UPD 11.02.2026: added recommendations on how to use the Notepad++ supply chain attack rules package in our SIEM system.

Introduction

On February 2, 2026, the developers of Notepad++, a text editor popular among developers, published a statement claiming that the update infrastructure of Notepad++ had been compromised. According to the statement, this was due to a hosting-provider-level incident, which occurred from June to September 2025. However, attackers had been able to retain access to internal services until December 2025.

Multiple execution chains and payloads

Having checked our telemetry related to this incident, we were amazed to find out how different and unique the execution chains used in this supply chain attack were. We identified that over the course of four months, from July to October 2025, the attackers who had compromised Notepad++ had been constantly rotating the C2 server addresses used for distributing malicious updates, the downloaders used for implant delivery, and the final payloads.

Article Summaries:

  • On 2 Feb 2026, Notepad++ developers announced that their update infrastructure had been compromised in a hosting-provider incident that ran from June to September 2025, with attackers maintaining access to internal services until December 2025. Between July and October 2025, malicious updates were distributed through rotating C2 servers, targeting roughly a dozen machines in Vietnam, El Salvador, Australia, and the Philippines, as well as a financial organization. Three distinct infection chains were identified, each using unique payloads and delivery methods; Kaspersky's solutions blocked the attacks as they occurred. The article also publishes previously unknown IoCs and offers guidance on applying Notepad++ supply-chain-attack rules in SIEM systems.

Sources: