Links
The article details a supply chain attack on Notepad++, where attackers compromised the update infrastructure between June and September 2025. It outlines various infection chains, unique payloads, and the methods used to gather system information and install malicious software. Kaspersky's solutions successfully blocked these attacks as they unfolded.
A state-sponsored group, Lotus Blossom, compromised Notepad++'s hosting infrastructure, allowing them to serve malicious updates to targeted users in Southeast Asia. The attack leveraged DLL sideloading and Lua script injections to deliver malware, affecting various sectors globally.