# Your Notepad++ Might Be Calling Beijing: Get On The Feed
- Patrick Duggan
- Feb 13
Updated: Apr 25
**Published:** February 14, 2026
## The Situation
Kaspersky just disclosed that Notepad++ - the text editor running on millions of developer machines - had its update mechanism compromised for four months (July-October 2025).
The payload? **Cobalt Strike**.
The targets? Vietnam, El Salvador, Australia, a Philippine government entity, and South Asian political/economic interests.
The disclosure dropped February 2, 2026. The beacons are still calling home.
## What We Have
Our STIX feed currently contains **29 active Cobalt Strike C2 servers**.
These aren't theoretical. These aren't historical. These are live command-and-control servers identified in the last 24 hours via ThreatFox certificate anomaly detection and enriched through our threat intelligence pipeline.
**If you're running Notepad++ and you got popped, your machine is beaconing to one of these servers.**
If you're blocking our feed, you're blocking those beacons.
If you're not blocking our feed, you're trusting your text editor more than your firewall.
## The Full Picture
This week's threat landscape:
| Threat | Payload | Our Coverage |
|--------|---------|--------------|
| Notepad++ Supply Chain | Cobalt Strike | 29 C2 servers |
| Microsoft 6 Zero-Days | Ransomware | BianLian, others |
| Latrodectus Surge | Loader malware | Active coverage |
| Ivanti EPMM (CVE-2026-1281) | RCE | IOCs indexed |
We have 421 STIX objects in the last 24 hours. 513 stealthy threats identified. 83 interesting (non-scanner) indicators. 2 APT-linked IPs.
## The Math
- **Notepad++ users worldwide:** Millions
- **Compromise window:** 4 months
- **Time since disclosure:** 12 days
- **Cobalt Strike C2s in our feed:** 29
- **Cost of our feed:** Free
The beacons are still calling. The C2s are still listening. The question is whether your firewall knows about them.
## Get On The Feed
**STIX 2.1 Feed (Free):**
**Parameters:**
- `?days=7` - Last 7 days of IOCs
- `?days=30` - Last 30 days
- `?malware=cobalt_strike` - Filter by malware family
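The filtering those parameters describe, done client-side over a STIX 2.1 bundle: this is an added example, not the feed's own code, and the bundle below is constructed sample data (ids shortened, indicators from documentation address ranges). It walks the `indicates` relationships to learn each indicator's malware family, applies the day window, and extracts the values a firewall can block.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample bundle (not real indicators): three indicators linked
# to malware families through STIX 'indicates' relationships. Ids are
# shortened for readability; real STIX ids carry a UUID suffix.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "malware", "id": "malware--a1", "name": "cobalt_strike", "is_family": True},
    {"type": "malware", "id": "malware--a2", "name": "latrodectus", "is_family": True},
    {"type": "indicator", "id": "indicator--b1", "created": "2026-02-13T08:00:00.000Z",
     "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.10']"},
    {"type": "indicator", "id": "indicator--b2", "created": "2026-02-12T10:00:00.000Z",
     "pattern_type": "stix", "pattern": "[domain-name:value = 'update.example.net']"},
    {"type": "indicator", "id": "indicator--b3", "created": "2026-01-01T00:00:00.000Z",
     "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.7']"},
    {"type": "relationship", "relationship_type": "indicates",
     "source_ref": "indicator--b1", "target_ref": "malware--a1"},
    {"type": "relationship", "relationship_type": "indicates",
     "source_ref": "indicator--b2", "target_ref": "malware--a2"},
    {"type": "relationship", "relationship_type": "indicates",
     "source_ref": "indicator--b3", "target_ref": "malware--a1"},
]})

# Fixed "now" so the day window is reproducible (assumed, matches the post date).
FEED_TIME = datetime(2026, 2, 14, tzinfo=timezone.utc)

# Single-comparison patterns only; composite patterns (AND/OR) are skipped.
PATTERN_RE = re.compile(r"\[(ipv4-addr|domain-name):value\s*=\s*'([^']+)'\]")

def blocklist(bundle_json, days, malware=None, now=None):
    """Return {observable value: malware family} for indicators created within
    `days` of `now`, optionally restricted to one family (like ?malware=)."""
    cutoff = (now or datetime.now(timezone.utc)) - timedelta(days=days)
    objs = json.loads(bundle_json)["objects"]
    by_id = {o["id"]: o for o in objs if "id" in o}
    family = {}  # indicator id -> malware name, resolved via relationships
    for o in objs:
        if o["type"] == "relationship" and o["relationship_type"] == "indicates":
            target = by_id.get(o["target_ref"], {})
            if target.get("type") == "malware":
                family[o["source_ref"]] = target["name"]
    result = {}
    for o in objs:
        if o["type"] != "indicator" or o.get("pattern_type", "stix") != "stix":
            continue
        created = datetime.strptime(o["created"], "%Y-%m-%dT%H:%M:%S.%fZ")
        if created.replace(tzinfo=timezone.utc) < cutoff:
            continue  # older than the requested window
        fam = family.get(o["id"], "unknown")
        if malware and fam != malware:
            continue
        m = PATTERN_RE.fullmatch(o["pattern"])
        if m:
            result[m.group(2)] = fam
    return result
```

Run against the real feed, the same function turns `?days=7&malware=cobalt_strike` into a plain list of addresses and domains for a firewall or DNS sinkhole.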
Microsoft pulls this feed daily. AT&T pulls this feed daily. Starlink pulls this feed daily. Get the DugganUSA STIX feed — $9/mo →
**Who's Already On It:**
- Microsoft
- AT&T
- Lumen
**What You Get:**
- 421+ indicators daily
- Cobalt Strike, Meterpreter, Latrodectus, BianLian coverage
- ThreatFox integration
- Zero-abuse "ghost" detection (threats we catch that nobody else sees)
- MITRE ATT&CK mapping
## The Reality
We're a $90/month operation running on a VM in Azure. We scaled overnight to handle 1.15 million API requests when the Epstein files dropped.
We catch 67 threats with 0% community detection - ghosts that slip past everyone else.
We're not selling you anything. The feed is free. We make money when enterprises want custom integrations, not when defenders need IOCs.
Your Notepad++ might be compromised. The C2 servers are in our feed. The rest is your call.
## Sources
- [Kaspersky: Notepad++ Supply Chain Attack](https://securelist.com/notepad-supply-chain-attack/118708/)
- [SecurityWeek: Microsoft February 2026 Patch Tuesday](https://www.securityweek.com/6-actively-exploited-zero-days-patched-by-microsoft-with-february-2026-updates/)
- [CISA: Ivanti EPMM Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
*Block the beacons. Get on the feed.*
*Her name was Renee Nicole Good.*
*His name was Alex Jeffery Pretti.*
The cheapest, fastest, most accurate threat feed on the internet.
275+ enterprises pulling daily. 1M+ IOCs. 17.4M indexed documents. We beat Zscaler by 43 days on NrodeCodeRAT. Starter tier $9/mo — less than any competitor’s sales demo.