BeepFeb 2

Notepad++ Hijacked by State-Sponsored Hackers

https://lemmus.org/post/19851429

Show threaddindonmaskerFeb 2
I would like to know starting from wich version should i be concerned. I haven’t updated in a while i think.
Show threadMangoCatsFeb 2
The timeline says the attack started in June of 2025 and continued through Dec 2, 2025. If you installed, updated, or silently updated during that period you may have been targeted / compromised.
Show threadSnazzFeb 2
What was the latest version before June 2025?
Show threadpezFeb 3

Looks like 8.8.1 was May 2025 https://notepad-plus-plus.org/news/v881-we-are-with-ukraine/

8.8.2 was June 2025 and has a warning to ignore “false positives” of malware in the update…. Ouch. https://notepad-plus-plus.org/news/8.8.2-available-in-1-week-without-certificate/

Notepad++ v8.8.1 release - We are with Ukraine | Notepad++

Show threadAceBonoboFeb 3
You might have version 8.8.1 or lower, however it might have tried to order update got the vulnerable package instead and then remained on the older version. I think even if you have the older version that’s not a sign that you weren’t compromised.
Show threadpezFeb 3

Fair point. I was assuming the malicious payload would come along with an update on order to hide, but it’s also possible that the malicious payload was delivered without any update to notepad++.

I’ve not seen any IOCs published have you?

Show threadAceBonobo
I’m not sure what you mean. The article states there were remote hands on keyboard noticed in multiple companies. That’s how the vulnerability was discovered.
Feb 4 at 7:22amWeb
Show threadpezFeb 4
I mean IOCs that you can scan for in an environment to see if a machine has been compromised using this vulnerability. Something that tells you if you need to do additional remediation on a machine or just update notepad++ and move on.