PowerBASIC Users Meeting Point
Notepad++ hacked - Printable Version

Thread: Notepad++ hacked (http://pump.richheimer.de/showthread.php?tid=116)

Notepad++ hacked - Stanley Durham - 03.02.2026

Chinese Hackers Remote Executed Code Via Notepad++ for 6 Months
_______________________________________________________

Please do not post any Youtube links (and others) without comment.

Thank you
Albert (PUMP admin)


RE: Notepad++ hacked - Stanley Durham - 03.02.2026

I did a Google AI Mode search for “Notepad++ hacked”.
Amongst the information was this.

“Check for Indicators: Advanced users can check for a hidden directory named Bluetooth in the %AppData% folder, which was a known behavior of the malicious update script.”

So, I asked how to do that.

Method 3: Using Command Prompt (Most Accurate)
This command lists all hidden directories in your AppData folder specifically.
Press Win + S, type cmd, and press Enter.
Copy and paste the following command, then hit Enter:

Code:
dir /a:h %AppData%

Scan the list for a directory named Bluetooth.

Fortunately, I didn’t have it.
Remember, AI sometimes just makes things up.


RE: Notepad++ hacked - Dale Yarker - 04.02.2026

Since we code, I thought some PB rather than Command Prompt is appropriate.
Code:
'PBWin 9 / 10 or PBCC 5 / 6
'
#compile exe
#dim all
#if %def(%pb_cc32) 'ignored by PBWin compiler
  #console off     'no unneeded console window by PBCC
#endif
'
function pbmain () as long
  local hTWin as dword
  local AppDataPath, Target, A_File as wstring
  local FoundFolder as long
  local FolderDat as dirdata
  AppDataPath = environ$("APPDATA")
  Target = "\TestHidden\"$$ 'make more generic with TXT.LINE.INPUT or COMMAND$
           '\Microsoft\ ''for test on an existing
           '\TestHidden\ ''I created on my pc with hidden attribute for testing
           '\Bluetooth\ ''subject directory, hopefully you don't find
  txt.window ("Search For Hidden Directory In AppData", 300, 150, 15, 50) to hTWin
  '
  txt.print build$("Search in: "$$, AppDataPath)
  txt.print build$("For subdirectory: "$$, Target)
  Target =  build$(AppDataPath, Target)
  txt.print '
  FoundFolder = isfolder(Target) 'ISFOLDER finds the directory whether hidden or not
  if FoundFolder then
    txt.print "The directory/folder "$$;
    txt.color = %rgb_red - &hF
    txt.print "exists."$$
    txt.print "Press ""D"" or ""d"" to delete it, any other key to leave it."$$
    if ucase$(txt.waitkey$) = "D" then 'delete only after the user confirms
      do
        'mask 6 = hidden + system files, returned in addition to normal files
        A_File = dir$(Target + "*.*"$$, 6)
        if len(A_File) then
          setattr Target + A_File, 0 'kill won't delete hidden files.
          kill Target + A_File
        else
          exit loop
        end if
      loop
      rmdir Target 'RMDIR needs the directory to be empty
      txt.print "Deleted."$$
    else
      txt.print "Left in place."$$
    end if
  else
    txt.print "The directory/folder was "$$;
    txt.color= %rgb_forestgreen
    txt.print "not found."$$
  end if
  '
  txt.color = %rgb_green
  txt.print
  txt.print
  txt.print "Any key to close."$$
  txt.waitkey$
end function
An empty hidden folder is not much of a threat; ISFOLDER works either way.
DIR$ is a bit more complicated, and needs a file in the hidden folder to find the folder.
edit - added KILL for contained files. RMDIR needs the directory to be empty to delete it.

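For readers who would rather run the same check from PowerShell, here is an added example (not posted by anyone in this thread). It lists the hidden subdirectories of %AppData%, flags the "Bluetooth" name quoted from the AI summary earlier in the thread, and, if that folder exists, records the names, sizes and SHA-256 hashes of its contents instead of deleting anything, so the evidence survives for whoever handles the incident. The indicator name is the only assumption; adjust it if your own IoC list differs.

```powershell
# Added example: report hidden directories under %AppData% and flag the
# "Bluetooth" indicator named in this thread. Reports only; deletes nothing.
$appData   = $env:APPDATA
$indicator = 'Bluetooth'   # directory name taken from the thread (assumption: adjust to your IoC list)

# -Force includes hidden/system entries; -Directory restricts to folders.
# Keep only entries that actually carry the Hidden attribute.
$hiddenDirs = Get-ChildItem -LiteralPath $appData -Directory -Force |
    Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 }

"Hidden directories under $appData :"
foreach ($d in $hiddenDirs) {
    $flag = if ($d.Name -ieq $indicator) { 'MATCH' } else { '' }
    '{0,-6} {1,-24} created {2:u}  modified {3:u}' -f $flag, $d.Name, $d.CreationTimeUtc, $d.LastWriteTimeUtc
}

$hit = $hiddenDirs | Where-Object { $_.Name -ieq $indicator }
if ($hit) {
    "Indicator found: $($hit.FullName). Inventory of contents (nothing is modified):"
    Get-ChildItem -LiteralPath $hit.FullName -Recurse -Force -File |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName
                Bytes  = $_.Length
                SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        } | Format-Table -AutoSize
} else {
    "No hidden directory named '$indicator' under $appData."
}
```

Run it from a normal (non-elevated) prompt, since %AppData% is per user and the update feature in question runs as the user too. Hashes of anything found can then be compared against the IoC lists linked later in this thread before a decision is made about removal.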


RE: Notepad++ hacked - George Bleck - 05.02.2026

My team just finished handling this incident where I work. The Rapid7 report has great detail about IoCs: https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/

In a nutshell, it wasn't the CODE of Notepad++ that was compromised; it was the update infrastructure, managed by a hosting provider. Still a supply chain issue, but a subtle difference from something like the SolarWinds incident, where actual application code was infected.

Infections only happened when you used the update feature within Notepad++ during the period of compromise of the hosting provider. Don Ho (the programmer) has indicated that they have switched to another hosting provider and improved the security of the update process using signed resources: https://notepad-plus-plus.org/news/hijacked-incident-info-update/


RE: Notepad++ hacked - Stanley Durham - 05.02.2026

All of this is way over my head, but there was more than one attack and more than one method used.
- Chain #1: late July and early August 2025
- Chain #2: mid- and late September 2025
- Chain #3: October 2025
https://securelist.com/notepad-supply-chain-attack/118708/