The popular text editor Notepad++ has been the victim of a supply chain attack that compromised its update infrastructure, according to a February 2, 2026, disclosure by its developers. The breach let the attackers deliver targeted malware through the editor's own update channel, went undetected for several months, and is another reminder of how exposed software update mechanisms remain. The known victims amount to roughly a dozen machines: systems in Vietnam, El Salvador, and Australia, organizations in the Philippines, and an IT service provider in Vietnam.
The attackers gained access to Notepad++'s internal services through an incident at its hosting provider between June and September 2025 and kept that access until December 2025. The campaign showed considerable operational discipline: between July and October 2025 the actors repeatedly rotated their command-and-control (C2) servers, downloaders, and final payloads, which made tracking and analysis harder for defenders. Kaspersky security products blocked the identified attacks as they occurred.
Notepad++ Supply Chain Attack Details
According to the Securelist analysts who investigated the incident, three distinct infection chains were identified, each with its own technical characteristics and evasion techniques. The attackers relied on off-the-shelf tooling, Metasploit downloaders and Cobalt Strike Beacon payloads, and in later stages deployed a custom backdoor known as Chrysalis.
The first infection chain surfaced in late July 2025. The attackers used the compromised update infrastructure to serve a malicious NSIS installer. The malicious update.exe, launched by the legitimate Notepad++ updater process, began with system reconnaissance: it collected the username, running processes, system details, and network connections and sent the results to attacker-controlled servers via the temp.sh file hosting service.
Rather than the DLL sideloading that many loaders use, the attackers exploited an old vulnerability in the ProShow software, dating back to the early 2010s, to get their code running. The choice was probably deliberate: modern detection stacks watch DLL sideloading closely, while a legitimate but vulnerable binary abused as a loader draws less attention. The exploit payload carried two shellcodes. The first served as padding to confuse automated analysis tools; the second decrypted a Metasploit downloader, which then fetched the Cobalt Strike Beacon shellcode from remote servers.
The continual modification of the attack infrastructure over a four-month period was a significant obstacle for security teams trying to track and block the threat, and it illustrates how adaptive the actors behind supply chain attacks can be.
Technical Indicators and Detection
Security teams can detect elements of this threat by monitoring for NSIS installer executions. NSIS unpacks its plugins into a randomly named nsXXXX.tmp directory under the user's temporary folder, so the creation of a directory matching %localappdata%\Temp\ns*.tmp in endpoint logs is a useful signal, particularly when the parent process is an updater. Organizations should also inspect network traffic for unexpected DNS resolutions of the temp.sh domain.
Further detection measures include looking for bursts of reconnaissance commands such as whoami, tasklist, systeminfo, and netstat launched from the same parent process, and behavioral rules that flag modifications to registry autorun keys. Monitoring connections to legitimate public services abused as C2 or dead drops, such as the file hosting service used in this campaign, adds another layer of protection against similar supply chain compromises.
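The detection points above, combined into one rule set as an added example; this is illustrative code written for this article, not tooling from Notepad++, Kaspersky, or Securelist. It runs four rules over Sysmon-style events expressed as Python dicts (the field names mirror Sysmon's but the events themselves are constructed, as are the paths, GUIDs, and the assumption that the updater's image name is GUP.exe):

```python
"""Detection sketch for the Notepad++ update-chain behaviours discussed above.

Added example, not code from Notepad++ or Securelist. Sample events below are
constructed for illustration; they are not real telemetry.
"""
import re
from collections import defaultdict

# Rule 1: NSIS unpacks plugins into <TEMP>\nsXXXX.tmp; an image or command line
# under such a directory means an NSIS installer ran (path is what we match).
NSIS_TMP_RE = re.compile(r"\\temp\\ns[a-z0-9]+\.tmp\\", re.IGNORECASE)

# Rule 2: the file-hosting service named in the report, used for exfiltration.
SUSPICIOUS_DOMAINS = {"temp.sh"}

# Rule 3: classic recon commands; fire when one parent runs several of them.
RECON_CMDS = {"whoami.exe", "tasklist.exe", "systeminfo.exe", "netstat.exe"}
RECON_THRESHOLD = 3

# Rule 4: autorun persistence via Run / RunOnce keys.
AUTORUN_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)


def detect(events):
    """Return a list of (rule_name, detail) findings for a sequence of events."""
    findings = []
    recon_by_parent = defaultdict(set)
    for e in events:
        if e["type"] == "process_create":
            image = e["Image"]
            if NSIS_TMP_RE.search(image) or NSIS_TMP_RE.search(e.get("CommandLine", "")):
                findings.append(("nsis_tmp_dir", image))
            name = image.rsplit("\\", 1)[-1].lower()
            if name in RECON_CMDS:
                recon_by_parent[e["ParentProcessGuid"]].add(name)
        elif e["type"] == "dns_query":
            q = e["QueryName"].lower().rstrip(".")
            if q in SUSPICIOUS_DOMAINS or any(q.endswith("." + d) for d in SUSPICIOUS_DOMAINS):
                findings.append(("c2_filehost_dns", f'{e["Image"]} -> {q}'))
        elif e["type"] == "registry_set":
            if AUTORUN_RE.search(e["TargetObject"]):
                findings.append(("autorun_persistence", f'{e["TargetObject"]} = {e["Details"]}'))
    # Recon is judged per parent after the pass so ordering of the commands does not matter.
    for parent, cmds in recon_by_parent.items():
        if len(cmds) >= RECON_THRESHOLD:
            findings.append(("recon_burst", f"{parent}: {', '.join(sorted(cmds))}"))
    return findings


# Constructed sample telemetry (not real logs). GUP.exe as the updater image,
# the GUIDs and the user path are assumptions made for the example.
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"type": "process_create", "Image": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "CommandLine": "GUP.exe", "ProcessGuid": "{P1}", "ParentProcessGuid": "{P0}"},
    {"type": "process_create", "Image": TEMP + r"\update.exe",
     "CommandLine": f'"{TEMP}\\update.exe"', "ProcessGuid": "{P2}", "ParentProcessGuid": "{P1}"},
    {"type": "process_create", "Image": TEMP + r"\nsk8F3A.tmp\dropped.exe",
     "CommandLine": "dropped.exe", "ProcessGuid": "{P3}", "ParentProcessGuid": "{P2}"},
] + [
    {"type": "process_create", "Image": r"C:\Windows\System32\\" + cmd,
     "CommandLine": cmd, "ProcessGuid": "{P4}", "ParentProcessGuid": "{P2}"}
    for cmd in ("whoami.exe", "tasklist.exe", "systeminfo.exe", "netstat.exe")
] + [
    {"type": "dns_query", "Image": TEMP + r"\update.exe", "QueryName": "temp.sh"},
    {"type": "dns_query", "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "ctldl.windowsupdate.com"},  # benign, must not fire
    {"type": "registry_set",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": TEMP + r"\update.exe"},
]


def run_sample():
    """Run the rules over the constructed events; used by the demo and the test."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, detail in run_sample():
        print(f"[{rule}] {detail}")
```

Each rule alone is noisy (NSIS is a common installer, and whoami runs legitimately all day); what makes the combination worth alerting on is the chain of an updater spawning a Temp-resident binary that immediately performs recon, contacts a file-hosting domain and writes an autorun value, so in production these findings would be correlated by process tree rather than emitted independently.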
That Kaspersky's products blocked these attacks underlines the value of robust endpoint detection and response (EDR) capabilities. The incident is also a stark reminder of the trust placed in software update mechanisms and of the need for continuous vigilance and layered defenses.
The Notepad++ development team is expected to review and harden the security of its update infrastructure. Users should confirm that they are running a build the developers identify as safe in their advisory, obtained from the official site, and should watch for further security advisories. Supply chain attacks are not going away, so developers and users alike must remain proactive in safeguarding their systems.