
Notepad++ update servers hijacked in targeted supply chain attack

February 3, 2026

In early February 2026, the Notepad++ project disclosed that its official update servers had been hijacked in a targeted supply chain attack. For roughly six months, from June to December 2025, threat actors held access to the infrastructure that delivers automatic updates and quietly redirected selected systems to malicious download servers.

Rather than exploiting a flaw in the Notepad++ code itself, the attackers abused weaknesses in the update distribution process to push harmful binaries through a trusted channel. The incident shows how dangerous supply chain attacks have become once a "trusted update" is turned into a covert malware delivery mechanism. With millions of users relying on Notepad++ every day, it raises serious questions about software trust and security.

What Happened in the Notepad++ Supply Chain Attack?

In June 2025, attackers breached the shared hosting infrastructure used by Notepad++’s official update system. This wasn’t a flaw in the Notepad++ code, but a backend compromise that let the threat actors intercept and redirect update traffic meant for notepad-plus-plus.org to servers they controlled. The campaign ran for roughly six months, with infrastructure access lasting until December 2, 2025. During this time, specific users, not the entire user base, were served malicious installers in place of genuine updates. Developers confirmed the breach publicly in early February 2026.

This type of incident is known as a supply chain attack, where trusted systems are manipulated to distribute harmful code by exploiting the distribution process rather than the software itself.

Why Did the Attack Work? What Was Exploited?

The root cause was not a traditional software bug but a combination of infrastructure compromise and insufficient update validation. WinGUp, the updater component shipped with older Notepad++ versions, trusted whatever download location the server returned and did not enforce certificate and signature checks on the installer it fetched. A tampered binary served from an attacker-controlled host therefore installed without triggering any warning.

Attackers focused on the getDownloadUrl.php endpoint, which the updater uses to know where to fetch updates. By controlling it, they could serve modified download URLs pointing to their own servers hosting malicious payloads instead of genuine installers.

Once deep access was obtained at the hosting provider level, the attackers didn’t need to break the Notepad++ application code; instead, they manipulated trusted update infrastructure to turn a routine process into a covert distribution mechanism.

Was This a Broad Malware Campaign? Or Targeted?

This was highly targeted, not broad. Instead of pushing compromised updates to every Notepad++ user worldwide, attackers selectively redirected only certain update requests. Many security analysts believe the campaign aimed at specific organizations, especially in telecommunications, critical infrastructure, and finance sectors, rather than casual end users.

Researchers observed that the operation showed a level of restraint and precision consistent with state‑sponsored espionage objectives rather than indiscriminate malware distribution.

Who Is Responsible for the Notepad++ Supply Chain Attack?

Multiple investigations linked the attack to a likely Chinese state-sponsored group. Analysts say the tooling and tradecraft match the pattern of Lotus Blossom.

The group shows high discipline, targets valuable victims, and persists over time. This aligns with known state-linked espionage campaigns.

The Chinese government denies involvement, but cybersecurity firms still see the attack as consistent with Chinese state interests due to its sophistication and precise targeting.

Which Notepad++ Versions Were Affected?

The attack primarily affected users running versions of Notepad++ prior to v8.8.9. These older releases used the WinGUp updater, which lacked strict verification of update packages.

Once developers recognized the issue, they shipped version 8.8.9 in December 2025, introducing mandatory certificate and digital‑signature verification for update installers, effectively blocking the core exploited weakness.

Additionally, future releases (e.g., v8.9.2) are expected to incorporate stronger XMLDSig signing for update manifests, further securing update metadata and helping to prevent tampering.
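The two sections above describe the weakness (an updater that follows whatever URL getDownloadUrl.php returns) and the fix (signature and certificate checks on the installer, XMLDSig on the manifest). The following Go program is an added example, not Notepad++ or WinGUp code, that contrasts the trusting flow with a hardened one: a signature over the manifest under a key pinned in the client (the role XMLDSig plays), an allow-list on the download host, and a hash check on the fetched installer (the role the Authenticode certificate check plays in 8.8.9 and later). The manifest element names follow the WinGUp XML format; the SHA256 element, the Ed25519 key, the URLs, the allow-list and the payloads are assumptions constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"fmt"
	"net/url"
)

// Manifest mirrors the XML getDownloadUrl.php returns to WinGUp (NeedToBeUpdated / Version /
// Location). SHA256 is an addition for this example so a signed manifest also commits to the installer.
type Manifest struct {
	NeedToBeUpdated string `xml:"NeedToBeUpdated"`
	Version         string `xml:"Version"`
	Location        string `xml:"Location"`
	SHA256          string `xml:"SHA256"`
}

type Fetcher func(rawURL string) ([]byte, error) // stands in for the HTTP client

// legacyUpdate models the pre-8.8.9 flow: whatever Location says, fetch and install.
func legacyUpdate(manifest []byte, fetch Fetcher) ([]byte, error) {
	var m Manifest
	if err := xml.Unmarshal(manifest, &m); err != nil {
		return nil, err
	}
	return fetch(m.Location) // no signature, no host check, no hash check
}

// hardenedUpdate adds the checks the incident calls for: a signature over the manifest under a
// key pinned in the client (the role of XMLDSig), HTTPS to an allow-listed host only, and an
// installer hash the signed manifest commits to (the role of the Authenticode check in 8.8.9+).
func hardenedUpdate(manifest, sig []byte, pub ed25519.PublicKey, allowed map[string]bool, fetch Fetcher) ([]byte, error) {
	if !ed25519.Verify(pub, manifest, sig) {
		return nil, fmt.Errorf("manifest signature invalid; download URL untrusted")
	}
	var m Manifest
	if err := xml.Unmarshal(manifest, &m); err != nil {
		return nil, err
	}
	u, err := url.Parse(m.Location)
	if err != nil || u.Scheme != "https" || !allowed[u.Hostname()] {
		return nil, fmt.Errorf("download location %q not allowed", m.Location)
	}
	installer, err := fetch(m.Location)
	if err != nil {
		return nil, err
	}
	want, err := hex.DecodeString(m.SHA256)
	if got := sha256.Sum256(installer); err != nil || !bytes.Equal(got[:], want) {
		return nil, fmt.Errorf("installer does not match the hash in the signed manifest")
	}
	return installer, nil
}

type Outcome struct {
	LegacyInstalledMalicious, HardenedRejectedRedirect, HardenedRejectedSwappedBinary, HardenedAcceptedGenuine bool
}

// scenario builds a genuine signed manifest, the attacker's redirected copy and a fake mirror,
// then runs both updaters against them. Key, URLs and payloads are all constructed.
func scenario() Outcome {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize)) // fixed seed: example only
	pub := priv.Public().(ed25519.PublicKey)
	genuine := []byte("genuine npp.8.8.9.Installer.x64.exe bytes")
	malicious := []byte("trojanised installer that drops a backdoor")
	const goodURL = "https://notepad-plus-plus.org/repository/8.x/8.8.9/npp.8.8.9.Installer.x64.exe"
	const evilURL = "https://npp-updates.example/npp.8.8.9.Installer.x64.exe" // attacker-controlled host
	servers := map[string][]byte{goodURL: genuine, evilURL: malicious}
	fetch := func(u string) ([]byte, error) { return servers[u], nil } // unknown URL yields no bytes
	manifest := func(loc string, body []byte) []byte {
		h := sha256.Sum256(body)
		return []byte(fmt.Sprintf("<GUP><NeedToBeUpdated>yes</NeedToBeUpdated><Version>8.8.9</Version>"+
			"<Location>%s</Location><SHA256>%s</SHA256></GUP>", loc, hex.EncodeToString(h[:])))
	}
	good := manifest(goodURL, genuine)
	sig := ed25519.Sign(priv, good)
	redirected := manifest(evilURL, malicious) // what a hijacked getDownloadUrl.php serves
	allowed := map[string]bool{"notepad-plus-plus.org": true}
	var o Outcome
	b, _ := legacyUpdate(redirected, fetch)
	o.LegacyInstalledMalicious = bytes.Equal(b, malicious)
	_, err := hardenedUpdate(redirected, sig, pub, allowed, fetch)
	o.HardenedRejectedRedirect = err != nil // signature fails: the attacker does not hold the key
	servers[goodURL] = malicious            // attacker swaps the binary but cannot re-sign the manifest
	_, err = hardenedUpdate(good, sig, pub, allowed, fetch)
	o.HardenedRejectedSwappedBinary = err != nil
	servers[goodURL] = genuine
	b, err = hardenedUpdate(good, sig, pub, allowed, fetch)
	o.HardenedAcceptedGenuine = err == nil && bytes.Equal(b, genuine)
	return o
}

func main() {
	fmt.Printf("%+v\n", scenario())
}
```

The caveat a practitioner would raise: the manifest signature only helps if the signing key never lived on the shared host the attackers controlled. Sign manifests offline or from a separate, hardened signing service, and pin the verification key in the client binary so that a hijacked web backend cannot simply replace it.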

What Kind of Malware Was Delivered?

Details of all malicious payloads aren’t public. Researchers linked the compromised installers to Chrysalis, a custom backdoor used in long-term espionage campaigns.

Some victims showed hands-on-keyboard activity, meaning attackers could remotely control the machines. This shows advanced post-exploitation, not just simple malware.

These patterns indicate that malicious updates were designed to establish persistence and enable reconnaissance or further network intrusion.

How Was the Compromise Detected and Mitigated?

The breach was publicly disclosed in early February 2026 by Notepad++ maintainer Don Ho after an extended internal investigation. Remediation included migrating the website away from the compromised hosting provider, rotating all internal credentials, and hardening the update infrastructure.

Stricter verification, including mandatory digital signature and certificate checks on update installers, has closed the core gap the attackers exploited.

Incident response also involved a period of forensic analysis to ensure all unauthorized access paths were eliminated, concluding that by December 2, 2025, all attacker access had been terminated.

What Should Users and Organizations Do Now?

The key action for all Notepad++ users is to update to the latest version (8.8.9 or later) directly from the official site or the GitHub release page, and to check the installer's digital signature before running it. Systems that ran an older version and performed an auto-update during the June to December 2025 window should be treated as potentially compromised until checked.

Organizations should audit any system used for sensitive work that ran an older version during that window, looking for installers fetched from hosts other than the official ones and for follow-on activity on the host. Update traffic should be monitored for unusual download destinations. Where auto-updates are not needed, disable them and deploy updates through a managed channel instead; enforce code-signing controls on what is allowed to execute; and keep developer tooling separate from critical infrastructure.
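To make the "monitor update processes" advice concrete, here is an added Go example (not from the page or the Notepad++ project) that scans constructed proxy log lines for the pattern this attack produces: a getDownloadUrl.php request followed within seconds by an installer download from a host that genuine updates never use, or over plaintext HTTP. The log layout, the allow-list of official hosts, the client IPs and the URLs are assumptions; the June 1 to December 2, 2025 window is the one the page reports, and findings inside it are marked so they can be prioritised.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Constructed proxy log excerpt: timestamp, client, method, URL, status. The layout is an
// assumption; map the fields to whatever your proxy actually emits.
const sampleLog = `
2025-09-14T10:02:11Z 10.1.4.22 GET https://notepad-plus-plus.org/update/getDownloadUrl.php?version=8.8.3 200
2025-09-14T10:02:13Z 10.1.4.22 GET https://notepad-plus-plus.org/repository/8.x/8.8.5/npp.8.8.5.Installer.x64.exe 200
2025-09-14T11:15:40Z 10.1.7.9 GET https://notepad-plus-plus.org/update/getDownloadUrl.php?version=8.8.3 200
2025-09-14T11:15:42Z 10.1.7.9 GET https://npp-updates.example/npp.8.8.5.Installer.x64.exe 200
2025-10-02T08:30:05Z 10.1.3.5 GET https://notepad-plus-plus.org/update/getDownloadUrl.php?version=8.8.3 200
2025-10-02T08:30:07Z 10.1.3.5 GET http://notepad-plus-plus.org/repository/8.x/8.8.5/npp.8.8.5.Installer.x64.exe 200
2025-10-02T09:00:00Z 10.1.8.8 GET https://files.example/tools/putty.exe 200
2026-01-20T09:00:00Z 10.1.9.3 GET https://notepad-plus-plus.org/update/getDownloadUrl.php?version=8.8.9 200
2026-01-20T09:00:02Z 10.1.9.3 GET https://mirror.example/npp.8.9.0.Installer.x64.exe 200
`

// allowedHosts is an assumed allow-list of where genuine installers are served from.
var allowedHosts = map[string]bool{
	"notepad-plus-plus.org":         true,
	"github.com":                    true,
	"objects.githubusercontent.com": true,
}

// Period of attacker access to the update infrastructure, as reported above.
var (
	windowStart = time.Date(2025, 6, 1, 0, 0, 0, 0, time.UTC)
	windowEnd   = time.Date(2025, 12, 2, 23, 59, 59, 0, time.UTC)
)

type Finding struct {
	Client   string
	When     time.Time
	URL      string
	InWindow bool // fell inside the June to 2 December 2025 window
	Reason   string
}

// scanLog pairs each getDownloadUrl.php request with the next .exe download by the same client
// within pairWindow and flags downloads a genuine update would never produce: a host outside
// the allow-list, or plaintext HTTP.
func scanLog(log string, pairWindow time.Duration) []Finding {
	lastCheck := map[string]time.Time{}
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 5 {
			continue
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		client := f[1]
		u, err := url.Parse(f[3])
		if err != nil {
			continue
		}
		if strings.HasSuffix(u.Path, "/getDownloadUrl.php") {
			lastCheck[client] = ts // manifest request; the installer fetch follows it
			continue
		}
		if !strings.HasSuffix(strings.ToLower(u.Path), ".exe") {
			continue
		}
		checkedAt, ok := lastCheck[client]
		if !ok || ts.Sub(checkedAt) > pairWindow {
			continue // not preceded by an update check: unrelated download
		}
		delete(lastCheck, client)
		var reason string
		switch {
		case !allowedHosts[u.Hostname()]:
			reason = "installer fetched from a host outside the official allow-list"
		case u.Scheme != "https":
			reason = "installer fetched over plaintext HTTP"
		default:
			continue // host and transport look like a genuine update
		}
		findings = append(findings, Finding{
			Client: client, When: ts, URL: f[3], Reason: reason,
			InWindow: !ts.Before(windowStart) && !ts.After(windowEnd),
		})
	}
	return findings
}

func main() {
	for _, f := range scanLog(sampleLog, 30*time.Second) {
		fmt.Printf("%s %-10s inWindow=%t %s (%s)\n", f.When.Format(time.RFC3339), f.Client, f.InWindow, f.Reason, f.URL)
	}
}
```

Run against the sample, the scan flags the redirected download (10.1.7.9) and the plaintext fetch (10.1.3.5) inside the window and the mirror download (10.1.9.3) outside it, while ignoring the unrelated putty.exe fetch that no update check preceded. A host that shows up here during the window is a candidate for the forensic review the page recommends, not proof of compromise on its own.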

Why the Notepad++ Attack Matters for Software Supply Chains

This incident underscores a major trend: attackers increasingly target distribution mechanisms and infrastructure rather than application code itself. When automatic updates become the delivery vector, trust assumptions break down, giving adversaries a way to deploy malicious software with minimal detection.

Supply chain attacks like this reveal that verification, signing, and infrastructure hardening are just as important as secure coding practices. The Notepad++ community’s experience sends a clear message: trusted updates must be treated with the same threat model as high‑risk network services. 

Final Words

The Notepad++ supply chain attack shows that even trusted updates can be risky. Always update to the latest version, verify sources, and stay alert to protect your system.

Frequently Asked Questions (FAQs)

What versions of Notepad++ were affected by the supply chain attack?

Notepad++ versions before 8.8.9 were affected. Users who auto-updated between June and December 2025 may have received malicious installers. Updating to the latest version closes the weakness, but a machine that already received a malicious installer still needs to be investigated.

How did hackers hijack Notepad++ update servers?

Hackers accessed the update server infrastructure. They changed the update paths so some users got fake installers. The attack targeted specific systems, not all users, from June-December 2025.

Did the Notepad++ hack install malware on my computer?

Some targeted systems may have received malicious installers. If you ran an auto-update between June and December 2025, there is a small risk. Installing the latest version prevents further abuse of the updater, but it does not remove a backdoor that was already installed; if your machine was targeted, it needs to be examined and cleaned.
