Suspected Chinese state-backed hackers hijacked the Notepad++ update infrastructure to deliver a backdoored version of the popular free source code editor and note-taking app for Windows.
# Incident Report: Notepad++ Update Infrastructure Compromise
## Executive Summary
Suspected Chinese state-backed threat actors successfully compromised the update infrastructure for the Notepad++ text editor, granting them the ability to deliver a custom, sophisticated backdoor named 'Chrysalis' via trojanized updates to a select group of targeted users over approximately six months. The incident remained undetected until infrastructure control was regained in December, leading to urgent advisories for users to update to patched versions.
## Incident Details
- Discovery Date: Mid-November (Independent researcher raised theory); Officially acknowledged around February 3, 2026 (Monday).
- Incident Date: Attack began in June (approximately June 2025).
- Affected Organization: Notepad++ project (host of the update infrastructure).
- Sector: Software Development/Distribution.
- Geography: Global distribution, targeted victims noted in East Asia.
## Timeline of Events
### Initial Access
- Date/Time: Beginning of June (2025)
- Vector: Infrastructure-level compromise/Exploitation of update verification weaknesses.
- Details: Attackers gained control over the infrastructure hosting Notepad++ updates, allowing them to intercept and redirect update traffic destined for `notepad-plus-plus.org`. Initial access exploited insufficient verification controls in older versions of Notepad++.
### Lateral Movement
- Details: Not explicitly detailed beyond control of the update delivery system. However, compromised targets experienced "hands on keyboard" access, suggesting successful execution of malware leading to full system compromise upon update installation.
### Data Exfiltration/Impact
- Details: Targeted users whose update traffic was selectively redirected received updates containing the 'Chrysalis' backdoor. In at least three organizations with interests in East Asia, this resulted in the threat actors gaining hands-on-keyboard control over internal systems.
### Detection & Response
- Date/Time: Update infrastructure control regained in December (2025).
- Details: An independent researcher (Kevin Beaumont) published a working theory in December. Notepad++ developers confirmed the compromise and released an advisory on Monday (Feb 3, 2026). Fixes hardening the updater (GUP) shipped in version 8.8.8 (mid-November), although infrastructure control was not fully restored until December 2.
## Attack Methodology
- Initial Access: Exploiting insufficient update verification controls in older Notepad++ versions to gain control of update infrastructure.
- Persistence: Maintained credentials to internal services until December 2, allowing sustained redirection of update traffic.
- Privilege Escalation: Not specified, but successful payload delivery granted system-level access (hands-on-keyboard).
- Defense Evasion: Deployment of a sophisticated, feature-rich, never-before-seen custom backdoor named 'Chrysalis'.
- Credential Access: Implied by "hands on keyboard" access on victim systems.
- Discovery: Not applicable to the threat actor in the initial phase; an independent researcher observed anomalies that led to exposure.
- Lateral Movement: Successful deployment of malware/backdoor on target machines resulted in interactive control.
- Collection: Unknown details, but implied activity consistent with state-sponsored espionage goals.
- Exfiltration: Unknown, but characteristic of data theft associated with state-backed actors.
- Impact: Hands-on-keyboard access granted to select victims resulting in potential system takeover.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: Undetermined scope, but involved potential compromise of systems within at least three organizations.
- Operational: Minimal operational impact on the Notepad++ project itself, but significant risk exposure for targeted end-users running backdoored versions.
- Reputational: Significant reputational impact following public disclosure by the project lead ("I deeply apologize to all users affected").
## Indicators of Compromise
- Network Indicators (Defanged): Traffic redirection from `notepad-plus-plus.org` services involved in update checks (e.g., `notepad-plus-plus.org/update/getDownloadUrl.php`).
- File Indicators: The novel 'Chrysalis' backdoor payload.
- Behavioral Indicators: Use of the Notepad++ GUP updater mechanism to download unsigned or improperly verified files from malicious mirrors. Older versions used HTTP instead of HTTPS, potentially allowing interception or tampering of update traffic at the ISP level.
## Response Actions
- Containment measures: Update infrastructure control regained by December 2 (2025).
- Eradication steps: Developers rolled out patches (v8.8.8 and later v8.9.1) hardening the GUP updater mechanism against hijacking, reverting signing certificates to GlobalSign (from a self-signed root cert used previously).
- Recovery actions: Urging all users to manually update to official versions 8.8.8 or higher (ideally 8.9.1 or higher).
## Lessons Learned
- The necessity of robust, end-to-end encryption and strong signature verification (especially signed by trusted CAs like GlobalSign) for software update mechanisms. Earlier versions relying on HTTP or weakly verified certificates were vulnerable to infrastructure-level tampering.
- State-sponsored actors dedicate significant resources to compromising widely used, trusted supply chains (like open-source tools) to achieve broad reach.
- The risk posed by secondary infection vectors, such as trojanized versions distributed via search engine advertising, must be actively mitigated.
## Recommendations
- All users must immediately update Notepad++ to version 8.9.1 or later, ideally performing a manual download from the official source rather than relying on automatic updates until confidence in infrastructure stability is restored.
- Organizations managing Notepad++ deployment should audit their update configuration to ensure robust HTTPS enforcement and certificate validation for the GUP executable.
- Organizations should consider network-level blocking of traffic to `notepad-plus-plus.org` update endpoints if manual updates are being enforced centrally.
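As an added example (not from the advisory or the Notepad++ project), the following Python audits the two conditions the indicators and recommendations above call out: installs still below the advised 8.9.1, and hosts whose update checks to `notepad-plus-plus.org/update/` went over plaintext HTTP. The inventory and proxy-log formats are constructed assumptions, not real export formats.

```python
"""Audit Notepad++ update exposure from a host inventory and a web proxy log.
Added example: the inventory and log formats are constructed, not real ones."""
import csv
from urllib.parse import urlsplit
UPDATE_HOST = "notepad-plus-plus.org"  # update-check domain named in the advisory
UPDATE_PATH_PREFIX = "/update/"        # e.g. /update/getDownloadUrl.php
MIN_SAFE_VERSION = "8.9.1"             # version users are urged to move to

# Constructed inventory export (hostname, installed Notepad++ version); not real data
INVENTORY_CSV = """host,version
ws-101,8.8.8
ws-102,8.7.1
ws-103,8.10
"""

# Constructed proxy log, one request per line as "<host> <method> <url>" (assumed format)
PROXY_LOG = """ws-101 GET http://notepad-plus-plus.org/update/getDownloadUrl.php?version=8.8.8
ws-102 GET https://notepad-plus-plus.org/update/getDownloadUrl.php?version=8.7.1
ws-103 GET https://notepad-plus-plus.org/update/getDownloadUrl.php?version=8.10
ws-103 GET http://example.org/index.html
"""

def parse_version(text):
    """Turn '8.8.8' into a comparable tuple, so 8.10 sorts above 8.9.1."""
    return tuple(int(part) for part in text.strip().split("."))

def plaintext_update_hosts(log_text):
    """Hosts seen making a plaintext HTTP request to the update endpoint."""
    hosts = set()
    for line in log_text.splitlines():
        host, _method, url = line.split(maxsplit=2)
        parts = urlsplit(url)
        if (parts.scheme == "http" and parts.hostname == UPDATE_HOST
                and parts.path.startswith(UPDATE_PATH_PREFIX)):
            hosts.add(host)
    return hosts

def audit(inventory_csv, log_text, min_version=MIN_SAFE_VERSION):
    """Return {host: [findings]}; an empty list means no action needed."""
    cleartext = plaintext_update_hosts(log_text)
    report = {}
    for row in csv.DictReader(inventory_csv.splitlines()):
        findings = []
        if parse_version(row["version"]) < parse_version(min_version):
            findings.append(f"version {row['version']} below {min_version}")
        if row["host"] in cleartext:
            findings.append("plaintext HTTP update check observed")
        report[row["host"]] = findings
    return report
```

Hosts with an empty findings list are at or above the advised version and were only seen checking for updates over HTTPS.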