HeadlinesBriefing.com

Notepad++ Supply Chain Attack Analysis


A recent supply chain attack on Notepad++, the popular open-source text editor, turned out to be a sophisticated, multi-stage intrusion. Between late July and October 2025, attackers abused the editor's update infrastructure after compromising its hosting provider, and they retained access to internal services until December 2025. Multiple execution chains and payloads were used against individuals and organizations in Vietnam, El Salvador, Australia, and the Philippines.

The first execution chain, identified in late July, delivered a malicious Notepad++ update served from a URL named in the analysis. The update was an NSIS installer that collected system information, sent it to the attackers, and then executed a second-stage payload. According to the analysis, the chain abused a vulnerability in ProShow software, which removed the need for DLL sideloading. The chain ended in a Cobalt Strike Beacon, giving the attackers interactive post-exploitation access to the host.

A second execution chain, observed in September, used a different update URL and a different payload. It again collected and exfiltrated system information before delivering its next stage, showing that the attackers rotated infrastructure and tooling while keeping the same overall design. Kaspersky reports that its products blocked both chains.

The incident is a reminder that an update channel is only as trustworthy as the infrastructure behind it. Once the hosting provider was compromised, malicious installers could be served under the project's own name, so a client that trusts a download because of where it came from, or checks it against a hash fetched over the same channel, gains nothing. The practical defenses are end-to-end integrity checks on updates, with installers verified against a manifest signed by a key that is held outside the hosting infrastructure, and continuous monitoring of the update infrastructure itself for unauthorized access.
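The following is an added example, not code from Notepad++, Kaspersky, or this article, showing the shape of the check described above: an update client that carries a pinned publisher key and a host allowlist, verifies an Ed25519 signature over the manifest before trusting anything in it, and only then compares the installer's SHA-256 with the signed hash. The manifest format, the host `updates.example.invalid`, the version string and all installer bytes are constructed for the demo, and the key pair is generated at runtime only so the program runs stand-alone; in a real deployment the private key is never present on the update servers.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// Manifest is a hypothetical update descriptor: the client fetches it along
// with a detached signature, and it is the only place a trusted hash lives.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
}

// UpdateClient carries the trust anchors that ship inside the program binary.
// Neither value is ever fetched from the update server at runtime.
type UpdateClient struct {
	PublisherKey ed25519.PublicKey // public half of a key held offline
	AllowedHosts map[string]bool   // hosts an installer may be fetched from
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify")
	ErrBadHost      = errors.New("download URL is not https on an allowed host")
	ErrHashMismatch = errors.New("installer hash differs from signed manifest")
)

// Verify is the gate an installer must pass before it is written to disk or
// run. Order matters: nothing in the manifest is trusted until the signature
// over its exact bytes has been checked.
func (c *UpdateClient) Verify(manifestJSON, sig, installer []byte) (*Manifest, error) {
	if !ed25519.Verify(c.PublisherKey, manifestJSON, sig) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, err
	}
	u, err := url.Parse(m.URL)
	if err != nil || u.Scheme != "https" || !c.AllowedHosts[u.Hostname()] {
		return nil, ErrBadHost
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, ErrHashMismatch
	}
	return &m, nil
}

// signedManifest builds and signs a manifest for the given installer bytes.
func signedManifest(priv ed25519.PrivateKey, version, dl string, installer []byte) (manifest, sig []byte) {
	sum := sha256.Sum256(installer)
	manifest, _ = json.Marshal(Manifest{Version: version, URL: dl, SHA256: hex.EncodeToString(sum[:])})
	return manifest, ed25519.Sign(priv, manifest)
}

// RunScenario models a compromised download host with constructed data. The
// publisher key pair is generated here only for the demo; in a real deployment
// the private key never touches the update infrastructure.
func RunScenario() (genuine, swappedInstaller, foreignSigner error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	client := &UpdateClient{
		PublisherKey: pub,
		AllowedHosts: map[string]bool{"updates.example.invalid": true}, // hypothetical host
	}
	const dl = "https://updates.example.invalid/editor-8.8.exe" // hypothetical URL

	realInstaller := []byte("constructed stand-in for the genuine installer")
	manifest, sig := signedManifest(priv, "8.8", dl, realInstaller)
	_, genuine = client.Verify(manifest, sig, realInstaller)

	// Case 1: the host serves a malicious installer but cannot alter the
	// signed manifest, so the hash check catches the swap.
	evil := []byte("constructed stand-in for a malicious NSIS installer")
	_, swappedInstaller = client.Verify(manifest, sig, evil)

	// Case 2: the attacker also forges a manifest that matches the malicious
	// file and signs it with a key of their own; the pinned key rejects it.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	evilManifest, evilSig := signedManifest(attackerPriv, "8.8", dl, evil)
	_, foreignSigner = client.Verify(evilManifest, evilSig, evil)
	return genuine, swappedInstaller, foreignSigner
}

func main() {
	g, s, f := RunScenario()
	fmt.Println("genuine update:", g)
	fmt.Println("swapped installer:", s)
	fmt.Println("foreign signer:", f)
}
```

The two failure cases are exactly what a compromised hosting provider can do: replace the file, or replace both the file and the descriptor that vouches for it. Both are rejected because the hash the client compares against is bound to a signature that the hosting provider cannot produce. The check is worthless if the signing key lives on the same servers, or if the client accepts a hash published next to the download without a signature, which is why the key is pinned in the client and held elsewhere.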