
Notepad++ Supply Chain Attack and React Native Metro Exploit: How Crypto Developers Are Being Targeted in February 2026

The first week of February 2026 has delivered a sobering reminder that cybercriminals and state-sponsored threat actors are increasingly targeting the software supply chain—and cryptocurrency developers are squarely in their crosshairs. Two major vulnerabilities disclosed this week, the Notepad++ supply chain compromise attributed to Chinese APT group Lotus Blossom and the critical React Native Metro server vulnerability (CVE-2025-11953), represent a new level of sophistication in attacks that could directly impact the security of crypto wallets, DeFi protocols, and blockchain applications. With Bitcoin trading at approximately $73,020 and Ethereum at $2,144 on February 4, 2026, the financial incentives for attackers have never been greater.

The Exploit Mechanics

The Notepad++ supply chain attack was disclosed on February 2, 2026, when the project maintainer revealed that state-sponsored attackers had compromised the project's update infrastructure. According to detailed analysis by Rapid7 Labs, the threat actor, attributed with moderate confidence to the Chinese APT group Lotus Blossom, redirected users downloading updates to malicious servers. The attackers delivered a previously undocumented backdoor called Chrysalis along with custom loaders, including a component named ConsoleApplication2.exe that leverages the Microsoft Warbird protection framework to conceal malicious activity. This is particularly concerning for crypto developers because Notepad++ is widely used for editing configuration files, smart contract code snippets, and wallet configuration JSON files.

Simultaneously, hackers were actively exploiting CVE-2025-11953, a critical vulnerability in the Metro server used by React Native developers. This flaw allows attackers to execute arbitrary code on developer machines by intercepting the Metro bundler's hot-reload mechanism. React Native is increasingly used in mobile crypto wallet development, making this vulnerability a direct threat to the integrity of wallet software. The attack works by injecting malicious JavaScript into the Metro bundler's communication channel, which then executes on the developer's machine with full privileges during the development cycle.

Affected Systems

The scope of affected systems is alarming. The Notepad++ compromise affects any Windows user who downloaded updates between the time of the infrastructure breach and the disclosure on February 2. Rapid7's analysis indicates that the Chrysalis backdoor was designed for long-term persistence, suggesting the attackers were seeking sustained access rather than a quick hit. For crypto organizations, this means any developer who used Notepad++ during the compromise window could have had their build environment, signing keys, or wallet seed phrases exposed.

The React Native Metro vulnerability affects all versions of the Metro bundler prior to the patch. Given that React Native is the framework behind major mobile crypto wallets including Trust Wallet, Argent, and numerous DeFi applications, the potential blast radius extends to millions of end users. Any wallet application built on a compromised development machine could contain backdoored code, transaction interception logic, or weakened cryptographic implementations.

Additionally, the cybersecurity landscape on February 4 included disclosures about Google Looker vulnerabilities allowing total system takeover, SolarWinds Web Help Desk RCE being actively exploited, and an AI toy device exposing children's data, painting a picture of systemic vulnerability across the software ecosystem.

The Mitigation Strategy

Organizations and individual developers should take immediate action across several fronts. First, audit your development environment: if Notepad++ was installed on any machine used for crypto development, immediately isolate that machine, rotate all credentials that may have been accessible, and perform a full forensic analysis. Replace Notepad++ with alternatives like VS Code with verified extensions or Sublime Text while the supply chain integrity is being verified.

For React Native developers, immediately update the Metro bundler to the latest patched version. Review your dependency tree for any packages that may have been served from a compromised cache. Implement reproducible builds so that any tampering in the development pipeline can be detected by comparing build outputs against known-good hashes.

At the organizational level, implement software bill of materials (SBOM) tracking for all development tools, not just production dependencies. Use hardware security keys for all developer authentication and code signing. Deploy endpoint detection and response (EDR) solutions configured to monitor for the indicators of compromise associated with Chrysalis and the Metro exploit payloads.

Lessons Learned

The convergence of these two supply chain attacks in a single week underscores a fundamental shift in the threat landscape. Attackers have realized that targeting the tools developers trust is often more effective than attacking the final product directly. For the crypto industry, where a single compromised private key or backdoored wallet can result in millions of dollars in losses, this lesson is particularly urgent. The notion that if you cannot trust your editor, you cannot trust your code has moved from theoretical concern to practical reality.

The Notepad++ attack also highlights that open-source projects with limited security budgets remain attractive targets. The crypto community should consider directing more resources toward securing the development toolchain—not just auditing smart contracts, but auditing the tools used to write them.

User Action Required

All crypto developers should take the following steps immediately: update all development tools to their latest versions, verify the integrity of installed software using checksums or signatures where available, review recent Git history on all repositories for unauthorized changes, rotate any credentials or API keys that were accessible from potentially compromised machines, and implement multi-factor authentication on all development accounts. Users of crypto wallets should verify they are running the latest versions and monitor official channels for any security advisories related to these supply chain compromises.

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always consult with qualified security professionals for your specific situation.


10 thoughts on “Notepad++ Supply Chain Attack and React Native Metro Exploit: How Crypto Developers Are Being Targeted in February 2026”

  1. exploit_ferret_

    Lotus Blossom going after Notepad++ update infra is next level. they literally intercepted the download channel and nobody noticed for days

    1. for anyone building on React Native: the Metro server was accepting connections from any origin on localhost. update your configs people

      1. the localhost CORS issue on Metro has been around forever. React Native team documented it as a known limitation. problem is most devs never change defaults

  2. BTC at $73K and ETH at $2,144 while supply chain attacks specifically target wallet devs. the financial incentive to compromise dev tooling is massive now

  3. The Rapid7 analysis is worth reading in full. The Chrysalis backdoor they delivered had specific modules for harvesting wallet seed phrases from clipboard. This was targeted at crypto users.

    1. clipboard harvesting is particularly nasty because most crypto users copy paste addresses and seeds without thinking. chrysalis was built for one purpose

    2. chrysalis harvesting seed phrases from clipboard is terrifying. wonder how many people got drained before it was caught

    3. Renata S. the Chrysalis clipboard module was specifically targeting 12 and 24 word seed formats. whoever built it knew exactly what to harvest

  4. Lotus Blossom compromising the Notepad++ update binary is textbook supply chain. devs sign binaries but if the download server is hijacked signatures don't help

  5. CVE-2025-11953 on Metro accepting any origin is the kind of bug that lives for years because localhost feels safe. default configs kill
