A global research team discovered that the attackers behind the Notepad++ supply chain compromise targeted multiple organizations across four countries, using at least three distinct infection chains. The attacks occurred between July and October 2025, with the attackers rotating their malware, command-and-control infrastructure, and delivery methods roughly every month.
The only publicly documented attack chain represents the final phase of a longer campaign. Notepad++ developers reported a hosting provider incident in February 2026, revealing that their update infrastructure had been compromised. This incident was previously unknown to the public, leaving organizations unaware of earlier infections.
Each infection chain used its own malicious IP addresses, domain names, execution methods, and payloads, so organizations that scanned only for the October indicators may have missed earlier infections. Kaspersky solutions blocked all identified attacks as they occurred.
The company has published a list of indicators of compromise, including six malicious updater hashes, 14 C2 URLs, and eight malicious file hashes that had not previously been reported. The complete IoC list and technical analysis are available at Securelist.
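The practical consequence of the rotating chains is that a retrospective sweep has to run every phase's indicator set, not just the one that was publicly documented. The following added Python example (not code from Kaspersky, Securelist or the Notepad++ project) sweeps on-disk files and retained proxy history against one IoC set per chain and reports which chains matched; every hash, host, file, path and log line in it is a constructed placeholder, and the chain labels are assumptions made for the example. The real indicators are in the Securelist list referenced above.

```python
"""Retrospective IoC sweep across rotated infection chains.

Added example for this article; not Kaspersky's, Securelist's or the
Notepad++ project's code. Every indicator, file and log line below is a
constructed placeholder; the published IoCs are on Securelist.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes, the form most IoC lists use."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for updater binaries (placeholder bytes, not samples).
UPDATER_CHAIN1 = b"PLACEHOLDER updater dropped by infection chain 1"
UPDATER_CHAIN3 = b"PLACEHOLDER updater dropped by infection chain 3"
UPDATER_CLEAN = b"PLACEHOLDER legitimate updater"

# One IoC set per infection chain. Labels, hashes and hosts are assumptions
# made for this example; they are not the published indicators.
CHAIN_IOCS: dict[str, dict[str, set[str]]] = {
    "chain-1 (earliest)": {
        "file_hashes": {sha256_hex(UPDATER_CHAIN1)},
        "c2_hosts": {"c2-chain1.invalid"},
    },
    "chain-2 (middle)": {
        "file_hashes": set(),
        "c2_hosts": {"c2-chain2.invalid"},
    },
    "chain-3 (final, publicly documented)": {
        "file_hashes": {sha256_hex(UPDATER_CHAIN3)},
        "c2_hosts": {"c2-chain3.invalid"},
    },
}

_URL_HOST = re.compile(r"https?://([^/\s:]+)")


@dataclass(frozen=True)
class Hit:
    chain: str      # which chain's IoC set matched
    kind: str       # "file_hash" or "c2_host"
    evidence: str   # file path or proxy log line that matched


def extract_host(proxy_line: str) -> str | None:
    """Pull the destination host out of a proxy log line containing a URL."""
    m = _URL_HOST.search(proxy_line)
    return m.group(1).lower() if m else None


def sweep(files: dict[str, bytes], proxy_lines: list[str],
          chains: dict[str, dict[str, set[str]]]) -> list[Hit]:
    """Match files and proxy history against every supplied IoC set."""
    digests = {path: sha256_hex(data) for path, data in files.items()}
    hits: list[Hit] = []
    for chain, iocs in chains.items():
        for path, digest in digests.items():
            if digest in iocs["file_hashes"]:
                hits.append(Hit(chain, "file_hash", path))
        for line in proxy_lines:
            host = extract_host(line)
            if host and host in iocs["c2_hosts"]:
                hits.append(Hit(chain, "c2_host", line))
    return hits


def chains_hit(hits: list[Hit]) -> set[str]:
    """Names of the chains that produced at least one hit."""
    return {h.chain for h in hits}


# Constructed host evidence: an early malicious updater still on disk, a
# later beacon to the chain-2 C2 in retained proxy history, and a clean
# current updater. Nothing here relates to the final chain.
HOST_FILES = {
    r"C:\placeholder\Temp\update_jul.exe": UPDATER_CHAIN1,
    r"C:\placeholder\updater\current_updater.exe": UPDATER_CLEAN,
}
PROXY_HISTORY = [
    "2025-08-19T09:14:02Z ws-0421 GET http://c2-chain2.invalid/check.php 200",
    "2025-08-19T09:14:03Z ws-0421 GET https://notepad-plus-plus.org/ 200",
]


def full_sweep() -> set[str]:
    """Sweep with every chain's indicators: finds the two earlier chains."""
    return chains_hit(sweep(HOST_FILES, PROXY_HISTORY, CHAIN_IOCS))


def final_chain_only_sweep() -> set[str]:
    """Sweep with only the publicly documented chain: finds nothing."""
    final = {k: v for k, v in CHAIN_IOCS.items() if k.startswith("chain-3")}
    return chains_hit(sweep(HOST_FILES, PROXY_HISTORY, final))


if __name__ == "__main__":
    print("all chains :", sorted(full_sweep()))             # two earlier chains hit
    print("final only :", sorted(final_chain_only_sweep()))  # empty
```

The sweep keeps one indicator set per chain rather than a single merged list so the output names the phase that matched, which tells an incident responder roughly when the host was first affected and which C2 to look for in older network telemetry.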
Kaspersky’s Georgy Kucherin warned that defenders who checked their systems against the publicly known indicators may be in for a surprise. “The July-September infrastructure was completely different,” he said. “We cannot rule out the existence of additional, as-yet-undiscovered chains.”
Source: https://manilastandard.net/tech/314702169/kaspersky-great-uncovers-hidden-attack-chains-in-notepad-supply-chain-compromise.html