Notepad++ Supply Chain Attack: A Comprehensive Overview
TL;DR: A security breach affecting Notepad++ update infrastructure allowed attackers to deploy malicious payloads from June to December 2025. Various victim organizations, including government and financial institutions, were targeted using multiple sophisticated infection chains.
The Notepad++ developers confirmed a security incident on February 2, 2026, revealing that their update servers were compromised through a vulnerability at the hosting provider. Attackers maintained access for several months, executing targeted attacks through an evolving set of techniques and payloads. Notably, Kaspersky remarked on the creativity of the attackers, who routinely changed their command-and-control (C2) servers and delivery mechanisms, complicating detection and response efforts.
The first established infection chain deployed a malicious updater that manipulated the legitimate Notepad++ updater process to collect and exfiltrate system information before executing a Metasploit-based second-stage payload. Targets of this chain were identified in Vietnam, El Salvador, Australia, and a Philippine government agency. Subsequent chains further modified the payload and delivery methods, successfully executing operations until November 2025.
These attacks leveraged well-known vulnerabilities in the ProShow software and used social engineering tactics to disguise malicious activities within legitimate-looking updates. By doing so, attackers could evade detection and continuously exploit high-profile target environments to gain unauthorized access.
Understanding the complexities of these attacks is critical for organizations that rely on software like Notepad++. The targeted nature of these attacks highlights the need for robust security measures, as adversaries demonstrated a willingness to exploit established trust in software update mechanisms.
With their sophisticated use of legitimate applications for malicious tasks, these incidents stress the importance of comprehensive monitoring strategies combined with threat intelligence feeds to identify unusual behavior, such as unexpected command executions or access to known malicious domains.
Indicators of Compromise (IOCs):
Malicious Updater URLs:
Payload Hashes:
- updater.exe: 8e6e505438c21f3d281e1cc257abdbf7223b7f5a
- malicious auxiliary file: 06a6a5a39193075734a32e0235bde0e979c27228
Command & Control URLs:
These specific IOCs are vital for network defenders to help identify and respond to related malware activity in their environments.
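The following is an added example, not code from the original article or from the Notepad++ project, showing how a defender could put the monitoring advice above and the listed IOCs to work: it hashes files on disk and matches them against the two digests from the IOC list, and matches proxy or DNS log lines against a C2 domain list. It assumes the two 40-character digests are SHA-1 (the article does not name the algorithm; the length matches SHA-1), assumes a log line shape of "timestamp client host status", and uses a placeholder domain because the article does not list any C2 hosts. All sample log lines are constructed.

```python
"""Match local files and proxy/DNS log lines against the Notepad++ IOCs.

Added example, not from the article. Assumptions: the article's 40-hex digests
are SHA-1; the C2 domain set is a placeholder (the article lists no domains);
log lines look like "<timestamp> <client> <host> <status>".
"""
import hashlib
import re
from pathlib import Path

# Digests copied from the article's IOC list, keyed to the file they describe.
IOC_SHA1 = {
    "8e6e505438c21f3d281e1cc257abdbf7223b7f5a": "updater.exe",
    "06a6a5a39193075734a32e0235bde0e979c27228": "malicious auxiliary file",
}

# Placeholder only: the article omits C2 domains; populate from a vetted feed.
IOC_DOMAINS = {"c2.example.invalid"}


def sha1_hex(data: bytes) -> str:
    """SHA-1 of an in-memory blob as lower-case hex."""
    return hashlib.sha1(data).hexdigest()


def sha1_file(path, chunk=1 << 20) -> str:
    """SHA-1 of a file, streamed so large binaries are not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_hash_matches(digests_by_path, iocs=IOC_SHA1):
    """Return [(path, digest, label)] for every digest present in the IOC table."""
    matches = []
    for path, digest in digests_by_path.items():
        d = digest.lower()
        if d in iocs:
            matches.append((path, d, iocs[d]))
    return matches


def scan_tree(root, iocs=IOC_SHA1):
    """Hash every regular file under root and report IOC matches."""
    digests = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            try:
                digests[str(p)] = sha1_file(p)
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
    return find_hash_matches(digests, iocs)


# Assumed log line shape: "<timestamp> <client> <host> <status>".
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def find_domain_hits(lines, iocs=IOC_DOMAINS):
    """Return (client, host) for lines whose host is an IOC domain or a subdomain of one."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: ignore, do not crash the sweep
        _ts, client, host, _status = m.groups()
        host = host.lower().rstrip(".")  # normalise case and trailing dot
        if any(host == d or host.endswith("." + d) for d in iocs):
            hits.append((client, host))
    return hits


if __name__ == "__main__":
    # Constructed sample lines for a stand-alone run.
    sample = [
        "2025-09-01T10:00:00Z 10.0.0.5 legit.example.org 200",
        "2025-09-01T10:00:02Z 10.0.0.5 update.c2.example.invalid 200",
    ]
    print("domain hits:", find_domain_hits(sample))
    print("hash hits:", scan_tree("."))
```

Run it against the Notepad++ install and update directories and against exported proxy logs; a hash hit on either digest or a hit on a vetted C2 domain is a trigger for isolating the host and collecting the updater binary for analysis. Hash matching is case-insensitive and the domain check also catches subdomains, since the article notes the attackers rotated C2 infrastructure.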