
Notepad++ Update Mechanism Hijacked

  • February 2, 2026
  • 12 comments
  • 103 views

Geoff Burke

This is not good news for the large number of people who love to use Notepad++

When I was running production Veeam environments it was my go-to text editor for logs, notes and various other activities.

It would seem a state actor was able, through a 3rd party, to gain access, and the activity occurred from after June 2025 until November.

Read more here:


https://thehackernews.com/2026/02/notepad-official-update-mechanism.html

12 comments

Chris.Childerhose
  • Veeam Legend, Veeam Vanguard
  • February 3, 2026

Wow, that is scary. I use this program daily for logs, etc. with Veeam as it is such an amazing tool for search. Here is hoping they patched it.


vAdmin
  • Influencer
  • February 3, 2026

Yes, it is a widely used essential tool, like PuTTY.

From the official website, https://notepad-plus-plus.org/news/hijacked-incident-info-update/, it looks like the problem was mitigated after 2nd December 2025.

So it is better to just manually upgrade the existing version to v8.9.1.



Chris.Childerhose
  • Veeam Legend, Veeam Vanguard
  • February 3, 2026

Good to see they addressed it at the end of last year. Time to check my version and update if needed.


dips
  • On the path to Greatness
  • February 3, 2026

Rapid7 has a great write-up:

The Chrysalis Backdoor: A Deep Dive into Lotus Blossom’s toolkit

Indicators of compromise (IoCs) as follows:


MITRE TTPs (ATT&CK ID - Name):

  • T1204.002 - User Execution: Malicious File
  • T1036 - Masquerading
  • T1027 - Obfuscated Files or Information
  • T1027.007 - Obfuscated Files or Information: Dynamic API Resolution
  • T1140 - Deobfuscate/Decode Files or Information
  • T1574.002 - DLL Side-Loading
  • T1106 - Native API
  • T1055 - Process Injection
  • T1620 - Reflective Code Loading
  • T1059.003 - Command and Scripting Interpreter: Windows Command Shell
  • T1083 - File and Directory Discovery
  • T1005 - Data from Local System
  • T1105 - Ingress Tool Transfer
  • T1041 - Exfiltration Over C2 Channel
  • T1071.001 - Application Layer Protocol: Web Protocols (HTTP/HTTPS)
  • T1573 - Encrypted Channel
  • T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys
  • T1543.003 - Create or Modify System Process: Windows Service
  • T1480.002 - Execution Guardrails: Mutual Exclusion
  • T1070.004 - Indicator Removal on Host: File Deletion


Link State
  • Veeam Legend
  • February 3, 2026

Thank you @Geoff Burke for sharing.


DaStivi
  • Veeam Legend
  • February 3, 2026

As far as I understood from the reports, Notepad++ itself was not directly compromised. Instead, a hosting provider that served files for the Notepad++ updater was breached.

When specific IP addresses requested metadata files, the attackers delivered manipulated responses and redirected certain update requests to malicious locations.

Pretty scary overall—it really makes you think about where and how you use certain tools. But honestly, this kind of supply‑chain attack could happen anywhere… even to first‑party tools or operating system update services.

Edit: And running Notepad++ as Administrator—which is often required when editing system configuration files—obviously is a huge issue here. If the application is running elevated, the updater runs elevated too, which means any compromised update payload is also executed with admin privileges. 🫣


CMF
  • Veeam Legend
  • February 3, 2026

Thanks for sharing ​@Geoff Burke !


Iams3le
  • February 3, 2026


… this shows that even trusted open-source software can be compromised at the infrastructure level, enabling targeted malware delivery via legitimate update channels. It underlines the need for strong cryptographic update verification, hardened hosting, and end-to-end integrity checks.


Andanet
  • Veeam Legend
  • February 3, 2026

After reading the article I'm thinking about the best actions to take:

So I've decided to have a clean, fresh installation, so I applied these steps:

  • Uninstall Notepad++ from the Control Panel.
  • Manually delete the installation folder in C:\Program Files\Notepad++ and also %APPDATA%\Notepad++
  • Download the latest version 8.9.1 from https://notepad-plus-plus.org/
  • Install the new version.

What do you think? Now, could it be useful to use another editor in order to work securely?

Just evaluating VSCodium.



AndrePulia
  • Veeam Vanguard
  • February 3, 2026

@Geoff Burke It's really important to know this, thank you for sharing.


Link State
  • Veeam Legend
  • February 3, 2026


I use the portable version.

It is preferable to use the portable version.
In this specific scenario, using the portable version can reduce the risks associated with the compromised automatic update mechanism.

The portable version does not necessarily use WinGUp or the same automatic update mechanism. If you manually download an official zip archive and extract it, no automatic update process is performed. This eliminates the attack vector linked to the compromised updater.

It reduces the attack surface on the client side. With portable, you avoid background services that connect to remote servers for updates.

Regards
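As an added example (my own code, not from the thread or from the Notepad++ project) tying together Andanet's manual reinstall steps above and the point about the WinGUp auto-updater: a PowerShell pre-install check that reports the installed version and whether the updater component is present, and refuses to proceed unless the downloaded installer's Authenticode signature is valid and its SHA-256 matches a value obtained out of band. The installer path and the expected hash are assumptions the admin fills in; the default hash is a placeholder.

```powershell
# Added example, not code from the thread or the Notepad++ project. Run from an
# elevated PowerShell prompt. $InstallerPath and $ExpectedSha256 are assumptions
# the admin fills in; the hash must come from an out-of-band source, and the
# default below is a placeholder, not a real value.
param(
    [string]$InstallerPath   = "$env:USERPROFILE\Downloads\npp-installer.exe",  # assumed file name
    [string]$ExpectedSha256  = "<PASTE-OFFICIAL-SHA256-HERE>",                  # placeholder
    [version]$MinimumVersion = [version]"8.9.1"                                  # version named in the thread
)

$installDir = "C:\Program Files\Notepad++"        # install folder named in the thread
$exe        = Join-Path $installDir "notepad++.exe"
$failures   = @()

# 1. Report the installed version so you know whether an upgrade is needed, and
#    whether the bundled auto-updater (WinGUp, updater\GUP.exe) is present.
if (Test-Path $exe) {
    $installed = (Get-Item $exe).VersionInfo.FileVersionRaw
    Write-Host "Installed Notepad++ version: $installed"
    if ($installed -lt $MinimumVersion) { Write-Host "  -> older than $MinimumVersion, upgrade needed" }
    if (Test-Path (Join-Path $installDir "updater\GUP.exe")) { Write-Host "  -> auto-updater present" }
} else {
    Write-Host "Notepad++ not found at $installDir"
}

# 2. The installer must carry a valid Authenticode signature. Print the signer so
#    you can confirm it is the publisher you expect, not just 'Valid'.
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
Write-Host "Signature status: $($sig.Status)"
if ($sig.Status -ne 'Valid') {
    $failures += "Authenticode signature is $($sig.Status)"
} else {
    Write-Host "Signer: $($sig.SignerCertificate.Subject)"
}

# 3. The SHA-256 must match the value obtained out of band. A hash published at the
#    same location as the download proves nothing if that location is the compromised one.
$actual = (Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash
Write-Host "SHA-256: $actual"
if ($actual -ne $ExpectedSha256.Trim()) {   # PowerShell string -ne is case-insensitive
    $failures += "SHA-256 does not match the expected value"
}

if ($failures.Count -gt 0) {
    Write-Host "DO NOT INSTALL:"
    $failures | ForEach-Object { Write-Host "  - $_" }
    exit 1
}
Write-Host "Checks passed; proceed with the install."
```

The signer subject is printed rather than hard-coded on purpose: compare it yourself against the publisher shown on the project's own release page, since a signature that is merely "Valid" only proves someone signed the file, not who.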


Link State
  • Veeam Legend
  • February 5, 2026