Saved February 14, 2026
The article details a supply chain attack on Notepad++, where attackers compromised the update infrastructure between June and September 2025. It outlines various infection chains, unique payloads, and the methods used to gather system information and install malicious software. Kaspersky's solutions successfully blocked these attacks as they unfolded.
On February 2, 2026, the Notepad++ developers disclosed that their update infrastructure had been compromised in a security incident at their hosting provider that lasted from June to September 2025. The attackers retained access to internal services until December 2025, which allowed them to push multiple malicious updates. Over four months, from July to October 2025, they rotated command and control (C2) server addresses and payloads, targeting individuals and organizations in Vietnam, El Salvador, Australia, and the Philippines.
The article details three distinct infection chains linked to this supply chain attack. The first chain emerged in late July 2025, when the attackers distributed a malicious Notepad++ update that ran through the legitimate update process. The malware collected system information and uploaded it to a remote server before launching a second-stage payload. That payload exploited a vulnerability in the legitimate ProShow software to execute Cobalt Strike Beacon shellcode, giving the attackers further access to and control over the infected machines. By early August, this chain had ceased operating.
In mid-September 2025, the attackers resumed activity with a new infection chain that used the same update URL but a different payload. This time they employed a more compact NSIS installer that gathered additional system information and dropped files into the Adobe Scripts directory. The new payload included DLLs and an executable designed to establish a foothold on the victim's system. This change highlights the attackers' adaptation in response to detection efforts. The article also emphasizes that Kaspersky's solutions blocked these attacks in real time, illustrating the ongoing contest between defensive measures and evolving threats.