On February 2, 2026, developers of Notepad++ announced a significant security breach impacting the update infrastructure of the widely utilized text editor. The incident, a complex supply chain attack, remained undetected for several months, affecting users globally.
Details of the Cybersecurity Incident
The breach originated from an incident at the hosting provider, which gave the attackers unauthorized access between June and September 2025; that foothold let them remain inside internal systems until December 2025. The operation was notable for its sophistication: from July to October 2025 the perpetrators repeatedly rotated their command and control servers, downloaders, and final payloads.
Impact and Analysis of the Attack
This breach targeted around a dozen individual machines in Vietnam, El Salvador, and Australia, alongside organizations in the Philippines and a Vietnamese IT service provider. Securelist analysts identified three distinct infection chains, each showcasing unique technical traits and evasion strategies.
The attackers employed various frameworks, including Metasploit downloaders and Cobalt Strike Beacon payloads, integrating the custom Chrysalis backdoor in later stages. Despite the diverse range of malicious payloads, Kaspersky’s security solutions managed to block the detected attacks.
Technical Insights into the Attack Methodology
The initial infection chain surfaced in late July 2025, involving a malicious NSIS installer distributed via the compromised update mechanism. When executed by the genuine Notepad++ updater, this installer sent system reconnaissance data to attacker-controlled servers through the temp.sh file hosting service.
Rather than the more common DLL sideloading technique, the attackers exploited an old vulnerability, dating to the early 2010s, in the ProShow software, which helped the chain slip past modern detection systems. The exploit payload carried two shellcodes: one served only as padding, while the other decrypted a Metasploit downloader that in turn fetched Cobalt Strike Beacon shellcode.
Security professionals can detect such threats by monitoring NSIS installer deployments and inspecting network traffic for unusual DNS resolutions to the temp.sh domain. Additionally, examining system logs for reconnaissance commands and implementing behavioral detection rules can fortify defenses against such supply chain attacks.
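As an added illustration of the detection advice above (not code from the article or from any vendor), the following Python triages constructed Sysmon-style DNS query events: it flags lookups of the temp.sh file hosting domain mentioned in the article and, as an additional heuristic, queries issued by binaries running out of an NSIS-style %TEMP%\ns*.tmp extraction folder. The log format, the process paths and the folder-name heuristic are assumptions, not facts from the article.

```python
import re

# Domain named in the article as the exfiltration channel for reconnaissance data.
WATCHED_DOMAINS = ("temp.sh",)

# Heuristic (assumption): NSIS installers unpack helper binaries into a
# %TEMP%\nsXXXX.tmp folder, so a DNS query from such a path is suspicious.
NSIS_TEMP_DIR = re.compile(r"\\Temp\\ns[a-z0-9]{1,8}\.tmp\\", re.IGNORECASE)

# Assumed line layout of a Sysmon Event ID 22 (DNS query) export.
EVENT_RE = re.compile(r"^(?P<ts>\S+) EventID=22 Image=(?P<image>.+?) QueryName=(?P<query>\S+)$")

# Constructed sample events; paths and timestamps are made up for the example.
SAMPLE_EVENTS = r"""
2025-07-28T10:14:03Z EventID=22 Image=C:\Program Files\Notepad++\updater\GUP.exe QueryName=notepad-plus-plus.org
2025-07-28T10:14:09Z EventID=22 Image=C:\Users\a\AppData\Local\Temp\nsa1234.tmp\update.exe QueryName=temp.sh
2025-07-28T10:15:11Z EventID=22 Image=C:\Windows\System32\svchost.exe QueryName=time.windows.com
2025-07-28T10:16:40Z EventID=22 Image=C:\Users\a\Downloads\tool.exe QueryName=files.temp.sh
"""


def is_watched_domain(query: str) -> bool:
    """True for the watched domain itself or any subdomain of it (case-insensitive)."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in WATCHED_DOMAINS)


def parse_event(line: str):
    """Return the event fields as a dict, or None if the line is not a DNS query event."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def triage_dns_events(text: str) -> list:
    """Scan exported events and return findings with the reasons they were flagged."""
    findings = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        reasons = []
        if is_watched_domain(ev["query"]):
            reasons.append("dns:file-hosting-domain")
        if NSIS_TEMP_DIR.search(ev["image"]):
            reasons.append("process:nsis-temp-dir")
        if reasons:
            # Both signals together (installer staging dir talking to temp.sh) rank highest.
            severity = "high" if len(reasons) == 2 else "medium"
            findings.append({**ev, "reasons": reasons, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in triage_dns_events(SAMPLE_EVENTS):
        print(f["severity"], f["ts"], f["image"], f["query"], f["reasons"])
```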
