
Chinese state-sponsored campaign to hijack Notepad++ update traffic

Campaign
H score 37
1 unique source, 1 article

Summary


A months-long campaign hijacked Notepad++ update traffic, selectively sending some users to malicious servers and threatening the integrity of software updates. The operation began in June 2025 after attackers compromised a hosting provider and used that foothold to tamper with update manifests. It ended on December 2, 2025, after the breach was detected and access was cut off.

Related Happenings

Lotus Blossom Notepad++ updater compromise campaign

Campaign
First: 17.02.2026 20:29 Last: 17.02.2026 20:29 Sources 1

About this happening: The **Lotus Blossom** operation compromised the **Notepad++ updater** and **selectively redirected update requests** from specific users to malicious servers, creating a supply-ch...

Notepad++ hit by network compromise

Incident
First: 03.02.2026 06:55 Last: 03.02.2026 06:55 Sources 1

How related: The developer now explains that the attack occurred in June 2025, when a hosting provider for the software was compromised, enabling the attackers to perform targeted traffic redirections.

About this happening: The **Notepad++** hosting breach enabled attackers to hijack the software update path and selectively redirect some users to **malicious servers**, creating a **supply-chain** ris...

Latest development: 18.02.2026 09:40

Notepad++ released version 8.9.2 to harden the update mechanism after the hijacked update path was used to deliver targeted malware. The release adds a "double lock" design: verification of the signed installer downloaded from GitHub, and verification of the signed XML returned by the update server at notepad-plus-plus[.]org. It also introduces WinGUp hardening, including removal of libcurl.dll, removal of CURLSSLOPT_ALLOW_BEAST and CURLSSLOPT_NO_REVOKE, and restriction of plugin management execution to programs signed with the same certificate as WinGUp.

Bizarre Bazaar campaign targeting exposed LLM and MCP endpoints

Campaign
First: 28.01.2026 15:15 Last: 28.01.2026 15:15 Sources 1

About this happening: **Bizarre Bazaar** is an active **LLMjacking** campaign targeting **exposed LLM and MCP endpoints** to monetize unauthorized access to AI infrastructure. Researchers say the opera...

Latest development: 29.01.2026 20:37

Researchers said Operation Bizarre Bazaar, an LLMjacking marketplace that scans for exposed Ollama, vLLM, and OpenAI-compatible APIs without authentication and resells access through silver[.]inc, has been traced to Hecker (aka Sakuya and LiveGamer101).

Sha1-Hulud supply-chain campaign expands secret theft across npm and GitHub

Campaign
First: 02.01.2026 16:19 Last: 02.01.2026 16:19 Sources 1

About this happening: **Shai-Hulud** is a **self-replicating npm supply-chain worm** that first appeared in **September 2025** and spread by stealing **developer secrets** and **GitHub tokens** from co...

Latest development: 26.01.2026 16:02

Koi Security found PackageGate flaws in pnpm, vlt, Bun, and NPM that let a malicious `.npmrc` override the git binary path during Git repository installs, bypass `--ignore-scripts=true` and trigger full code execution. Bun patched the flaws in version 1.3.5, vlt fixed them after Koi's report, pnpm released fixes for CVE-2025-69263 and CVE-2025-69264, and NPM closed the report as "works as expected."

Politie seizure of bulletproof hosting servers

Law Enforcement
First: 17.11.2025 21:19 Last: 17.11.2025 21:19 Sources 1

About this happening: The Dutch police **seized around 250 physical servers** from a **bulletproof hosting** service, disrupting infrastructure that had supported **cybercrime** cases across **more tha...

Timeline

  1. 02.02.2026 16:53 2 articles · 3mo ago

    Chinese state-sponsored campaign to hijack Notepad++ update traffic

    Initial Disclosure

    The operation began in **June 2025** when attackers compromised the update hosting provider and started selectively redirecting some **Notepad++** users to malicious servers. Early activity focused on exploiting weak update verification in the trusted update path.
