Sophos Endpoint in action: Blocking a novel supply chain attack
ID: 0946882a-ea81-5f84-944b-be671b64f1e6
STIX ID: report--0946882a-ea81-5f84-944b-be671b64f1e6
Feed Name: Sophos Blogs
Sophos describes a watering-hole/supply-chain compromise of the JDownloader download site on May 6–7, 2026, in which attackers swapped the legitimate Windows installers for trojanized binaries that reportedly disabled Microsoft Defender. The report highlights how Sophos Endpoint's Kernel32Trap mitigation, which targets dynamic API resolution (MITRE ATT&CK T1027.007), blocked execution of the trojanized installer on customer endpoints before the second-stage payload could be deployed, and contrasts this event with a similar CPU-Z incident.
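T1027.007 covers malware that resolves Windows API addresses at run time (typically by comparing hashes of export names) instead of declaring them in the PE import table, so that static analysis sees few or no telltale imports. The following is an added, generic illustration of that technique from the analyst's side; it is not code from the Sophos report, from the trojanized JDownloader installer, or from Kernel32Trap, and the report does not state which hashing scheme that sample used. It implements the widely used ROR13 export-name hash and builds a reverse lookup so that a hash constant found in a sample can be mapped back to the API it resolves. The export-name list is a small constructed subset for the example.

```python
# Added example: reverse-lookup helper for ROR13 API hashes (T1027.007).
# Assumptions (not from the page): the sample hashes ASCII export names with
# the classic ROR13 loop (h = ror32(h, 13) + ord(c)); other families use other
# constants, so the rotate amount is a parameter.

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def api_hash(name: str, rot: int = 13) -> int:
    """Hash an export name the way ROR13-style resolvers do: one rotate-and-add per byte."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, rot) + b) & MASK32
    return h


# Constructed subset of kernel32 exports; a real table would be generated by
# dumping the export directory of the DLL versions the sample targets.
KERNEL32_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateProcessA", "WriteProcessMemory", "CreateRemoteThread",
    "GetModuleHandleA", "ExitProcess", "Sleep",
]


def build_hash_table(names, rot: int = 13) -> dict:
    """Map hash -> export name so constants seen in a disassembly can be resolved."""
    table = {}
    for n in names:
        h = api_hash(n, rot)
        # A collision would make the resolver ambiguous; surface it instead of overwriting.
        if h in table and table[h] != n:
            raise ValueError(f"hash collision: {table[h]!r} vs {n!r} ({h:#010x})")
        table[h] = n
    return table


def resolve_hashes(observed, names=KERNEL32_EXPORTS, rot: int = 13) -> dict:
    """Resolve a list of 32-bit constants against the table; unknown hashes map to None."""
    table = build_hash_table(names, rot)
    return {h: table.get(h & MASK32) for h in observed}


if __name__ == "__main__":
    # Constructed "observed" constants: two real hashes plus one unknown value.
    seen = [api_hash("VirtualAlloc"), api_hash("CreateRemoteThread"), 0xDEADBEEF]
    for h, name in resolve_hashes(seen).items():
        print(f"{h:#010x} -> {name}")
```

In triage, the constants fed to `resolve_hashes` come from immediate operands in the resolver loop of the sample; a run of resolved names such as `VirtualAlloc`, `VirtualProtect` and `CreateRemoteThread` with an otherwise empty import table is the static signature of this sub-technique, which is also why a run-time mitigation such as the one the report describes has to watch how the process locates kernel32 rather than what it imports.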
