05.02.2026, 14:41
(This post was last modified: 05.02.2026, 14:50 by George Bleck.)
My team just finished handling this incident where I work. The Rapid7 report has great detail about IoCs. https://www.rapid7.com/blog/post/tr-chry...s-toolkit/
In a nutshell, it wasn't the CODE of Notepad++ that was compromised, it was the update infrastructure, managed by a hosting provider. Still a supply chain issue, but a subtle difference from something like the SolarWinds incident where actual application code was infected.
Infections only happened when you used the update feature within Notepad++ during the period of compromise of the hosting provider. Don Ho (the programmer) has indicated that they have switched to another hosting provider and improved the security of the update process using signed resources. https://notepad-plus-plus.org/news/hijac...fo-update/
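The post above describes the mitigation as "signed resources", that is, update metadata the client can verify against a key the attacker never had, so that control of the hosting provider alone is no longer enough to push a malicious installer. The following Go program is an added example of that pattern written for this page; it is not Notepad++'s own updater code, and the manifest layout (version, URL, SHA-256), the field names, the hostname `updates.example.invalid`, and the installer bytes are all constructed for the example. It signs a manifest with Ed25519, then shows the client rejecting two things a compromised update host could do: rewrite the manifest to point at a trojanized build (the old signature no longer covers the new bytes), or leave the manifest alone and swap the binary at the download URL (the digest in the signed manifest no longer matches).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the update metadata the client fetches from the update server.
// Constructed for this example; it is not Notepad++'s real update format.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"` // hex SHA-256 of the installer bytes
}

// SignedManifest is the serialized manifest plus a detached signature over it.
type SignedManifest struct {
	Payload   []byte
	Signature []byte
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify against pinned key")
	ErrDigestMismatch = errors.New("installer digest does not match signed manifest")
)

// SignManifest is the publisher-side step, run offline with the private key.
// The update host never sees this key, which is the whole point.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	payload, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// VerifyUpdate is the client-side step: check the manifest signature against a
// public key compiled into the application (pinned, never fetched from the
// update host), then check the downloaded installer against the signed digest.
func VerifyUpdate(pinned ed25519.PublicKey, sm SignedManifest, installer []byte) (Manifest, error) {
	if !ed25519.Verify(pinned, sm.Payload, sm.Signature) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(sm.Payload, &m); err != nil {
		return Manifest{}, err
	}
	if hexDigest(installer) != m.SHA256 {
		return Manifest{}, ErrDigestMismatch
	}
	return m, nil
}

func hexDigest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Result holds the verification outcome for the legitimate release and for
// two attacks that only require control of the update/download host.
type Result struct {
	Legit, TamperedManifest, SwappedInstaller error
}

// RunScenario builds a release, signs it, and replays both attacks against it.
func RunScenario() (Result, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}

	installer := []byte("constructed: bytes of the genuine installer")
	m := Manifest{
		Version: "1.2.3", // constructed version number
		URL:     "https://updates.example.invalid/app-1.2.3.exe",
		SHA256:  hexDigest(installer),
	}
	signed, err := SignManifest(priv, m)
	if err != nil {
		return Result{}, err
	}

	var r Result
	_, r.Legit = VerifyUpdate(pub, signed, installer)

	// Attack 1: the host rewrites the manifest to advertise a trojanized build.
	// Without the private key it can only re-serve the old signature, which
	// was computed over different bytes and therefore fails to verify.
	evil := []byte("constructed: trojanized installer")
	evilPayload, _ := json.Marshal(Manifest{
		Version: "1.2.4",
		URL:     "https://updates.example.invalid/app-1.2.4.exe",
		SHA256:  hexDigest(evil),
	})
	tampered := SignedManifest{Payload: evilPayload, Signature: signed.Signature}
	_, r.TamperedManifest = VerifyUpdate(pub, tampered, evil)

	// Attack 2: the manifest is left untouched and the binary at the download
	// URL is swapped. The signature still verifies, but the digest does not.
	_, r.SwappedInstaller = VerifyUpdate(pub, signed, evil)
	return r, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("legitimate update:", r.Legit)
	fmt.Println("tampered manifest:", r.TamperedManifest)
	fmt.Println("swapped installer:", r.SwappedInstaller)
}
```

The two checks have to be done in this order and on the bytes actually fetched: verifying the signature and then trusting a digest from an unsigned copy of the manifest, or verifying a digest the host itself supplied, collapses back to trusting the host. Note also what this does not protect against: if the signing key lives on the same hosting provider, an attacker with that level of access could simply sign their own manifest, which is why the key stays with the publisher and only the public half ships with the application.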
