In a major cybersecurity incident disclosed in early February 2026, the popular open-source text editor Notepad++ was compromised in a targeted supply chain attack. State-sponsored hackers—widely attributed to a Chinese-linked group—hijacked the software’s update mechanism for nearly six months (June to December 2025), selectively redirecting certain users to malicious servers that delivered trojanized installers and a custom backdoor.
This was not a traditional data breach involving leaked user credentials or source code theft. Instead, attackers exploited infrastructure vulnerabilities at the project’s former hosting provider to intercept and manipulate update traffic, turning Notepad++’s trusted auto-update channel into a covert malware delivery vector.
What Happened: The Notepad++ Hijacking Explained
- Attack Type: Infrastructure-level supply chain compromise (not a flaw in Notepad++ code itself).
- Method: Attackers gained access to the shared hosting server for notepad-plus-plus.org, enabling them to intercept update requests from the WinGUp updater client. They redirected traffic from selectively targeted users to attacker-controlled servers, serving malicious update manifests and payloads.
- Duration: June 2025 to December 2, 2025 (full remediation date). The hosting provider lost server control on September 2, 2025, but attackers retained internal service credentials until December.
- Impact Scope: Highly targeted—not mass infection. Security researchers identified infections primarily in East Asian telecommunications and financial organizations. No widespread compromise of all Notepad++ users occurred.
- Malware Delivered: Custom backdoor (dubbed “Chrysalis” by Rapid7), enabling hands-on keyboard access and espionage on compromised machines.
The incident highlights growing risks in open-source software supply chains, where even small projects can become high-value targets for nation-state actors.
Timeline of the Notepad++ Security Incident
- June 2025: Attack begins with hosting provider compromise.
- September 2, 2025: Attackers lose direct server access after kernel/firmware updates.
- November 10, 2025: Attack activity reportedly ceases (per expert analysis).
- December 2, 2025: All attacker access terminated; credentials rotated.
- Early December 2025: Security researcher Kevin Beaumont flags incidents linked to tainted Notepad++ processes.
- December 9, 2025: Notepad++ releases v8.8.9 to fix updater authentication weaknesses.
- February 2, 2026: Official disclosure from maintainer Don Ho confirms state-sponsored hijacking; project migrates to new, hardened hosting provider.
- February 2026: Independent analyses (Rapid7, others) link the activity to a Chinese APT (e.g., Lotus Blossom / Zirconium / Violet Typhoon).
Who Was Behind It? Attribution Insights
Multiple cybersecurity firms and independent researchers attribute the attack to a Chinese state-sponsored group with a long history of espionage. The selective targeting (East Asia focus, telecom/finance sectors) and custom tooling align with known operations by groups like Lotus Blossom. No official Chinese government acknowledgment has been made.
Risks and Who Should Be Concerned
- Most Users: Low risk if you never auto-updated between June and December 2025 or are outside targeted regions/sectors.
- Higher Risk: Developers, IT admins, organizations in East Asia (telecom, finance), or anyone who auto-updated during the window.
- Potential Consequences: Backdoor installation → persistent access, data exfiltration, credential theft, or further network pivoting.
No evidence suggests source code repositories (GitHub) or the Notepad++ codebase itself were altered.
What Should You Do Right Now?
- Update Immediately: Download and install the latest version (v8.9.1 or newer) directly from the official site. Manual install overwrites potentially compromised files.
- Verify Your Installation: Check your Notepad++ version (Help > About). Avoid auto-updates from older builds.
- Scan for Threats: Run full antivirus/malware scans (e.g., Windows Defender, Malwarebytes, ESET). Monitor for unusual network activity.
- Enterprise/Org Advice: Review logs for update traffic anomalies (June–December 2025); isolate and investigate affected endpoints.
- Best Practices Going Forward: Disable auto-updates if possible, or verify downloads via checksums; prefer direct downloads from official sources.
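A small triage script covering the steps above (installed-version check against the first fixed release, review of proxy logs for updater traffic during the June–December 2025 window, and checksum verification of a manual download). This is an added example for this article, not Notepad++ project code; the tab-separated log format, the sample log lines, the expected-host allowlist and the use of a "WinGUp" user-agent token are assumptions to adapt to your environment.

```python
"""Triage helpers for the Notepad++ updater-hijack window (added example).
Log format, host allowlist and the 'WinGUp' user-agent token are assumptions."""
import hashlib
from datetime import date, datetime
from urllib.parse import urlsplit

WINDOW_START = date(2025, 6, 1)    # attack began June 2025 (per the article)
WINDOW_END = date(2025, 12, 2)     # remediation completed 2 Dec 2025 (per the article)
MIN_SAFE_VERSION = (8, 9, 1)       # article: install v8.9.1 or newer
EXPECTED_HOSTS = {"notepad-plus-plus.org", "github.com"}  # assumption: tune per proxy
UPDATER_TOKEN = "WinGUp"           # assumption: proxy records the updater's UA

# Constructed proxy log: timestamp<TAB>client<TAB>user-agent<TAB>url
SAMPLE_LOG = (
    "2025-05-20T09:01:11\t10.0.0.7\tWinGUp/5.2\thttps://notepad-plus-plus.org/update/check\n"
    "2025-08-14T10:22:05\t10.0.0.5\tWinGUp/5.2\thttps://notepad-plus-plus.org/update/check\n"
    "2025-08-14T10:22:06\t10.0.0.5\tWinGUp/5.2\thttps://cdn.example.invalid/installer.exe\n"
    "2025-08-14T11:00:00\t10.0.0.9\tMozilla/5.0 (Windows NT 10.0)\thttps://cdn.example.invalid/a.png\n"
    "2026-01-10T08:00:00\t10.0.0.5\tWinGUp/5.2\thttps://github.com/notepad-plus-plus/notepad-plus-plus/releases\n"
)

def version_tuple(text):
    """'v8.8.9' -> (8, 8, 9); missing components count as 0."""
    nums = tuple(int(p) for p in text.strip().lstrip("vV").split(".") if p.isdigit())
    return nums + (0,) * (3 - len(nums))

def needs_update(installed):
    """True when the installed build (Help > About) predates the first fixed release."""
    return version_tuple(installed) < MIN_SAFE_VERSION

def suspicious_update_events(log_text):
    """Updater traffic inside the incident window that left the expected hosts."""
    hits = []
    for line in log_text.splitlines():
        ts, client, agent, url = line.split("\t", 3)
        if UPDATER_TOKEN not in agent:
            continue                      # not the updater client
        when = datetime.fromisoformat(ts).date()
        if not WINDOW_START <= when <= WINDOW_END:
            continue                      # outside June-December 2025
        host = (urlsplit(url).hostname or "").lower()
        if host not in EXPECTED_HOSTS:
            hits.append((ts, client, host))   # endpoint to isolate and investigate
    return hits

def checksum_matches(data, expected_sha256):
    """Compare a manually downloaded installer's SHA-256 with the published value."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()
```

Feed `suspicious_update_events` your real proxy export (adjusting the field split and allowlist) and treat every returned client as an endpoint to isolate and investigate, not as a confirmed infection.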
Notepad++ maintainer Don Ho apologized to users and emphasized the project’s migration to stronger hosting with enhanced security controls.
This incident serves as a stark reminder of supply chain vulnerabilities—even trusted, lightweight tools can be weaponized in sophisticated campaigns.
Ethan Brooks covers electric vehicles and clean mobility for VFuture Media. He tracks EV market trends, charging infrastructure, new model launches, and the increasingly blurry line between software and transportation. From Tesla’s autonomous driving milestones to Europe’s surging BEV sales, Ethan follows the numbers and the narratives behind them. He writes for readers who want the full picture on where the EV industry is actually headed — not just where brands say it is.