{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreid4bs6jols5nzwdal63ozffzco3netr2qoh6cn4gtfazsbmmgzyhy",
    "uri": "at://did:plc:7vacwiv4432xhhagpfni4cjw/app.bsky.feed.post/3me2w5lboy4j2"
  },
  "coverImage": {
    "$type": "blob",
    "ref": {
      "$link": "bafkreihihxhmnovw2dqoye4auvdcza5o5su7h3vagwf2lnxf5mmcjfps4m"
    },
    "mimeType": "image/webp",
    "size": 31412
  },
  "description": "Updated May 2026\n\nNotepad++ update servers were compromised from June through December 2025 by a Chinese state-sponsored threat group. The attackers hijacked the hosting infrastructure to deliver custom backdoors and Cobalt Strike payloads to targeted organisations across government, finance, and IT sectors.\n\nMany of us use Notepad++ for log analysis, config editing, or code review, so you need to verify your installation. Here is what happened, how to check if you are affected, and what defenders ",
  "path": "/notepad-supply-chain-attack/",
  "publishedAt": "2026-02-04T22:25:01.000Z",
  "site": "https://blog.cyberdesserts.com",
  "tags": [
    "Notepad RCE",
    "attackers exploited",
    "npm security threats",
    "Gartner supply chain security retrospective",
    "https://notepad-plus-plus.org/news/hijacked-incident-info-update/",
    "https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/",
    "https://securelist.com/notepad-supply-chain-attack/118708/"
  ],
  "textContent": "_Updated May 2026_\n\n* * *\n\nNotepad++ update servers were compromised from June through December 2025 by a Chinese state-sponsored threat group. The attackers hijacked the hosting infrastructure to deliver custom backdoors and Cobalt Strike payloads to targeted organisations across government, finance, and IT sectors.\n\nMany of us use Notepad++ for log analysis, config editing, or code review, so you need to verify your installation. Here is what happened, how to check if you are affected, and what defenders should look for.\n\n## What Happened\n\nThis was not a vulnerability in Notepad++ itself. Attackers compromised the shared hosting provider that hosted the Notepad++ website and update infrastructure. According to the hosting provider's statement, the server was fully compromised until September 2, 2025. Even after losing direct server access, attackers retained credentials to internal services until December 2, 2025, allowing them to continue redirecting update traffic.\n\nThe attack specifically targeted the update mechanism. Older versions of Notepad++ did not cryptographically verify that updates actually came from legitimate sources. Attackers exploited this gap to serve malicious installers to selected targets.\n\nRapid7's MDR team discovered a previously undocumented backdoor they named Chrysalis during incident response on an affected system. Ivan Feigl and the Rapid7 Labs team published detailed malware analysis showing sophisticated capabilities including encrypted C2 communications, multiple persistence mechanisms, and a full interactive reverse shell.\n\nKaspersky's GReAT team independently identified three distinct infection chains used between July and October 2025. Georgy Kucherin and Anton Kargin documented how attackers rotated their delivery methods, downloaders, and final payloads roughly once per month to avoid detection.\n\n## Who Was Targeted\n\nThis was a targeted operation, not mass distribution. Kaspersky's telemetry identified attacks against:\n\n  * A government organisation in the Philippines\n  * A financial organisation in El Salvador\n  * An IT service provider in Vietnam\n  * Individual users in Vietnam, El Salvador, and Australia\n\nMultiple security researchers assessed the threat actor as Lotus Blossom, a Chinese state-sponsored group active since 2009. The selective targeting explains why most Notepad++ users never encountered the malicious updates.\n\n* * *\n\nSee the related Notepad RCE issue reported recently.\n\n## Why Developer Workstations Are the Blindspot\n\nThe C2 domains used in this campaign were deliberately chosen to blend into normal developer traffic: cdncheck.it.com, safe-dns.it.com, api.wiresguard.com, api.skycloudcenter.com. These look like legitimate infrastructure services.\n\nDeveloper and admin workstations typically have the most permissive network policies in an organisation. They need access to package registries, documentation sites, APIs, and cloud services. This creates exactly the conditions attackers exploited.