Notepad++ Update Hijacked by Chinese APT for Six Months
Violet Typhoon compromised the text editor's hosting provider to redirect updates to malicious servers targeting telecom and financial firms.
The maintainer of Notepad++ disclosed over the weekend that Chinese state-sponsored attackers hijacked the popular text editor's update mechanism for approximately six months. The attackers compromised infrastructure at the hosting provider level, redirecting update traffic from select users to malicious servers that delivered a custom backdoor.
Developer Don Ho revealed the breach on February 2, 2026, explaining that the attack "involved infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org." The attackers never touched Notepad++ source code or compromised the build pipeline. They operated entirely within the hosting environment—a much harder attack to detect.
How the Attack Worked
The operation began in June 2025 when attackers infiltrated the shared hosting server used by Notepad++'s official website. They specifically targeted the update endpoint (getDownloadUrl.php), which provides update metadata and download URLs to client installations checking for new versions.
Rather than poisoning updates globally—which would have triggered immediate detection—the attackers filtered requests by IP range. Only users at targeted organizations received redirects to attacker-controlled servers. Everyone else got legitimate updates.
According to Rapid7's technical analysis, the threat group exploited a flaw in WinGUp, Notepad++'s update utility. The tool's integrity verification process didn't adequately validate download sources, allowing attackers who could intercept network traffic to serve poisoned executables that appeared legitimate.
The attack window ran from June through November 2025. The hosting provider regained server access on September 2, 2025, but attackers maintained credentials to internal services until December 2—allowing continued traffic redirection even without direct server control.
Attribution and Targeting
Security researchers have offered competing attributions. The initial disclosure pointed to Violet Typhoon (also tracked as APT31), a Chinese nation-state actor known for targeting telecommunications and technology companies. Rapid7 attributed the campaign to Lotus Blossom, a different China-linked group active since 2009.
Both assessments agree on the targeting profile: telecommunications providers and financial services organizations in East Asia. This aligns with typical Chinese APT priorities—gathering intelligence on communications infrastructure and financial data flows.
The targeting methodology mirrors techniques we've seen in other supply chain attacks that hit developer tools. Compromising software used by engineers and system administrators provides a direct path into high-value corporate networks.
The Chrysalis Backdoor
Rapid7 identified a previously undocumented backdoor dubbed "Chrysalis" delivered through the supply chain attack. Technical details remain limited, but the malware enabled persistent remote access to compromised systems—exactly what you'd expect from an espionage-focused operation.
The backdoor's novelty suggests dedicated development resources. Unlike commodity malware reused across campaigns, custom implants are harder to detect through signature-based defenses and indicate significant investment in the operation.
Why This Matters
Notepad++ claims over 100 million downloads and remains popular among developers, system administrators, and security professionals. It's the kind of trusted tool that bypasses scrutiny—people don't expect their text editor to deliver malware.
This attack represents a concerning evolution in supply chain compromise tactics. The attackers never compromised the software itself, making traditional code audits useless. They didn't break signatures or tamper with binaries. They simply sat between the legitimate update server and targeted users, serving malicious content from attacker infrastructure.
For organizations wondering whether they were targeted, the honest answer is: you probably don't know. The selective targeting means most users received legitimate updates throughout the attack window. Only specific IP ranges saw malicious redirects.
Remediation and Response
The Notepad++ team has migrated to a new hosting provider and hardened the update process. Version 8.8.8, released in November 2025, restricted update downloads to trusted sources (GitHub). Version 8.8.9 added mandatory digital signature and certificate verification. Additional protections including XML signature validation are expected in v8.9.2.
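As an added illustration of the WinGUp source-validation gap described under How the Attack Worked and of the v8.8.8 hardening above (example code written for this article, not WinGUp's or Notepad++'s own), the Python below parses an update response in an assumed XML layout and contrasts a client that trusts whatever Location the endpoint returns with one that accepts only HTTPS downloads from an allowlisted GitHub host. The element names, hostnames and sample responses are assumptions.

```python
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

# Hardened client allowlist (the article: v8.8.8 restricted downloads to GitHub).
# Exact hostnames are an assumption for this example.
TRUSTED_DOWNLOAD_HOSTS = {"github.com", "objects.githubusercontent.com"}

def parse_update_metadata(xml_text: str) -> dict:
    """Parse the update response. Element names are assumed for this example."""
    root = ET.fromstring(xml_text)
    return {
        "needs_update": (root.findtext("NeedToBeUpdated") or "").strip().lower() == "yes",
        "version": (root.findtext("Version") or "").strip(),
        "location": (root.findtext("Location") or "").strip(),
    }

def weak_download_url(metadata: dict) -> str:
    """Pre-fix pattern: trust whatever location the update endpoint returns.
    Whoever controls the endpoint, or the path to it, chooses the download host."""
    return metadata["location"]

def hardened_download_url(metadata: dict) -> str:
    """Accept only HTTPS URLs whose host exactly matches the allowlist."""
    url = metadata["location"]
    parts = urlparse(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-HTTPS download: {url}")
    if parts.username is not None or parts.password is not None:
        raise ValueError(f"refusing URL with embedded credentials: {url}")
    host = (parts.hostname or "").lower()
    if host not in TRUSTED_DOWNLOAD_HOSTS:  # exact match also rejects github.com.evil.example
        raise ValueError(f"refusing download from untrusted host: {host!r}")
    return url

# Constructed sample responses: a legitimate one and one shaped like the
# redirect described in the article (same schema, attacker-chosen Location).
LEGIT_RESPONSE = """<GUP><NeedToBeUpdated>yes</NeedToBeUpdated><Version>8.8.9</Version>
<Location>https://github.com/notepad-plus-plus/notepad-plus-plus/releases/download/v8.8.9/npp.8.8.9.Installer.x64.exe</Location></GUP>"""
HIJACKED_RESPONSE = """<GUP><NeedToBeUpdated>yes</NeedToBeUpdated><Version>8.8.9</Version>
<Location>https://203.0.113.10/updates/npp.8.8.9.Installer.x64.exe</Location></GUP>"""

if __name__ == "__main__":
    for label, body in (("legit", LEGIT_RESPONSE), ("hijacked", HIJACKED_RESPONSE)):
        meta = parse_update_metadata(body)
        print(label, "weak client would fetch:", weak_download_url(meta))
        try:
            print(label, "hardened client fetches:", hardened_download_url(meta))
        except ValueError as exc:
            print(label, "hardened client refuses:", exc)
```

Note that a hash delivered in the same response would not help here, since the attacker controls that response too; the signature and certificate checks added in 8.8.9 bind the metadata to a key the client already holds.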
Organizations concerned about exposure should:
- Audit Notepad++ installations: check version history and update logs from June through November 2025
- Hunt for indicators: review network logs for connections to unexpected domains during the attack window
- Verify current versions: ensure installations are running 8.8.9 or later with enhanced verification
- Expand threat hunting: if you're in telecom or financial services in East Asia, assume you were targeted
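As an added example of the indicator hunt in the list above (written for this article, not a tool from the Notepad++ project or Rapid7), the Python below scans proxy-style log lines for updater traffic that went anywhere other than the legitimate update and download hosts, and marks whether each hit falls inside the June through December 2 2025 window from the article. The log format, the updater user-agent marker, the expected hostnames and the sample lines are all constructed assumptions.

```python
from datetime import datetime, timezone
import re

# Hosts the updater is expected to contact; exact hostnames are assumptions
# (the article names notepad-plus-plus.org and GitHub as the legitimate sources).
EXPECTED_HOSTS = {"notepad-plus-plus.org", "github.com", "objects.githubusercontent.com"}
# Attack window from the article: June 2025 until credentials were revoked on Dec 2, 2025.
WINDOW_START = datetime(2025, 6, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 12, 2, 23, 59, 59, tzinfo=timezone.utc)
UPDATER_UA_MARKER = "WinGUp"  # assumed user-agent substring for the updater

# Constructed proxy-log format: ISO timestamp, client IP, destination host, path, "user agent".
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, host, path, ua = m.groups()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "host": host.lower(), "path": path, "ua": ua}

def is_updater_traffic(entry):
    # Either the update endpoint named in the article or the updater's own user agent.
    return "getDownloadUrl.php" in entry["path"] or UPDATER_UA_MARKER in entry["ua"]

def hunt(lines):
    """Return (client, host, timestamp, in_window) for updater traffic to unexpected hosts."""
    findings = []
    for line in lines:
        e = parse_line(line)
        if e is None or not is_updater_traffic(e) or e["host"] in EXPECTED_HOSTS:
            continue
        in_window = WINDOW_START <= e["ts"] <= WINDOW_END
        findings.append((e["client"], e["host"], e["ts"].isoformat(), in_window))
    return findings

# Constructed sample log: one client redirected to a raw IP during the window, one served
# from GitHub, one updater hit outside the window, and one unrelated browser request.
SAMPLE_LOG = """\
2025-07-14T09:12:03+00:00 10.20.3.41 notepad-plus-plus.org /update/getDownloadUrl.php?version=8.8.1 "WinGUp"
2025-07-14T09:12:04+00:00 10.20.3.41 203.0.113.10 /npp.8.8.2.Installer.x64.exe "WinGUp"
2025-07-14T09:15:10+00:00 10.20.3.77 notepad-plus-plus.org /update/getDownloadUrl.php?version=8.8.1 "WinGUp"
2025-07-14T09:15:11+00:00 10.20.3.77 github.com /notepad-plus-plus/notepad-plus-plus/releases/download/v8.8.2/npp.8.8.2.Installer.x64.exe "WinGUp"
2026-01-20T11:00:00+00:00 10.20.3.41 203.0.113.10 /npp.8.8.9.Installer.x64.exe "WinGUp"
2025-07-14T09:20:00+00:00 10.20.3.41 203.0.113.10 /index.html "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for client, host, ts, in_window in hunt(SAMPLE_LOG):
        print(f"{client} -> {host} at {ts} ({'inside' if in_window else 'outside'} attack window)")
```

Updater traffic to an unknown host outside the window is still worth a look, which is why the scan reports it and only flags the window rather than filtering on it.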
The attack demonstrates that even well-maintained open source projects remain vulnerable when infrastructure—not code—becomes the target. For a deeper dive into how APT groups operate, our recommended reading on state-sponsored attacks covers the broader threat landscape.