• dindonmasker@sh.itjust.works
    3 days ago

    I would like to know starting from which version I should be concerned. I haven’t updated in a while, I think.

    • MangoCats@feddit.it
      3 days ago

      The timeline says the attack started in June of 2025 and continued through Dec 2, 2025. If you installed, updated, or silently updated during that period you may have been targeted / compromised.

      • how_we_burned@lemmy.zip
        2 days ago

        How would you know if you updated?

        My Notepad++ is on 8.9.1 and I have no idea how it’s on that ver (Ninite I think is where I sourced it… maybe it’s auto updating?)

        • MangoCats@feddit.it
          2 days ago

          Odds are you weren’t on the “targeted list”.

          If you don’t know, you’re probably auto updating.

          If you updated or installed in 2025 after June-ish, the safe thing to do is uninstall, then download from the new (theoretically more secure) website and install the new (theoretically more secure) 8.9.1.

          If you were pwned by an update during later 2025, they could disguise just about anything in your Notepad++ and its associated files - make it look perfectly normal, make it act perfectly normal, but have their own malware on your system doing… whatever it is they want it to do.

          I understand one of the things they were doing is running a proxy to carry traffic through your system, so if you see a lot of unexpected network activity (under Windoze how can you tell?) you may have been compromised. But that’s not the only thing they could have done, nobody has really analyzed the attack yet and even after they do, you might have gotten a “special” payload that the analysis team didn’t see…

          • floofloof@lemmy.ca
            1 day ago

            > the safe thing to do is uninstall, then download from the new (theoretically more secure) website and install the new (theoretically more secure) 8.9.1.

            That won’t rescue your system if it is already compromised though. It will just prevent it from being newly compromised in this manner.

            • MangoCats@feddit.it
              1 day ago

              True, but in this case it seems worth doing due to the relatively patient, selective nature of the attack - it would at least clean out a compromised Notepad++ if it had not spread to a wider system compromise yet.

          • how_we_burned@lemmy.zip
            1 day ago

            Unfortunately I do work for a targeted company (we do a lot of secret squirrel stuff) in South East Asia.

            We get a lot of attacks.

            I was looking at the attack and malware they inject (there is a blog post link on the Notepad++ notice) which pointed out how the attack worked. Apparently they run a service called bluetoothservice.exe. I didn’t see anything like that or any of the other stuff they said gets created.

            But then again finding malware isn’t my bag so who knows.

            Pretty sure my updates came via Ninite installer so I’m hoping I wasn’t targeted.

    • Kissaki@feddit.org
      3 days ago

      Every version before the previous one.

      If you haven’t updated you were not vulnerable to the update hijacking.