alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious Notepad++ Update Deployment URL (update.exe)"; flow:established,to_server; http.method; content:"GET"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.uri; bsize:18; content:"/update/update.exe"; nocase; fast_pattern; endswith; reference:url,securelist.com/notepad-supply-chain-attack/118708/; classtype:trojan-activity; sid:2067298; rev:1; metadata:affected_product Notepad__, attack_target Client_Endpoint, created_at 2026_02_04, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2026_02_04;)