As with any security issue or vulnerability, it is always advised to ensure you have the latest (fixed) version of the affected software, which may also address other security and compatibility issues. As of the publishing of this article, the latest version is 8.9.1.
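One way to act on that advice at fleet scale is to compare each host's installed Notepad++ version against the fixed release named above. The script below is an added example, not code from the article or from Trend Micro; it assumes you already have an inventory of hostnames and version strings (how that inventory is collected, for instance from file version info on each endpoint, is out of scope) and uses a small constructed inventory. It compares versions numerically rather than as strings, so a hypothetical "8.10" sorts above "8.9.1", and it reports hosts whose version cannot be parsed, since those cannot be confirmed as fixed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Fixed release named in the article; treated here as the minimum acceptable version.
FIXED_VERSION = "8.9.1"


def parse_version(text: str) -> Tuple[int, ...]:
    """Convert '8.9.1' or '8.9' into a tuple of ints so that comparison is
    numeric, not lexicographic (as strings, '8.10' would sort below '8.9.1')."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts]
    # Pad to three components so that '8.9' compares equal to '8.9.0'.
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_fixed(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is at or above the fixed release."""
    return parse_version(installed) >= parse_version(fixed)


@dataclass
class Host:
    name: str
    version: Optional[str]  # None means Notepad++ was not found on the host


# Constructed sample inventory (hypothetical hosts and versions, not real data).
INVENTORY: List[Host] = [
    Host("ws-01", "8.9.1"),   # already on the fixed release
    Host("ws-02", "8.8.7"),   # below the fixed release
    Host("ws-03", "8.10"),    # hypothetical later release; numerically above 8.9.1
    Host("ws-04", None),      # Notepad++ not installed
    Host("ws-05", "unknown"), # inventory could not read a version
]


def outdated_hosts(inventory: List[Host], fixed: str = FIXED_VERSION) -> List[str]:
    """Return the names of hosts that still need the fixed release.

    Hosts without Notepad++ are skipped. Hosts whose version string cannot be
    parsed are included, because they cannot be confirmed as fixed."""
    flagged = []
    for host in inventory:
        if host.version is None:
            continue
        try:
            if not is_fixed(host.version, fixed):
                flagged.append(host.name)
        except ValueError:
            flagged.append(host.name)
    return sorted(flagged)


if __name__ == "__main__":
    for name in outdated_hosts(INVENTORY):
        print(f"{name}: Notepad++ below {FIXED_VERSION} or version unknown")
```

Run against the constructed inventory this reports ws-02 and ws-05; replace INVENTORY with the output of your own endpoint inventory tooling.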
 
 

TrendAI Protection and Detection Against Exploitation

 
As this appears to be an ongoing investigation, there is limited official information from the Notepad++ development team at this time about specific malicious activity associated with the actual compromise of the infrastructure behind the application's official update mechanism. However, there are several independent research groups (including TrendAI) that are conducting and sharing information on malicious activity that may be directly or indirectly tied to campaigns related to this incident.
 

Trend Vision One™
 
TrendAI has added information to the Vision One Threat Intelligence Hub, which is closely tracking activity of a group suspected of involvement in this incident.
 
 
This information will be continually updated as more information becomes available.
 
 
Patterns, Models & Signatures
 
Includes Trend Vision One Endpoint Security, Trend Vision One Server and Workload Security, Trend Micro Deep Security, and all other products that utilize malware file scanning technologies.
 
While the Notepad++ developers themselves have not shared any indicators of compromise (IOCs), several third parties have shared information on suspected malicious file components associated with this incident and campaign, and TrendAI has created protection patterns with the following detections:
  • Backdoor.Win32.CHRYSALIS.THBOCBF
  • Trojan.INF.CHRYSALIS.A
  • Backdoor.Win32.CHRYSALIS.THBOCBF.enc
  • Trojan.Win32.SHELLCODE.H.enc
  • TROJ_FRS.VSNTB226
  • Trojan.Win64.LOADER.SM
  • Trojan.Win64.FRS.VSNTB226

 

Web Reputation Services (WRS)

TrendAI products that utilize WRS technology to proactively block potentially malicious sites also have protection against suspected vectors in associated campaigns.

Specifically, TrendAI has added several IP addresses and URLs that are now being classified as:

  • Disease Vectors
  • Command and Control (C&C) Servers