Rapid response · 1 MIN READ · AARON WALTON · FEB 2, 2026
TL;DR
- The developer of Notepad++ disclosed an incident where actors identified a means to tamper with the delivery of automatic updates
- Impact is limited, but this is a popular tool among IT professionals and users should be aware
- Initial research from Rapid7 provides indicators of compromise and further details of the incident
What happened
The developer of Notepad++ disclosed an incident involving their hosting provider in which actors found a means to tamper with the delivery of automatic updates. The impact is limited.
The actor was able to manipulate the automatic download so that some users received malicious payloads. According to several sources (cited below), the attacker directed the malicious download only at specific target organizations, primarily located in Southeast Asia. So although the attack sounds as though it could have affected many users, this targeting meant the supply chain attack only impacted a small number of organizations.
Why it matters
Based on one report from October, the malware was used for remote access: attackers used it to pull an additional payload that was staged on the site temp.sh.
Notepad++ is a popular text editing tool among IT professionals. The incident disclosure gave defenders little information beyond the fact that an incident had occurred. Several sources indicate that the activity was limited to a few specific targets.
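One concrete thing a defender can do with the information above is hunt their own network telemetry for update-related traffic to the staging site. The following is an added example written for this post; it is not code from the original article, from Rapid7, or from the Notepad++ project. The log format, the host names, and the sample records are constructed for the example, and the updater process name `gup.exe` (the Notepad++ update helper) is an assumption you should verify against the binaries in your own environment.

```python
"""Hunt EDR/proxy-style network telemetry for connections to temp.sh.

Added example, not from the original post or the Notepad++ project.
Assumptions (constructed for this example):
  - log lines are tab-separated: timestamp, host, process, dest_host, dest_port
  - 'gup.exe' is the Notepad++ updater process (verify in your environment)
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Domain named in the incident reports as the second-stage staging site.
# Subdomains are matched as well.
SUSPECT_DOMAINS = ("temp.sh",)

# Updater process name is an assumption for this example.
UPDATER_PROCESSES = {"gup.exe"}

# Constructed sample telemetry; not real data from the incident.
SAMPLE_LOG = """\
2025-11-26T08:01:12Z\tws-042\tgup.exe\tnotepad-plus-plus.org\t443
2025-11-26T08:01:14Z\tws-042\tgup.exe\ttemp.sh\t443
2025-11-26T08:03:40Z\tws-017\tchrome.exe\tcdn.example.net\t443
2025-11-26T08:05:02Z\tws-042\tupdater.exe\tfiles.temp.sh\t443
2025-11-26T08:06:55Z\tws-099\tgup.exe\tnotepad-plus-plus.org\t443
"""


@dataclass(frozen=True)
class NetEvent:
    ts: str
    host: str
    process: str
    dest: str
    port: int


def parse_line(line: str) -> Optional[NetEvent]:
    """Parse one tab-separated record; return None for malformed lines
    so a truncated export does not abort the whole hunt."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 5:
        return None
    ts, host, proc, dest, port = parts
    try:
        port_i = int(port)
    except ValueError:
        return None
    # normalise case and a trailing dot so matching is not fooled by either
    return NetEvent(ts, host, proc.lower(), dest.lower().rstrip("."), port_i)


def is_suspect_domain(dest: str, suspects=SUSPECT_DOMAINS) -> bool:
    """Exact match or subdomain only; a plain substring test would also
    flag unrelated names such as 'temp.shop.example' or 'mytemp.sh'."""
    return any(dest == d or dest.endswith("." + d) for d in suspects)


def hunt(log_text: str) -> List[dict]:
    """Return findings for every connection to a suspect domain.
    Severity is 'high' when the updater process itself made the
    connection, 'medium' for any other process."""
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or not is_suspect_domain(ev.dest):
            continue
        sev = "high" if ev.process in UPDATER_PROCESSES else "medium"
        findings.append({"severity": sev, "ts": ev.ts, "host": ev.host,
                         "process": ev.process, "dest": ev.dest})
    return findings


def affected_hosts(log_text: str) -> Set[str]:
    """Distinct hosts that need triage."""
    return {f["host"] for f in hunt(log_text)}


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ts']} {f['host']} "
              f"{f['process']} -> {f['dest']}")
    print("hosts to triage:", sorted(affected_hosts(SAMPLE_LOG)))
```

Run it against an export from your proxy or EDR after adjusting the field layout; a hit from the updater process is the strongest signal, but any process reaching the staging domain deserves a look, since the second-stage payload is what is pulled from there. The suffix match is deliberate: a naive substring check on "temp.sh" produces noisy false positives.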
IOCs
See the analysis and information from Rapid7: https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
References
- https://notepad-plus-plus.org/news/hijacked-incident-info-update/
- https://community.notepad-plus-plus.org/topic/27212/autoupdater-and-connection-temp-sh?_=1764189225468
- https://doublepulsar.com/small-numbers-of-notepad-users-reporting-security-woes-371d7a3fd2d9
