Chinese Hackers Hijacked Notepad++ Updates for 6 Months — Millions Got Backdoored


Your favorite text editor was secretly a government spy. Auto-updates delivered malware instead of patches.



🎁 What You Walk Away With

Check if you’re infected in 30 seconds. Clean your system. Then flip this paranoia into money with 6 side hustles that work THIS WEEK.


🧠 Why This Matters

  • 100M+ downloads. If you use Notepad++, you might be compromised.
  • 💀 6 months of silent backdoor access before anyone noticed.
  • Supply chain attacks bypass antivirus — your “trusted” apps are the threat now.

📰 What Actually Happened

The attack: Chinese APT41 got into Notepad++'s update server. August 2025 to January 2026 — every auto-update came with free spyware.

How it worked: You clicked “update” thinking you’re getting security fixes. You were downloading government-grade surveillance tools.

The damage: 2-5 million devices. Remote access. Credential theft. Persistent surveillance.

The embarrassing part: No fancy zero-day exploit. They just… stole the update server password. Most “sophisticated attacks” are just bad password hygiene.


( ͡ಠ ʖ̯ ͡ಠ) Cool. My Text Editor Was a Spy. Now What's MY Move?
  1. The “Panic Audit” Freelancer

    • Businesses are FREAKING OUT → list yourself on Fiverr as “software security auditor” → charge $50-200 to scan their installed apps
    • No expertise needed. Just run their programs against CVE databases. Write a scary PDF.

    💡 Example: A guy in the Philippines does “software hygiene checks” — ₱45,000/month ($800) running free automated scanners and writing reports that sound technical.

  2. The “Clean USB” Reseller

    • Portable apps = no auto-updates = no supply chain risk
    • Bundle Notepad++ portable + VS Code portable + other dev tools on USBs → sell as “verified clean toolkits” for $20-50

    💡 Example: Someone in Poland sells “air-gapped developer kits” to government contractors. €35 per USB. 40+ sales monthly.

  3. The “Update Manager” Subscription

    • Most businesses have NO CLUE how to safely disable auto-updates
    • Offer monthly “controlled update management” — you manually approve updates after checking them

    💡 Example: IT student in Indonesia charges Rp150,000/month ($10) per business. 23 clients = $230/month for 2 hours of work weekly.

  4. The “Breach Playbook” Template Seller

    • Create incident response templates for supply chain attacks → sell on Gumroad/Notion
    • Companies need these for compliance. Nobody wants to write them.

    💡 Example: Blogger in Nigeria made a “Supply Chain Breach Playbook” Notion template after Log4j. 340+ sales at $12 = $4,080 from one weekend.

  5. The “Hash Checker” Bot

    • Build a Telegram bot that verifies software downloads match official hashes
    • Crypto people are paranoid AND pay well

    💡 Example: Dev in Brazil built a wallet hash verifier. 0.001 BTC ($40) lifetime. 200+ users in 3 months.

  6. The “Awareness Training” Package

    • Record a 45-min explainer on supply chain attacks → sell to HR departments as “compliance training”
    • HR buys anything labeled “awareness training”

    💡 Example: Consultant in Germany sells the same video to SMBs for €200/license. 15 companies bought after this news broke.
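
The check behind hustles 3 and 5 (approve a download only if its hash matches a pinned value), as an added example that is not part of the original post. The file names and manifest contents are constructed, and the manifest is assumed to use the `sha256sum` line format:

```python
import hashlib
import hmac
import os
import tempfile

def parse_manifest(text):
    """Parse sha256sum-style lines ('<hex>  name' or '<hex> *name') into {name: digest}."""
    pinned = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")  # '*' marks binary mode in sha256sum output
        if len(digest) != 64 or not set(digest.lower()) <= set("0123456789abcdef") or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        pinned[name] = digest.lower()
    return pinned

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so large installers are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_download(path, pinned):
    """Return 'OK', 'MISMATCH' or 'UNLISTED' for one downloaded file."""
    name = os.path.basename(path)
    if name not in pinned:
        return "UNLISTED"  # no pinned hash means no approval, not a silent pass
    actual = sha256_file(path)
    return "OK" if hmac.compare_digest(actual, pinned[name]) else "MISMATCH"

def demo():
    """Constructed sample: two stand-in installers, one altered after the manifest was made."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "editor-setup.exe")
        bad = os.path.join(d, "editor-update.exe")
        for p, data in ((good, b"original build"), (bad, b"original update")):
            with open(p, "wb") as f:
                f.write(data)
        manifest = f"# constructed\n{sha256_file(good)}  editor-setup.exe\n{sha256_file(bad)} *editor-update.exe\n"
        pinned = parse_manifest(manifest)
        with open(bad, "ab") as f:
            f.write(b" + tampering")  # simulate an update swapped after pinning
        return [check_download(p, pinned) for p in (good, bad, os.path.join(d, "unknown.exe"))]
```

Pin the manifest from somewhere other than the update server you are checking. A hash served from the same compromised box will match the tampered file.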



⚡ Too Long, What’s the Move?

Notepad++ was backdoored for 6 months. Check your version. Scan your system. Or better — sell “security audits” to panicking businesses while everyone’s scared.


Source: Ars Technica
