notepad-plus-plus - isotope¹³

Incident Summary

Notepad++ Update Infrastructure Compromise

Attackers compromised Notepad++ update infrastructure at the hosting provider layer and distributed malicious update.exe files through the trusted update path. Between June and October 2025, the operation delivered Cobalt Strike Beacons and Chrysalis backdoors to selected organizations in specific regions.

Date: 2025-06-01 to 2025-10-31
Category: Open Source
Target Surface: Other
Insertion Phase: distribution
Impact: Remote access
Cause: Compromised Infrastructure

What Was Affected

Package notepad-plus-plus

LanguageC++

ComponentApplication

Artifact typeapplication

Domain typevendor

Domain notepad-plus-plus.org

Repository github.com/notepad-plus-plus/notepad-plus-plus

Incident Context

Motive: Espionage
Attribution: Nation-state
Transitive: No
User Impact: 0
Observed Duration: 152 days

Indicators and Changes

Hashes

sha1:8e6e505438c21f3d281e1cc257abdbf7223b7f5a
sha1:90e677d7ff5844407b9c073e3b7e896e078e11cd
sha1:573549869e84544e3ef253bdba79851dcde4963a
sha1:13179c8f19fbf3d8473c49983a199e6cb4f318f0
sha1:4c9aac447bf732acc97992290aa7a187b967ee2c
sha1:821c0cafb2aab0f063ef7e313f64313fc81d46cd
sha1:06a6a5a39193075734a32e0235bde0e979c27228
sha1:ca4b6fe0c69472cd3d63b212eb805b7f65710d33
sha1:f7910d943a013eede24ac89d6388c1b98f8b3717

External References

Source Data

Source record: oss/notepad-plus-plus/meta.yaml