On February 2, 2026, Notepad++'s developers revealed a serious security flaw affecting their update infrastructure. A sophisticated supply chain attack had been launched against the well-known text editor, which is used by developers all over the world.

The attack went unnoticed for several months. The official statement claims that between June and September 2025, a hosting provider-level incident gave attackers unauthorized access, which allowed them to continue using internal services until December 2025. Over the course of four months, from July to October 2025, threat actors rotated their command and control server addresses, downloaders, and final payloads, exhibiting a remarkable degree of operational sophistication.

[Figure: Post from the Notepad++ community forums (Source: Securelist)]

Security teams found detection and analysis especially difficult because the attack infrastructure was constantly changing. About a dozen computers owned by people in Vietnam, El Salvador, and Australia, as well as businesses in the Philippines and an IT service provider in Vietnam, were targeted by the compromised update mechanism. During their investigation, Securelist analysts discovered three different infection chains, each exhibiting distinct technical traits and evasion strategies.

The attackers used a variety of frameworks, such as Cobalt Strike Beacon payloads and Metasploit downloaders. Later on, they also used the unique Chrysalis backdoor. Kaspersky security solutions effectively stopped the detected attacks as they happened, despite the wide range of malicious payloads seen during the campaign.

Methodology of Technical Attacks

Late July 2025 saw the emergence of the first infection chain, in which the attackers used the compromised update infrastructure to spread a malicious NSIS installer. When the malicious update.exe file was run by the genuine Notepad++ updater process, it immediately sent system reconnaissance data to attacker-controlled servers via the temp.sh file hosting service.

[Figure: Decompilation of the alien.ini file (Source: Securelist)]

This behavior involved running shell commands to collect usernames, running processes, system information, and network connections, then uploading the results with carefully constructed curl commands.

Instead of using the widely used DLL sideloading technique, the attackers took advantage of an older vulnerability in the ProShow software that dates back to the early 2010s. This strategy allowed them to avoid detection systems that primarily monitor DLL sideloading activity.

The exploit payload contained two shellcodes: one served as padding to trick automated analysis systems, and the other decrypted a Metasploit downloader that fetched Cobalt Strike Beacon shellcode from remote servers. Security teams can identify this threat by monitoring NSIS installer deployments and checking for %localappdata%\Temp\ns.tmp directory creation logs. Organizations should also look for unusual DNS resolutions to the temp.sh domain in network traffic and for reconnaissance commands such as whoami, tasklist, systeminfo, and netstat in system logs.
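The detection points listed above, combined into one host-scoring routine over constructed sample telemetry; this is an added example, not code from the article or from Securelist. It assumes gup.exe is the legitimate Notepad++ updater image name, generalises the article's ns.tmp to the ns&lt;hex&gt;.tmp directories NSIS unpacks into, and uses a burst of three distinct reconnaissance tools on one host as the trigger.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs): process, DNS and directory events per host.
SAMPLE_EVENTS = [
    {"host": "ws1", "type": "process", "parent": "gup.exe", "image": "update.exe", "cmdline": "update.exe"},
    {"host": "ws1", "type": "dir_create", "path": r"C:\Users\u\AppData\Local\Temp\nsa1B2.tmp"},
    {"host": "ws1", "type": "process", "parent": "update.exe", "image": "cmd.exe", "cmdline": "cmd /c whoami"},
    {"host": "ws1", "type": "process", "parent": "update.exe", "image": "cmd.exe", "cmdline": "cmd /c tasklist /v"},
    {"host": "ws1", "type": "process", "parent": "update.exe", "image": "cmd.exe", "cmdline": "cmd /c systeminfo"},
    {"host": "ws1", "type": "process", "parent": "update.exe", "image": "cmd.exe", "cmdline": "cmd /c netstat -ano"},
    {"host": "ws1", "type": "dns", "query": "temp.sh"},
    {"host": "ws2", "type": "process", "parent": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd /c whoami"},
    {"host": "ws2", "type": "dns", "query": "notepad-plus-plus.org"},
]

RECON_TOOLS = {"whoami", "tasklist", "systeminfo", "netstat"}
# NSIS unpacks into %localappdata%\Temp\ns<hex>.tmp (assumed generalisation of the article's ns.tmp).
NSIS_TMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\ns[0-9a-z]*\.tmp$", re.IGNORECASE)
UPDATER_IMAGE = "gup.exe"  # assumption: image name of the legitimate Notepad++ updater

def recon_tools(cmdline):
    """Return the reconnaissance tool names present in a command line."""
    return {t for t in re.findall(r"[a-z]+", cmdline.lower()) if t in RECON_TOOLS}

def score_hosts(events, burst=3):
    """Map each host to the sorted indicators it triggered (hosts with none are omitted).
    Samples carry no timestamps; a real rule would also window the recon burst by time."""
    indicators, seen_tools = defaultdict(set), defaultdict(set)
    for e in events:
        h = e["host"]
        if e["type"] == "process":
            if e["parent"].lower() == UPDATER_IMAGE and e["image"].lower() == "update.exe":
                indicators[h].add("updater_spawned_update_exe")
            seen_tools[h] |= recon_tools(e["cmdline"])
        elif e["type"] == "dir_create" and NSIS_TMP_DIR.search(e["path"]):
            indicators[h].add("nsis_tmp_dir")
        elif e["type"] == "dns":
            q = e["query"].lower().rstrip(".")
            if q == "temp.sh" or q.endswith(".temp.sh"):
                indicators[h].add("temp_sh_dns")
    for h, tools in seen_tools.items():
        if len(tools) >= burst:
            indicators[h].add("recon_burst")
    return {h: sorted(v) for h, v in indicators.items() if v}

if __name__ == "__main__":
    for host, inds in score_hosts(SAMPLE_EVENTS).items():
        print(host, inds)
```

A single whoami from explorer.exe on ws2 produces no indicator, which is the point of requiring a burst of distinct tools rather than alerting on each command.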

Additional safeguards against comparable supply chain breaches include monitoring connections to Living-Off-the-Land C2 services and implementing behavioral detection rules for registry autorun modifications.