The Seam in Cybersecurity Defenses That Nation-States Keep Exploiting
There is a gap in enterprise security that the industry has been talking around for years without naming it directly. It sits between two disciplines that most organizations treat as separate: vulnerability management and detection and response. Vulnerability management asks: what is known to be broken? Detection and response asks: what is known to be malicious? Between those two questions is a seam where sophisticated adversaries can operate for months without being seen.

The Notepad++ supply chain compromise, disclosed in early February 2026, is the latest example. But it is not the first, and it will not be the last. SolarWinds lived in that same seam for 14 months. The 3CX breach exploited it. So did Codecov. Nation-states and advanced threat actors are not stumbling into this gap by accident. They are studying our defenses and targeting the one place where neither our vulnerability scanners nor our detection tools are watching.

Two Disciplines, one Blind Spot

The cybersecurity industry has spent two decades building excellent tools for vulnerability management and detection and response. The problem is what falls between them. A vulnerability scanner can only identify software weaknesses tied to a CVE. A detection tool can only flag behavior that looks overtly malicious. Supply chain attacks are specifically designed to be neither: there is no CVE because the source code is clean, and the initial compromise looks like normal software behavior because it rides on top of a legitimate, trusted process.

Neither discipline is asking the question that actually matters: is this software behaving as it should? That is a runtime behavior question. It requires understanding what software normally does as it runs and alerting when it deviates. Right now, almost nobody is considering that layer.

Notepad++ as a Case Study

The Notepad++ incident illustrates the seam almost perfectly.
Between June and December 2025, threat actors from the Lotus Blossom group compromised the shared hosting provider that served Notepad++’s update infrastructure. They did not touch the source code. They hijacked the update mechanism at the hosting layer, selectively redirecting targeted users to malicious payloads.

Consider what each side of the seam could see. A vulnerability scanner would have found nothing actionable. There was no CVE during the attack because the code itself was not vulnerable. The exploitable condition was that the updater did not verify signatures on downloaded installers, a process weakness that no scanner is designed to detect.

An EDR platform would not have flagged the initial compromise either. A trusted process, the legitimate Notepad++ updater, made a network request to the legitimate Notepad++ domain. The response was intercepted at the hosting layer and redirected to a malicious payload. To the EDR, it looked like a software update. Expected behavior. No alert.

By the time the attack reached a stage where detection tools might engage, the attackers had already achieved code execution, and the attackers knew this. They rotated their entire infection chain monthly to avoid building up the detectable patterns that the detection and response (D&R) stack relies on. Six months of dwell time. Not because the defenders lacked tools, but because the tools they had were not designed to catch an attack that lives in the space between a known vulnerability and a known indicator of compromise.

A Pattern, not an Anomaly

Every major supply chain attack from the past five years fits this pattern. SolarWinds compromised a build process, not source code, and the malicious update was signed with the legitimate SolarWinds certificate. No CVE at the point of compromise. No detection trigger until months later. The 3CX breach came through a compromised upstream dependency, again with no CVE and behavior that looked like a normal update.
The Codecov incident involved tampering with a CI/CD script that was trusted by thousands of organizations. In every case, the attackers operated inside the same seam.

The Notepad++ attack was attributed to Chinese state-sponsored actors, and the targeting pattern supports that assessment. But the playbook is not unique to any nation-state. Russia used the same approach with SolarWinds. Every sophisticated adversary has identified the software supply chain as the highest-leverage attack surface in enterprise security, and they all understand that the gap between vulnerability management and detection is where they face the least resistance.

This is not going to slow down. As AI accelerates the creation of internal tools and custom software that will never receive a CVE, the universe of software that lives entirely outside vulnerability management’s field of view is growing. The seam is getting wider.

Closing the Gap

Closing this seam requires a layer of visibility that most organizations do not have today: runtime behavioral monitoring of software in production. Not scanning for known vulnerabilities. Not waiting for malicious indicators. Watching what software actually does and flagging when it deviates from expected behavior.

In practice, this means understanding which processes make which network connections, what child processes they spawn, which libraries they load and whether any of that has changed. It means knowing whether the software on your endpoints is signed, whether certificates are current and whether update mechanisms verify integrity before executing what they download. It means baselining software behavior across your environment so that when a handful of endpoints start acting differently from the rest, you know about it within hours rather than months.

None of these are hypothetical capabilities. The telemetry exists.
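As an added illustration of the fleet-wide baselining described above (example code written for this page, not from the article or any vendor product; the host names, process names and addresses are constructed), the script below profiles what an updater and its installer normally do across endpoints and flags the one endpoint whose installer started a shell that connected somewhere the rest of the fleet never does:

```python
"""Fleet-wide behavioral baseline for a self-updating application (constructed
example). Behavior most endpoints share is the baseline; behavior seen on only
a minority of the endpoints running that process is flagged for triage."""
from collections import defaultdict

# Constructed telemetry tuples: (endpoint, process, event_type, value).
EVENTS = []
for host in ("host-01", "host-02", "host-03", "host-04"):
    EVENTS += [
        (host, "updater.exe", "net_connect", "updates.example.test:443"),
        (host, "updater.exe", "child_process", "installer.exe"),
        (host, "installer.exe", "image_load", "setup.dll"),
    ]
# host-05: same updater, same vendor domain, but the installer it ran
# spawned a shell that reached out to an unrelated address.
EVENTS += [
    ("host-05", "updater.exe", "net_connect", "updates.example.test:443"),
    ("host-05", "updater.exe", "child_process", "installer.exe"),
    ("host-05", "installer.exe", "image_load", "setup.dll"),
    ("host-05", "installer.exe", "child_process", "cmd.exe"),
    ("host-05", "cmd.exe", "net_connect", "203.0.113.9:8443"),
]


def build_profile(events):
    """Return which endpoints showed each (process, event_type, value) and
    which endpoints ran each process at all."""
    seen, hosts_per_process = defaultdict(set), defaultdict(set)
    for host, proc, etype, value in events:
        seen[(proc, etype, value)].add(host)
        hosts_per_process[proc].add(host)
    return seen, hosts_per_process


def find_deviations(events, min_share=0.5, min_population=2):
    """Flag behaviors present on fewer than min_share of the endpoints that
    run the process. A process on fewer than min_population endpoints has
    no fleet baseline, so its behaviors are reported as such instead."""
    seen, hosts_per_process = build_profile(events)
    findings = []
    for (proc, etype, value), hosts in sorted(seen.items()):
        population = hosts_per_process[proc]
        if len(population) < min_population:
            findings.append((proc, etype, value, sorted(hosts), "no baseline"))
            continue
        share = len(hosts) / len(population)
        if share < min_share:
            findings.append((proc, etype, value, sorted(hosts), f"{share:.0%} of fleet"))
    return findings
```

Note that the updater's own connection to the vendor domain is never flagged: it is identical on every endpoint, which is exactly why a scanner or an EDR sees nothing, and why the deviation has to be caught one step later, in the child process and its outbound connection.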
The challenge is that the cybersecurity industry has organized itself around two distinct disciplines, vulnerability management and detection and response, and built tool chains optimized for each. The behavioral layer between them has been nobody’s job.

Developer machines are a good example of where this hits the hardest, because the people using them legitimately need broad access, which makes any compromise high-impact. But the same gap applies to any software that updates itself, loads plugins or connects to external infrastructure, which, at this point, is most of it.

What Comes Next

The Notepad++ compromise is not an outlier. It is a preview. The defenses the industry has built over the past two decades are good at what they were designed to do. However, they were not designed for attacks that carry no CVE and look like legitimate software behavior until it is too late. The seam between vulnerability management and detection has been an open secret in security for years. Until we close that gap, adversaries will keep operating inside it.
