In early 2026, Notepad++ developers revealed a major supply chain compromise affecting their update infrastructure between June and December 2025. Originating from a hosting provider-level breach, the attack allowed threat actors to distribute malicious updates via the legitimate GUP.exe process. The campaign targeted diverse entities, including government and financial organizations in Vietnam, the Philippines, El Salvador, and Australia.
Researchers identified three distinct infection chains that evolved over several months to evade detection. These chains used NSIS installers, abused vulnerabilities in legacy software, and leveraged Lua interpreters to deploy advanced payloads such as Cobalt Strike Beacons and the Chrysalis backdoor. The attackers frequently rotated C2 infrastructure and relied on Living-Off-the-Land services like temp.sh for data exfiltration and payload delivery.
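The defensive takeaway from the chains described above is that the legitimate updater (GUP.exe) became the parent of the malicious activity, and that a public drop service (temp.sh) appeared in the network telemetry. The following is an added hunting example, not code from the article or the Notepad++ project: it runs two simple rules over constructed process-creation and network-connection events. The `key=value` telemetry format, the sample file names, and the allowlist of children GUP.exe is expected to launch are assumptions made for this example, not details reported in the incident.

```python
import re
from typing import Dict, Iterable, List

# Assumption for this example: the only children the updater should launch are
# the downloaded Notepad++ installer and a relaunch of the editor itself.
EXPECTED_GUP_CHILDREN = re.compile(
    r"^(npp\..*installer.*\.exe|notepad\+\+\.exe)$", re.IGNORECASE
)

# Public drop/paste service named in the write-up as abused for payload
# delivery and exfiltration. Subdomains are matched as well.
WATCHED_DESTINATIONS = {"temp.sh"}

# Constructed sample telemetry (not real indicators from the incident).
SAMPLE_EVENTS = [
    'type=process parent=GUP.exe image=notepad++.exe cmdline="notepad++.exe"',
    'type=process parent=GUP.exe image=npp.Installer.x64.exe cmdline="npp.Installer.x64.exe /S"',
    'type=process parent=GUP.exe image=lua.exe cmdline="lua.exe stage.lua"',
    'type=process parent=explorer.exe image=lua.exe cmdline="lua.exe script.lua"',
    'type=network image=GUP.exe dest=notepad-plus-plus.org',
    'type=network image=rundll32.exe dest=temp.sh',
]

EVENT_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed key=value telemetry line into a dict,
    stripping the quotes around quoted values such as cmdline."""
    return {k: v.strip('"') for k, v in EVENT_RE.findall(line)}


def analyze(lines: Iterable[str]) -> List[str]:
    """Apply two hunting rules and return one finding string per hit:
    1. GUP.exe spawning a child outside the expected allowlist.
    2. Any process connecting to a watched drop service."""
    findings: List[str] = []
    for line in lines:
        ev = parse_event(line)
        kind = ev.get("type")
        if kind == "process":
            parent = ev.get("parent", "").lower()
            image = ev.get("image", "")
            if parent == "gup.exe" and not EXPECTED_GUP_CHILDREN.match(image):
                findings.append(
                    f"unexpected child of GUP.exe: {image} ({ev.get('cmdline', '')})"
                )
        elif kind == "network":
            dest = ev.get("dest", "").lower()
            if any(dest == d or dest.endswith("." + d) for d in WATCHED_DESTINATIONS):
                findings.append(
                    f"connection to watched drop service {dest} by {ev.get('image', '')}"
                )
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Run as written, the script reports the Lua interpreter launched by GUP.exe and the connection to temp.sh, while ignoring the expected installer and editor relaunch. The same two rules translate directly into EDR or SIEM queries: a parent-process allowlist for the updater, and a destination watchlist for public file-drop services.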