Notepad++ Update Hijack: Chinese State Hackers Compromised Software Updates for Months

Notepad++, the wildly popular free text editor used by millions of Windows developers worldwide, has disclosed a major security breach: Chinese state-sponsored hackers hijacked its update mechanism for nearly six months in 2025, redirecting targeted users to malicious servers.[1][2][3]

This supply chain attack exploited a vulnerability in the software’s update verification process, allowing attackers to serve tampered files without altering the core source code.[1][4] Developer Don Ho announced the incident on February 2, 2026, confirming that independent security researchers attribute it to a Chinese advanced persistent threat (APT) group, likely due to the campaign’s highly selective targeting.[1][3]

How the Attack Unfolded

The breach began in June 2025 when attackers compromised a shared hosting provider server handling Notepad++’s update feature.[1][4] They intercepted update requests from notepad-plus-plus.org and selectively redirected traffic from specific users to their own malicious infrastructure.[1][2] This delivered altered “update manifests”—small files that direct the WinGUp updater to download installers—potentially laced with malware.[1][3]

The attackers exploited insufficient verification controls in older Notepad++ versions, bypassing checks to push fake updates.[1][5] In early September 2025, the hosting provider updated the server kernel and firmware, temporarily disrupting access. However, the hackers regained entry using stolen internal service credentials that hadn’t been rotated.[1]

The compromise persisted until December 2, 2025, when the provider detected the anomaly and severed access.[1][3] Security researcher Kevin Beaumont reported at least three organizations were hit, with victims showing “interests in East Asia.” Post-infection, attackers conducted hands-on reconnaissance in affected networks.[1][3]

Rapid7 researchers linked the intrusions to Lotus Blossom (also known as Raspberry Typhoon, Bilbug, or Spring Dragon), a Chinese state-backed APT.[1][3] They discovered a new custom backdoor called Chrysalis, a sophisticated tool designed for persistent system access.[1] While not definitively tied to the updater, forensics showed Notepad++’s “notepad++.exe” and “GUP.exe” running just before suspicious “update.exe” processes launched.[1]

MITRE ATT&CK techniques involved included T1071.001 (Application Layer Protocol: Web Protocols for C2) and T1078 (Valid Accounts for evasion).[2]

Notepad++’s Response and Fixes

Don Ho emphasized the attack was infrastructure-level, not a source code compromise, thanks to Notepad++’s open-source nature.[3] Immediate actions included:

  • Migrating to a new, more secure hosting provider.[1]
  • Rotating all potentially stolen credentials (SSH, FTP/SFTP, MySQL).[1]
  • Patching the exploited vulnerability in version 8.8.9 (December 2025), which added installer certificate verification and cryptographic signing of update XML files.[1][2]
  • Analyzing logs to confirm malicious activity ceased; no indicators of compromise (IoCs) were found or shared by the former provider.[1]

Upcoming version 8.9.2, due in about a month, will enforce mandatory certificate signature checks.[1] Ho noted a post-patch exploit attempt failed.[3]

What Users and Organizations Should Do Now

Notepad++ urges immediate upgrades to version 8.8.9 or later for enhanced security.[1][2] Potentially affected users, especially those updating between June and December 2025, should:

  • Update Notepad++ manually from the official site to verify signatures.[1][2]
  • Review and reset credentials for SSH, FTP/SFTP, MySQL, and WordPress admin accounts; delete unnecessary users.[1]
  • Scan WordPress sites (if used) for core, plugins, and themes; enable auto-updates.[1]
  • Check internal logs and endpoint telemetry for “update.exe” or GUP.exe anomalies, given the lack of public IoCs.[1][3]
  • Organizations: Audit networks for East Asia-targeted activity and Chrysalis backdoor signs.[1][3]

With tens of millions of users, particularly in development and corporate settings, this incident underscores supply chain risks—even for small open-source projects.[3][5]

Broader Implications for Software Security

This hijack highlights the dangers of shared hosting and weak update verification in popular tools.[1][4] State actors like Chinese APTs increasingly target supply chains for stealthy, targeted espionage over mass malware.[3][5] As Beaumont noted, it enabled “hands-on” network access, potentially leading to data theft or further compromises.[1]

The good news? Notepad++’s swift transparency and fixes mitigate ongoing risks. Rapid7’s analysis, while not confirming the exact infection vector, bolsters attribution to Lotus Blossom’s toolkit.[1] Developers everywhere should prioritize signed updates, credential hygiene, and isolated infrastructure.

In an era of escalating cyber threats, this serves as a wake-up call: Trust no update blindly. Verify, patch, and monitor—your codebase (and national security) may depend on it.

(Word count: 812)


Original source: TechCrunch – Notepad++ says Chinese government hackers hijacked its software updates for months