When Updates Become Weapons: The Notepad++ Supply Chain Incident


In early February 2026, the developers of Notepad++ disclosed a previously unnoticed supply chain compromise affecting the application’s update infrastructure. The breach allowed attackers to distribute malicious updates disguised as legitimate software releases, resulting in targeted infections across multiple countries. The incident persisted for several months in 2025 and involved multiple evolving execution chains, making detection difficult and highlighting the risks associated with trusted software update mechanisms.

Severity: High

Initial Compromise And Timeline

The attack originated from a hosting provider–level compromise of Notepad++’s update infrastructure, which occurred between June and September 2025. Although the hosting issue was reportedly resolved, attackers retained access to internal services until December 2025. Active malicious update deployments were observed from late July through late October 2025, after which no new infections were identified.

Attack Strategy And Targeting

Rather than indiscriminate mass distribution, the attackers conducted a highly targeted campaign, infecting approximately a dozen systems. Victims included:

  • Government entities (notably in the Philippines),
  • Financial organizations,
  • IT service providers,
  • Individual developers and users.

This selective targeting suggests a covert espionage-oriented operation rather than financially motivated malware distribution.

Malicious Update Mechanism

Attackers weaponized the legitimate Notepad++ updater process, delivering NSIS-based malicious installers from compromised update URLs. Because updates were retrieved and executed through trusted channels, victims had no immediate indication of compromise.

Evolving Infection Chains

The report identifies three distinct infection chains, each introduced to evade detection:

  • Chain #1 (July–August 2025):
    • Focused on system reconnaissance and data exfiltration using shell commands, with results uploaded to public file-hosting services. It abused legitimate software (ProShow) to execute an exploit that ultimately deployed a Cobalt Strike Beacon.
  • Chain #2 (September 2025, resurfacing in October):
    • Expanded reconnaissance, changed working directories, and leveraged legitimate Lua interpreter components to load shellcode directly into memory. This chain also delivered Cobalt Strike Beacons, but with modified infrastructure and C2 endpoints.
  • Chain #3 (October 2025):
    • Introduced a new update server and relied on DLL sideloading within a legitimate Bluetooth service executable. Instead of Cobalt Strike as the primary payload, this chain deployed a custom backdoor named Chrysalis, which has been associated with advanced, Chinese-speaking threat actors.

Tooling And Command-And-Control

  • Across the campaign, attackers continuously rotated:
    • Update delivery IPs and URLs,
    • C2 domains,
    • Payload formats and loaders.
  • They relied heavily on Cobalt Strike, Metasploit-based downloaders and custom shellcode, encrypting configurations and using benign-looking domains to blend into normal traffic.

Recommendations

  1. It is recommended to download v8.9.1 (from https[:]//notepad-plus-plus.org) and run the installer to update your Notepad++.
  2. Monitor the legitimate updater process (GUP.exe) for anomalous child processes, such as shell execution of whoami, tasklist, systeminfo or netstat.
  3. Check network traffic logs for DNS resolutions of the temp[.]sh domain, which is unusual to observe in corporate environments. Also, it is beneficial to conduct a check for raw HTTP traffic requests that have a temp[.]sh URL embedded in the user agent.
  4. Check systems for deployments of NSIS installers with the hash values below. One way is to look for logs recording creation of the %localappdata%\Temp\ns.tmp directory.
    8e6e505438c21f3d281e1cc257abdbf7223b7f5a
    573549869e84544e3ef253bdba79851dcde4963a
    d7ffd7b588880cf61b603346a3557e7cce648c93
  5. Block the IOCs at their respective controls:
    https://www.virustotal.com/gui/collection/d1b40bacf8afe2c293415b2ec8b6e8fe1b850a55b83cad603eab993b66d05aaf/iocs
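The detections in recommendations 2 to 4 as runnable triage logic, added here as an example (not code from Ampcus Cyber, Kaspersky or the Notepad++ project): it runs over constructed log records using a simplified, hypothetical event schema (type, parent_image, command_line, query, user_agent, path) modelled on endpoint process-creation, DNS, proxy and file-creation telemetry, and it generalises the advisory's ns.tmp path to the ns<random>.tmp directory an NSIS installer unpacks into.

```python
import re
from typing import Optional

RECON_CMDS = {"whoami", "tasklist", "systeminfo", "netstat"}
SUSPICIOUS_DOMAIN = "temp.sh"
# NSIS unpacks into %localappdata%\Temp\ns<random>.tmp; this generalises the advisory's
# "ns.tmp". Any NSIS installer triggers it, so treat it as a triage lead, not proof.
NSIS_TMP_RE = re.compile(r"\\temp\\ns[^\\]*\.tmp(\\|$)", re.IGNORECASE)


def flag_event(ev: dict) -> Optional[str]:
    """Return a finding for one log record, or None if it looks benign."""
    kind = ev.get("type")
    if kind == "process":
        parent = ev.get("parent_image", "").lower()
        if parent.endswith("\\gup.exe") or parent == "gup.exe":
            # Reduce "cmd.exe /c whoami /all" or "C:\...\whoami.exe" to the bare tool name
            for tok in re.split(r"[\s\"']+", ev.get("command_line", "").lower()):
                base = tok.rsplit("\\", 1)[-1].removesuffix(".exe")
                if base in RECON_CMDS:
                    return f"GUP.exe spawned recon command '{base}'"
    elif kind == "dns":
        q = ev.get("query", "").lower().rstrip(".")
        if q == SUSPICIOUS_DOMAIN or q.endswith("." + SUSPICIOUS_DOMAIN):
            return f"DNS lookup of {q} by {ev.get('image')}"
    elif kind == "http":
        if SUSPICIOUS_DOMAIN in ev.get("user_agent", "").lower():
            return f"temp.sh URL embedded in User-Agent: {ev['user_agent']}"
    elif kind == "file_create":
        if NSIS_TMP_RE.search(ev.get("path", "")):
            return f"NSIS unpack directory created: {ev['path']}"
    return None


def scan(events) -> list:
    """Run flag_event over a sequence of records and keep the findings."""
    return [f for f in (flag_event(e) for e in events) if f]


# Constructed sample records (not real telemetry from the incident).
SAMPLE_EVENTS = [
    {"type": "process", "parent_image": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "command_line": r'"C:\Program Files\Notepad++\notepad++.exe"'},  # normal updater child
    {"type": "process", "parent_image": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "command_line": "cmd.exe /c whoami & tasklist > %temp%\\out.txt"},  # recon via updater
    {"type": "dns", "image": "GUP.exe", "query": "notepad-plus-plus.org"},
    {"type": "dns", "image": "GUP.exe", "query": "temp.sh"},
    {"type": "http", "user_agent": "Mozilla/5.0 https://temp.sh/abcd/x.bin"},
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Local\Temp\nsj1A2B.tmp"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```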

Sources:

  • https://securelist.com/notepad-supply-chain-attack/118708/
  • https://notepad-plus-plus.org/news/hijacked-incident-info-update/
  • https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/

Ampcus Cyber