
ZeroFox Daily Intelligence Brief - February 2, 2026

by Alpha Team


ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Notepad++ Hijacked by Suspected Chinese Threat Actors
  • Law Enforcement Dismantles Illegal IPTV Networks Ahead of Milan Winter Olympics
  • U.S. Convicts Former Engineer in AI-Related Economic Espionage Case

Notepad++ Hijacked by Suspected Chinese Threat Actors

Source: https://notepad-plus-plus.org/news/hijacked-incident-info-update/

What we know: The developer of the open source code editor Notepad++ has confirmed a compromise of its update infrastructure by a suspected Chinese state-sponsored threat actor group. The developer states that the issue has been remediated.

Context: According to the developer, between June and December 2025 the attackers targeted the hosting infrastructure rather than a vulnerability within the Notepad++ codebase. The threat actors gained unauthorized access to the hosting server, enabling them to hijack traffic from notepad-plus-plus[.]org. The targeting has been described as highly selective.

Analyst note: Due to the lack of publicly available indicators of compromise (IoCs), already compromised entities are likely to have trouble detecting intrusions. Threat actors are likely to push malicious updates to Notepad++ users, which can enable network intrusion. This is likely to lead to supply chain compromise, impacting multiple developers and organizations.

Law Enforcement Dismantles Illegal IPTV Networks Ahead of Milan Winter Olympics

Source: https://www.bleepingcomputer.com/news/legal/operation-switch-off-dismantles-major-pirate-tv-streaming-services/

What we know: A Eurojust-coordinated law enforcement operation has dismantled several illegal IPTV networks and identified 31 associated individuals ahead of the Milan Winter Olympics, in an effort to curb unauthorized sports broadcasts. Police reportedly said the operation disrupted at least 250 resellers and 100,000 IPTV subscribers in Italy alone.

Context: The operation seized three major pirate IPTV services along with parts of their server infrastructure (including servers in Romania and Africa), reseller networks, and related websites and Telegram channels. Separately, U.S. authorities have seized the Bulgarian pirate sites zamunda[.]net, arenabg[.]com, and zelka[.]org.

Analyst note: With IPTV infrastructure being targeted, threat actors are likely to use similar services to create fake "live" streaming websites or apps intended to steal personal information, credentials, or financial data. It is likely that there will be an increase in new piracy and mirror sites that enable illegal platforms to quickly reappear even after a takedown.

U.S. Convicts Former Engineer in AI-Related Economic Espionage Case

Source: https://www.justice.gov/opa/pr/former-google-engineer-found-guilty-economic-espionage-and-theft-confidential-ai-technology

What we know: The United States has made its first conviction in an AI-related economic espionage case. A former employee of a major American tech giant was convicted by a U.S. court for stealing the company’s AI trade secrets and sharing them with the Chinese government.

Context: Between May 2022 and April 2023, the accused stole documents related to the tech giant’s infrastructure that enabled its supercomputing data center to train large AI models. During this period, the accused was in discussions to become the Chief Technology Officer of a China-based startup and, later on, was also building his own AI firm in China.

Analyst note: The incident is very likely to increase scrutiny of employees with connections to certain foreign countries, especially those adversarial to the United States, in technological spaces deemed important to U.S. national security. The incident likely underscores the increasing and highly damaging risk of insider threats.

DEEP AND DARK WEB INTELLIGENCE

BreachForums user freezqq: Moderately credible threat actor "freezqq" (also known as "brainkios" on DarkForums) has advertised 2,000 lines of credentials for remote desktop protocol (RDP) and virtual private network (VPN) access from various countries on the dark web forums BreachForums and DarkForums. Freezqq claimed to have collected the credentials from malware log files. The post does not specify a price. It is unlikely that all 2,000 credential records are functional, as passwords could be outdated. Personal records, if present, are likely to be more vulnerable than corporate records due to a lack of security measures.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2026-1470 and CVE-2026-0863: n8n has patched two remote code execution (RCE) vulnerabilities. CVE-2026-1470 is a critical flaw that enables authenticated users to bypass sandbox restrictions and execute arbitrary code on the underlying host. CVE-2026-0863 is a high-severity flaw that enables sandbox escape via the Python Code node. Unpatched instances are likely vulnerable to complete compromise, risking the exposure of sensitive workflows and stored credentials.

Affected products: n8n versions prior to 1.123.17, 2.4.5, and 2.5.1 (for CVE-2026-1470) and versions prior to 1.123.14, 2.3.5, and 2.4.2 (for CVE-2026-0863).

Tags: DIB, tlp:green