Notepad++ updater installed malware

Status
Not open for further replies.
I don't know that; the original security researcher said "East Asia." Since it's geospecific, I was wondering about how and the IP addresses, since so far, they have identified the problems related to the Autoupdate mechanism only (still unclear mechanism of redirection, weak .exe validation, and no PHP validation).
Beaumont speculates threat actors may have intercepted traffic at the ISP level to deliver malicious updates, though this would require substantial resources.

This could explain the locoregional targeting.
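The weak .exe validation mentioned above is the gap a hardened update client closes by checking the downloaded installer before it is ever executed. The function below is an added example written for this thread, not Notepad++'s own updater code; the publisher subject string and the expected SHA-256 are placeholders that a real updater would pin to its own code-signing certificate and release manifest.

```powershell
# Added example: validate a downloaded installer before execution.
# Not Notepad++ code. $ExpectedSubject and $ExpectedSha256 are placeholders
# that an updater would pin to its own publisher certificate and release manifest.
function Test-InstallerTrust {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSubject,   # e.g. 'CN=<publisher placeholder>'
        [Parameter(Mandatory)] [string] $ExpectedSha256     # published out-of-band, hex string
    )
    $result = [ordered]@{ Path = $Path; Trusted = $false; Reason = '' }

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $result.Reason = 'file not found'; return [pscustomobject]$result
    }

    # 1. The Authenticode signature must be intact and chain to a trusted root.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        $result.Reason = "signature status $($sig.Status)"; return [pscustomobject]$result
    }

    # 2. A valid signature from *any* publisher is not enough: pin the signer.
    if ($sig.SignerCertificate.Subject -notlike "*$ExpectedSubject*") {
        $result.Reason = "unexpected signer $($sig.SignerCertificate.Subject)"; return [pscustomobject]$result
    }

    # 3. The hash must match the value published out-of-band, so a redirected
    #    download cannot substitute a different (even validly signed) binary.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($hash -ne $ExpectedSha256.ToUpperInvariant()) {
        $result.Reason = "hash mismatch $hash"; return [pscustomobject]$result
    }

    $result.Trusted = $true; $result.Reason = 'signature, signer and hash all match'
    [pscustomobject]$result
}

# Usage (all values are placeholders): run the installer only when Trusted is $true.
# $check = Test-InstallerTrust -Path 'C:\Temp\installer.exe' `
#            -ExpectedSubject 'CN=<publisher placeholder>' -ExpectedSha256 '<sha256 placeholder>'
# if ($check.Trusted) { Start-Process -FilePath $check.Path -Wait } else { Write-Warning $check.Reason }
```

Run it with -Path pointing at any signed executable on disk to see which of the three checks fails first; the order matters, because the hash comparison alone would not tell you who signed the file.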
 
This could explain the locoregional targeting.
Yeah, that was the original speculation. The developer has since added more details, including 1) a shared compromised server and 2) possibly an internal infrastructure compromise of the hosting service, which appeared to allow ongoing redirection after server access was terminated. That's why they have moved to another hosting service.

The tweet about the GH compromise hasn't been confirmed/substantiated. Bad mark for Windows Central's tweets.

edited: updated about Github account compromise.
 
The tweet doesn't make sense, though. You don't need the dev account takeover to fork. More details needed.
The X timeline is occupied by a plethora of data and speculations.

If the culprit is only the update file, it represents no issue for me; except for MS Office and Edge, all apps on my PC are updated by downloading the whole new, offline installer.
 
I meant to say, of course, they can share their views but rather in their personal social media accounts and such if they want. For example, the Julian Assange case was also political and I have seen the uBO creator Raymond Hill share his views regarding the treatment of Julian Assange on his X account more than once. He was always in support of him. But he never brought those into uBO changelogs or any other uBO-related discussions.
Software, especially good free software, is created for all and used by people of all backgrounds. So bringing politics into it can often create unnecessary problems.
Yes, but the author/dev owns and creates the software; it's their right to make whatever political statement or political view public through their software.

It's only a problem if the content is racist or abusive, but what they choose to promote is up to them. If you don't agree with their views, you don't have to use it, like many do.
 
Yes, but the author/dev owns and creates the software; it's their right to make whatever political statement or political view public through their software.

It's only a problem if the content is racist or abusive, but what they choose to promote is up to them. If you don't agree with their views, you don't have to use it, like many do.
I already explained in my initial comment why making software political can put a target on their back. So I'm talking from that sense, not about rights or morality. People even have the right to be racist. So having the rights has nothing to do with it.
Notepad++ is excellent software which I have been using for a long time, so the quality of the software is more important to me than his desire to add political messages. I hope the dev has tightened the security so that what has happened can be avoided in the future.
 
The reported IP "95.179.213.0" description
French, not Chinese!
 

Having checked our telemetry related to this incident, we have been amazed to find out how different and unique were the execution chains used in this supply chain attack. We identified that over the course of four months, from July to October 2025, attackers who have compromised Notepad++ have been constantly rotating C2 server addresses used for distributing malicious updates, the downloaders used for implant delivery, as well as the final payloads.
Even Kaspersky found something unique and "amazing". 😮 They also repeated IOCs reported by Rapid7, which seems unusual.

We observed three different infection chains overall designed to attack about a dozen machines, belonging to:
  • Individuals located in Vietnam, El Salvador and Australia;
  • A government organization located in the Philippines;
  • A financial organization located in El Salvador;
  • An IT service provider organization located in Vietnam.
Despite the variety of payloads observed, Kaspersky solutions have been able to block the identified attacks as they occurred.
Nice, now we have more targets that probably don't fit "East Asians":

The Rapid7 article also shows telemetry from China, Taiwan, and Japan, but not S. Korea.
 
Notepad++ provides a summary for the worried, linking to the former hosting provider, Rapid7, and Kaspersky.

Interestingly, Rapid7's file IOCs have all been picked up by MD, but not by Avast/AVG. I wonder what's up with that. Would Avast's hardened mode protect the targeted users?

Also, interestingly, Kaspersky still manages to capture malicious files that haven't been uploaded to VT. Maybe some targeted users use Kaspersky?
 
More info from Unit 42.


Unit 42 also found that this threat activity is targeting more sectors and more regions than previously reported.

This campaign also affected the following sectors in South America, the U.S., Europe and Southeast Asia:
  • Cloud hosting
  • Energy
  • Financial
  • Government
  • Manufacturing
  • Software development
Notepad++ is a lightweight, open-source code editor and text replacement utility. This tool is widely favored for its speed, extensive plugin ecosystem and unique ability to handle massive data files while persisting sessions that users have not yet saved.

In enterprise environments, Notepad++ often serves as a foundational instrument for system administrators, network engineers and DevOps personnel. These personnel commonly use this tool to modify server configurations, parse heavy system logs and audit code on secure jump boxes where heavier applications are impractical.

This specific user demographic makes Notepad++ a strategically critical target for threat actors. Compromising this single tool allows attackers to effectively bypass perimeter defenses and piggyback into the sessions of the most privileged users in the organization, gaining implicit administrative access to the network's core infrastructure.
 