow-through. Knowing what is deployed, prioritising what needs to be fixed first, testing recovery, and continuously reviewing access are unglamorous tasks, but they are the work that prevents small failures from turning into public incidents.
This is about tightening what already exists and making sure it holds when it matters.