{"ID":"fb26a755-1c02-437a-e1da-6b8835bb6f1c","Version":1,"CreatedAt":1770791253806,"Description":"[OOTB] Notepad++ supply chain attack package - ENG\n\u003chtml lang=\"en\"\u003e\n\u003cbody\u003e\n  \n  \u003cp\u003e\n\tOn February 2, 2026, the developers of Notepad++, a text editor popular among developers, published a statement claiming that the update infrastructure of Notepad++ had been compromised. According to the statement, this was due to a hosting provider-level incident, which occurred from June to September 2025. However, attackers had been able to retain access to internal services until December 2025.\u003cbr\u003e\n\tThe attacks involved many different patterns of adversary behavior. In response to this attack, we have developed a set of detection rules to help identify potential exploitation attempts and take proactive measures to protect systems.\u003cbr\u003e\n\tThis package contains rules that can be categorized into three groups:\n\t\t\u003cul\u003e\n\t\t\t\u003cli\u003eIOC monitoring:\u003c/li\u003e\n\t\t\t\t\u003cul\u003e\n\t\t\t\t\t\u003cli\u003eURLs\u003c/li\u003e\n\t\t\t\t\t\u003cli\u003eFile hashes\u003c/li\u003e\n\t\t\t\t\t\u003cli\u003eFile names\u003c/li\u003e\n\t\t\t\t\u003c/ul\u003e\n\t\t\t\u003cli\u003eSuspicious activity on host:\u003c/li\u003e\t\t\n\t\t\t\t\u003cul\u003e\n\t\t\t\t\t\u003cli\u003eAbnormal file names\u003c/li\u003e\n\t\t\t\t\t\u003cli\u003eUncommon command executions and child processes\u003c/li\u003e\n\t\t\t\t\t\u003cli\u003eSuspicious network activity\u003c/li\u003e\n\t\t\t\t\u003c/ul\u003e\n\t\t\u003c/ul\u003e\n\tMore details are described in the article: https://securelist.com/notepad-supply-chain-attack/118708/ \u003cbr\u003e\n\t\u003cb\u003eImportant Notes:\u003c/b\u003e\u003cbr\u003e\n\tTo ensure the correct functioning of the detection rules, it is essential to verify that all necessary Windows events, such as 4688 (process creation), 5136 (packet filter), 4663 (object access), are present in the SIEM system.\n 
 \u003c/p\u003e\n\n\u003c/body\u003e\n\u003c/html\u003e","Language":"en","ResourceIDs":["3ad7680b-2418-4431-b786-fa6803a043a5","b1c5394a-c49b-4345-965a-6036f9695a49","ce12f000-e03c-488d-bad1-0d62cafcf2a9","c7d9dffa-e918-4676-a510-224c3be94861","e1508389-2115-48c2-ba3c-fbe239a05988","0f5e1151-70af-43fd-ad0f-c243463a6a07","21cdae23-954c-47fe-852f-7a94e34d4f16","2e2f932a-6551-4c50-a609-09d580eecdac","7feb073a-462d-4eff-a415-3e4a111d9975","9134cb58-c482-4284-8e2c-2dfe2bb690ee"],"Emergency":false}