\n\n**What could have helped:**\n\n  * **Zero trust egress policies** with domain allowlisting rather than default-allow\n  * **DNS monitoring** for unusual resolution patterns or newly registered domains\n  * **Blocking temp.sh**, which attackers used to exfiltrate system information\n  * **Network segmentation** that applies to privileged users, not just general endpoints\n\nThe problem is that most organisations do not apply the same network controls to developer workstations that they apply to standard user endpoints. This attack demonstrates why that gap is dangerous.\n\n## How to Check If You Are Affected\n\n**Step 1: Check your version**\n\nOpen Notepad++ and go to Help, then About Notepad++. Any version before 8.8.9 lacked the security enhancements that verify update authenticity.\n\n**Step 2: Update immediately**\n\nDownload version 8.9.1 directly from notepad-plus-plus.org. Do not rely on the auto-updater if you are running an old version. Run the installer manually to update.\n\n**Step 3: Check for indicators of compromise**\n\nThe infection chains created specific artifacts that defenders can hunt for.\n\n**File system indicators:**\n\n  * NSIS installer temp directory: `%localappdata%\\Temp\\ns.tmp`\n  * Malicious payload directories: `%appdata%\\ProShow`, `%appdata%\\Adobe\\Scripts`, `%appdata%\\Bluetooth`\n  * Suspicious files: `load`, `alien.ini`, `BluetoothService` in those directories\n\n**Network indicators:**\n\n  * DNS queries to temp.sh (unusual in corporate environments)\n  * HTTP requests with temp.sh URLs embedded in the User-Agent header\n  * Connections to: 45.76.155.202, 95.179.213.0, 45.77.31.210\n  * Domains: cdncheck.it.com, safe-dns.it.com, self-dns.it.com, api.skycloudcenter.com, api.wiresguard.com\n\n**Command execution patterns:**\n\nThe malware executed reconnaissance commands in sequence: `whoami`, `tasklist`, `systeminfo`, `netstat -ano`. Look for this pattern in endpoint detection logs, particularly when spawned by processes in the Notepad++ directory or %appdata% locations.\n\n## What Changed in the Fix\n\nVersion 8.8.9 introduced certificate and signature verification for downloaded installers. The upcoming version 8.9.2, expected within a month, will add XMLDSig signing of the update manifest XML and enforce verification by default.\n\nThe core issue was trust without verification. Older versions trusted that anything served from the update URL was legitimate. The fix ensures cryptographic verification of both the update metadata and the installer binary itself.\n\n## The Bigger Picture\n\nThis attack follows the same pattern seen in software supply chain compromises across the ecosystem. Attackers target the distribution mechanism rather than the code itself. They compromise update servers, package registries, or build pipelines to reach downstream users who trust those sources.\n\nFor a deeper look at supply chain security patterns and defences, see our coverage of npm security threats and the Gartner supply chain security retrospective.\n\nAs we have seen many times, the developer toolchain is part of your attack surface. Every software update mechanism represents a trust relationship. If that trust is not verified cryptographically, you are depending on the security of every system between the vendor and your endpoint.\n\n## Key Takeaways\n\n  * **Update to version 8.9.1 immediately** by downloading directly from the official site\n  * **Hunt for detection signals** including temp.sh DNS queries, the shell command sequence, and suspicious %appdata% directories\n  * **Review egress controls** on developer and admin workstations where permissive policies enabled this attack\n  * **Audit update mechanisms** in your software deployment pipeline for cryptographic verification\n\n* * *\n\n_Last updated: February 2026_\n\n## References and Sources\n\n  1. **Notepad++ Development Team**. (2026). _Hijacked Incident Info Update_. Official disclosure including hosting provider statement and remediation timeline. https://notepad-plus-plus.org/news/hijacked-incident-info-update/\n  2. **Rapid7 Labs**. (2026). _The Chrysalis Backdoor: A Deep Dive into Lotus Blossom's Toolkit_. Technical malware analysis by Ivan Feigl covering initial access, DLL sideloading, and backdoor capabilities. https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/\n  3. **Kaspersky GReAT**. (2026). _The Notepad++ Supply Chain Attack: Unnoticed Execution Chains and New IoCs_. Analysis by Georgy Kucherin and Anton Kargin documenting three infection chains and comprehensive indicator list. https://securelist.com/notepad-supply-chain-attack/118708/\n\n* * *",
  "title": "Notepad++ Compromised for 6 Months: Check Your Version Now",
  "updatedAt": "2026-05-15T00:18:46.412Z"
}