Notepad++ versions and update mechanisms had been compromised since June until December 2025. Please update to 8.9.1 wherever you have this tool. It's unclear what malicious versions of the tool might do. I Recommend activating incident response for affected hosts.
https://notepad-plus-plus.org/news/hijacked-incident-info-update/
@mttaggart What’s worse, the built-in Notepad remains infected with Copilot.
@mttaggart ...So people who did not update their software were not impacted. Checkmate, security nerds!!1
@kevinmirsky Security by obsolescence wins again, baybee!
@kevinmirsky Except actually not, per other replies.
@mttaggart yeah, you'd have to have had it installed prior to compromise and then never updated.
@mttaggart it was a remote access Trojan with a C2, I did a write up in December, nation state espionage stuff
https://doublepulsar.com/small-numbers-of-notepad-users-reporting-security-woes-371d7a3fd2d9
Based on release posts, impacted versions are 8.8.6, 8.8.7, and 8.8.8.
UPDATE: Don't look at just these versions, as the update may not have bumped version numbers.
Known IOCs here, with more likely to come: https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
@mttaggart it was any version impacted as it was the auto update process
@GossiTheDog Right but the server was compromised between September and December, which maps to those versions. So if you're looking for potentially compromised versions, those would be the ones, right?
Indicators of compromise of users would look like post exploit behavior of an RCE vuln in the auto updater process... I haven't looked at details, but if you have process logging (4688s), if you find processes started by the notepad++ process, that is your haystack (not all updates would have been targeted, let's say...) to find the needles, you'll need to go hunting for the malicious update returned by hostile auto updater service.
@mttaggart no, they delivered a Trojanized executable via the update process - not a new version.
@GossiTheDog Ah I see. So the update process didn't bump the version number?
@mttaggart not necessarily. It would just download any .exe you set and run it, there was no signature checking etc.
@mttaggart It's a shame that every app with auto-update isn't verifying the installer's integrity first. I'm glad this is part of the process for Notepad++ now, but it makes me nervous thinking about how many apps don't do this.
@mttaggart ugh. This hit my gaming rig. Do I need to set up elastic at home now? I really don’t want to, but I’m beginning to think it’s not a bad idea given how awful default windows logging is 🙃
@winterknight1337 Sysmon is sufficient, but if you have other machines as well, the Elastic Agent might make sense.
@mttaggart yeah, I haven’t even installed sysmon on the personal rig, because well. It’s for games not work. But I think that’ll be changing now. Is Tay’s sysmon config still the go to? Or is there a better option nowadays?
@winterknight1337 This is it: https://github.com/olafhartong/sysmon-modular
Performance impact is minimal, but I would increase the default logfile size to ~1GB.
@mttaggart awesome. Guess my project tonight is backing up my stuff and reinstalling windows. Maybe I’ll turn it into a blog post too. Thanks for the suggestion!
