June 4, 2026

PBX Science

Notepad++ Infrastructure Hijacked: A Six-Month Global Supply Chain Campaign


The popular open-source text editor Notepad++ was recently revealed to have been the target of a sophisticated, state-sponsored supply chain attack that lasted for most of 2025.

According to official disclosures by maintainer Don Ho on February 2, 2026, the breach did not target the software’s code itself, but rather the infrastructure used to distribute updates to millions of users.


Timeline of the Breach

The attack was a masterclass in persistence and stealth, spanning two distinct phases of infrastructure compromise:

  • June – September 2025: Attackers gained unauthorized access to the shared hosting provider for notepad-plus-plus.org. This access was initially severed on September 2, 2025, during a routine kernel and firmware update by the provider.

  • September – December 2, 2025: Despite losing direct server access, the threat actors still held stolen internal credentials. These allowed them to keep intercepting and redirecting update traffic for another three months, until the credentials were finally revoked on December 2, 2025.


The Attack Vector: Targeted Redirection

The vulnerability resided in the WinGUp (Windows Generic Update Program) mechanism. In versions prior to v8.8.9, the updater lacked sufficient cryptographic verification.

How it worked:

  1. A user’s Notepad++ client would check for an update.
  2. The attackers, sitting on the hosting infrastructure, would identify high-value targets based on IP addresses (focusing on East Asian financial and telecom sectors).
  3. Legitimate users received clean updates, but targeted users were redirected to a malicious server.
  4. The “update” delivered a custom backdoor codenamed “Chrysalis”, granting attackers remote “hands-on-keyboard” control.
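The check that the pre-8.8.9 updater was missing, as an added illustration in Go (this is not WinGUp's or the Notepad++ project's code; the manifest format, the release key and the installer bytes are all constructed for the example): the client only trusts an update when the manifest is signed by a key pinned in the client itself and the downloaded bytes match the hash inside that signed manifest, so neither swapping the payload nor rewriting the manifest on compromised hosting passes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a hypothetical signed update descriptor (not WinGUp's real format). One
// signature covers version, URL and hash together, so a redirect to another installer fails.
type Manifest struct {
	Version, InstallerURL, SHA256 string // SHA256: hex digest of the installer bytes
	Signature                     []byte // Ed25519 over canonical(m)
}

func canonical(m Manifest) []byte {
	return []byte(m.Version + "\n" + m.InstallerURL + "\n" + m.SHA256 + "\n")
}

// HashHex returns the hex SHA-256 of a downloaded payload.
func HashHex(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// SignManifest is the publisher side: the offline release key signs the manifest.
func SignManifest(priv ed25519.PrivateKey, m Manifest) Manifest {
	m.Signature = ed25519.Sign(priv, canonical(m))
	return m
}

// VerifyUpdate is what the client must do before executing anything it fetched: verify the
// manifest against the key pinned in the binary, then verify the payload against the hash
// that signed manifest promises. Content served by compromised hosting fails one of the two.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, installer []byte) error {
	if !ed25519.Verify(pinned, canonical(m), m.Signature) {
		return errors.New("manifest signature invalid: refusing update")
	}
	if HashHex(installer) != m.SHA256 {
		return errors.New("installer hash mismatch: refusing update")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed release key pair for the demo
	good, bad := []byte("constructed genuine installer"), []byte("constructed redirected payload")
	m := SignManifest(priv, Manifest{Version: "8.8.9", InstallerURL: "https://example.invalid/npp.exe", SHA256: HashHex(good)})
	fmt.Println("genuine:", VerifyUpdate(pub, m, good))        // <nil>
	fmt.Println("swapped payload:", VerifyUpdate(pub, m, bad)) // hash mismatch
	evil := m
	evil.SHA256 = HashHex(bad) // attacker rewrites the manifest to match their payload
	fmt.Println("rewritten manifest:", VerifyUpdate(pub, evil, bad)) // signature invalid
}
```

The pinned public key is the root of trust; a hash published on the same server as the installer adds nothing once that server is under attacker control.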



Vulnerabilities and Attribution

The campaign coincided with the discovery of CVE-2025-49144, a high-severity (CVSS 7.3) privilege escalation flaw. This vulnerability allowed unprivileged users to gain SYSTEM-level access through insecure executable search paths during the installation process.

Security firms, including Rapid7 and Kaspersky, have attributed the activity to the Chinese state-sponsored group Lotus Blossom (also known as Violet Typhoon, APT31, or Billbug). Researchers noted that the group was exceptionally selective, ensuring the “poisoned” updates reached only a few dozen high-profile targets in countries like the Philippines, Vietnam, and El Salvador, thereby avoiding detection by the broader security community.


Critical Actions for Users

The Notepad++ project has since migrated to a new hosting provider and implemented hardened signature verification. To ensure your system is secure, follow these steps:

  1. Upgrade Immediately: Ensure you are running version 8.8.9 or higher. Version 8.9.2 and above strictly enforce certificate and signature checks.

  2. Verify Signatures: Always download directly from the official site or GitHub and verify the GPG signature.

  3. Clean Installation: If you suspect you were targeted during the June–December 2025 window, it is recommended to:

    • Uninstall Notepad++.

    • Delete the %AppData%\Notepad++ and %ProgramFiles%\Notepad++ directories to remove potentially hidden malicious plugins.

    • Check for suspicious processes like update.exe or AutoUpdater.exe (which are not standard Notepad++ filenames).


Comparison of Secure Alternatives

If your organization requires alternative tools, consider these open-source or managed editors:

Editor          License              Best For
VSCodium        Open Source (MIT)    Privacy-conscious developers wanting VS Code features.
NotepadNext     Open Source          A cross-platform reimplementation of Notepad++.
Sublime Text    Proprietary          High performance and advanced text processing.

