Notepad++ update hack is bigger than you think, and your files could already be at risk

If you updated Notepad++ recently, you might have been hit by a hidden cyberattack without even knowing it.
Kaspersky Global Research and Analysis Team (GReAT) found that attackers who compromised Notepad++ targeted a government organization in the Philippines, a financial institution in El Salvador, an IT service provider in Vietnam, and individuals across three countries.
They used at least three separate infection chains, but only one has been publicly documented so far.
The attackers were relentless. Between July and October 2025, they completely rebuilt their malware, command-and-control servers, and delivery methods almost every month.
The October 2025 malware most reports focus on is just the tip of the iceberg. Earlier attacks from July through September used completely different IP addresses, domain names, execution methods, and payloads, meaning many organizations scanning only for the October malware may have missed infections entirely.
Kaspersky blocked all identified attacks as they happened, but senior security researcher Georgy Kucherin warns that defenders cannot assume safety just because the known indicators of compromise showed nothing.
“The July-September infrastructure was completely different — different IPs, different domains, different file hashes. We cannot rule out the existence of additional, as-yet-undiscovered chains,” he said.
For users, this means anyone running Notepad++ updates during mid-to-late 2025 could unknowingly have been exposed. Attackers could have installed backdoors, stolen data, or used infected machines to launch further attacks.
Kaspersky has now published the full list of malicious updater hashes, 14 command-and-control URLs, and eight file hashes not previously reported. The complete indicators of compromise and technical breakdown are available on Securelist.
If you use Notepad++, check your systems now. A machine that looks like it received a clean update may be carrying a hidden malware infection that is already moving through your network.
