Some Notepad++ users are experiencing security incidents where the software may be involved in facilitating unauthorized access. The situation is still developing, and while only a few organizations have reported issues, users should monitor specific processes and network activity related to the application.

The article details a supply chain attack on Notepad++, where attackers compromised the update infrastructure between June and September 2025. It outlines various infection chains, unique payloads, and the methods used to gather system information and install malicious software. Kaspersky's solutions successfully blocked these attacks as they unfolded.

A state-sponsored group, Lotus Blossom, compromised Notepad++'s hosting infrastructure, allowing them to serve malicious updates to targeted users in Southeast Asia. The attack leveraged DLL sideloading and Lua script injections to deliver malware, affecting various sectors globally.