Contents
1. [Software Vulnerability] Notepad++ Backdoored: Disable Auto-Update Immediately
- Summary: The update server of the well-known open-source text editor Notepad++ was compromised by a Chinese hacker group (Lotus Blossom). If a user runs the built-in auto-update, the traffic is redirected to a malicious server and a backdoor named "Chrysalis" is downloaded, leaving the computer under the attackers' remote control.
- Recommended Action: Stop using the Notepad++ auto-update feature immediately. If you need to update, download and install the latest version, v8.9.2, manually from the official website.
- Reference: TWCERT/CC Vulnerability Alert (compiled from the Rapid7 report)
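As an added example, not taken from the TWCERT/CC alert or from the Notepad++ project, the following PowerShell check lets a Windows administrator see whether a host still carries a build below the v8.9.2 named above and whether the built-in updater is still in play, which is the state the recommended action asks you to leave. The install locations, the updater file name `GUP.exe` and the `noUpdate` setting in `config.xml` are assumptions about the product's layout and are not stated on the page.

```powershell
# Added example, not part of the TWCERT/CC alert or of Notepad++ itself.
# Reports, for one Windows host, whether Notepad++ is below the v8.9.2 named
# in the alert and whether the built-in auto-updater is still enabled.
# Assumptions (not stated on the page): default install locations under
# Program Files, the bundled updater at <install>\updater\GUP.exe, and the
# per-user preference file %APPDATA%\Notepad++\config.xml.

$MinimumSafeVersion = [version]'8.9.2'   # version named in the alert

function Get-NotepadPlusPlusStatus {
    [CmdletBinding()]
    param()

    # 64-bit and 32-bit Program Files roots; the (x86) one is absent on 32-bit hosts.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $configPath = Join-Path $env:APPDATA 'Notepad++\config.xml'   # assumed location

    foreach ($root in $roots) {
        $exe = Join-Path $root 'Notepad++\notepad++.exe'
        if (-not (Test-Path -LiteralPath $exe)) { continue }

        # Version stamped on the binary; the cast is guarded because the
        # string is not guaranteed to be a clean dotted number.
        $installed = $null
        try {
            $installed = [version]((Get-Item -LiteralPath $exe).VersionInfo.ProductVersion)
        } catch {
            Write-Warning "Could not parse the version string of $exe"
        }

        # Component that performs the in-app update check (assumed path).
        $updater = Join-Path $root 'Notepad++\updater\GUP.exe'

        # Preference toggle for the auto-updater (assumed layout):
        # <GUIConfig name="noUpdate" ...>yes</GUIConfig> means auto-update is off.
        $autoUpdateDisabled = $null
        if (Test-Path -LiteralPath $configPath) {
            [xml]$cfg = Get-Content -LiteralPath $configPath -Raw
            $node = $cfg.NotepadPlus.GUIConfigs.GUIConfig |
                Where-Object { $_.name -eq 'noUpdate' }
            if ($node) { $autoUpdateDisabled = ($node.InnerText.Trim() -eq 'yes') }
        }

        [pscustomobject]@{
            Path               = $exe
            InstalledVersion   = $installed
            BelowSafeVersion   = if ($installed) { $installed -lt $MinimumSafeVersion } else { $null }
            UpdaterPresent     = Test-Path -LiteralPath $updater
            AutoUpdateDisabled = $autoUpdateDisabled
        }
    }
}

# Run under the user whose profile holds the preference file.
Get-NotepadPlusPlusStatus | Format-List
```

A host is in the state the alert asks for when `BelowSafeVersion` is `$false` and either `AutoUpdateDisabled` is `$true` or `UpdaterPresent` is `$false`; a `$null` in any field means the check could not find the file it expected, not that the host is safe, so treat it as something to inspect by hand. The function returns objects rather than printing text so the same check can be collected across a fleet by an endpoint-management tool.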
2. [Communication Security] CISA Warns of Spyware Targeting Messaging Apps, Urges Disabling SMS Verification
- Summary: The US CISA warns that attackers are actively using advanced techniques such as phishing, malicious QR codes and "zero-click" exploits to target users of instant-messaging apps for account hijacking and data theft.
- Recommended Action: 1. Use messaging apps with end-to-end encryption (E2EE). 2. Enable physical security keys (e.g. FIDO) for multi-factor authentication. 3. Strongly consider disabling SMS as a channel for receiving verification codes, to avoid interception or SIM swapping.
- Reference: TWCERT/CC Mobile Communications Security Guidance Alert
3. [AI Governance] Europe Releases a Global AI Cybersecurity Standard to Defend Against New Generative-AI Threats
- Summary: The European Telecommunications Standards Institute (ETSI) has formally released a globally applicable AI cybersecurity standard (ETSI EN 304 223). Because traditional defences cannot stop new AI-specific attacks such as data poisoning or prompt injection, the standard sets out 13 core security principles for generative AI systems, covering design, development, deployment and retirement, and explicitly defines the cybersecurity responsibilities of each party in the supply chain (including end users).
- Recommended Action: Units within the school that outsource, procure or build generative AI systems to support administration and teaching are advised to have their IT staff and project owners adopt this standard as a reference, building security protections in from the initial design phase (secure by design).
- Reference: ETSI Releases AI Cybersecurity Standard (TWCERT/CC announcement)