Ethical Hacking News

A Web of Deception: The Sinister Forces Behind Notepad++'s Compromised Update Infrastructure


Notepad++, a popular free source code editor and note-taking app for Windows, was compromised by suspected Chinese state-backed hackers who used their control to deliver backdoored versions of the app to select targets. The attackers installed a never-before-seen payload, dubbed Chrysalis, which has been described as a "custom, feature-rich backdoor." Cybersecurity experts are warning users about the risks and urging them to ensure they’re running the official version 8.8.8 or higher installed manually from notepad-plus-plus.org.

  • Notepad++ was compromised by suspected Chinese state-backed hackers who delivered backdoored updates to select targets.
  • The attackers used a sophisticated payload called Chrysalis, which is a permanent and feature-rich backdoor.
  • Three separate organizations reported experiencing security incidents after installing Notepad++, all with interests in East Asia.
  • The attack exploited insufficient update verification controls that existed in older versions of Notepad++.
  • The vulnerability was due to the use of a self-signed root cert, which could be tampered with.
  • Users are advised to run official version 8.8.8 or higher installed manually from notepad-plus-plus.org to avoid risks.



    In a revelation that has sent ripples through the cybersecurity community, Notepad++, the popular free source code editor and note-taking app for Windows, was compromised by suspected Chinese state-backed hackers. The attackers used their control to deliver backdoored versions of the app to select targets, demonstrating a high level of sophistication.

    According to independent researcher Kevin Beaumont, the attack began last June with an "infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for Notepad++'s official update infrastructure." The attackers then selectively redirected certain targeted users to malicious update servers where they received backdoored updates. This brazen move allowed the hackers to install a never-before-seen payload, dubbed Chrysalis, which has been described as a "custom, feature-rich backdoor."

    Security firm Rapid7 characterized Chrysalis as a "sophisticated and permanent tool, not a simple throwaway utility." Its wide array of capabilities indicates that it was built for long-term use, designed to give the attackers a high degree of control over compromised Notepad++ installations. This has left cybersecurity experts scrambling to understand the full extent of the attack and to warn users about the risks.

    According to incident logs, the hackers tried to re-exploit one of the weaknesses after it was fixed, but the attempt failed. The attack was not limited to a single user or organization: three separate organizations told independent researcher Kevin Beaumont that devices inside their networks with Notepad++ installed experienced "security incidents" that "resulted in hands-on keyboard threat actors." All three of these organizations have interests in East Asia.

    Researchers believe that the attackers targeted the Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++. The fix made changes to a bespoke Notepad++ updater known as GUP, or alternatively WinGUP. The gup.exe executable reports the installed version to https://notepad-plus-plus.org/update/getDownloadUrl.php and then retrieves a URL for the update from a file named gup.xml. This traffic is supposed to travel over HTTPS; however, it appears the traffic could be tampered with by an attacker positioned at the ISP level who performs TLS interception.

    Earlier versions of Notepad++ used a self-signed root cert, which is on GitHub. With 8.8.7, the prior release, this was reverted to GlobalSign. The net effect is that the download was not robustly checked for tampering. This has left researchers and cybersecurity experts scrambling to understand how the attackers were able to exploit this weakness.

    Beaumont warned that search engines are so "rammed full" of advertisements pushing trojanized versions of Notepad++ that many users are unwittingly running them inside their networks. A rash of malicious Notepad++ extensions only compounds the risk. He advised that all users ensure they’re running the official version 8.8.8 or higher installed manually from notepad-plus-plus.org.

    Larger organizations that manage Notepad++ and update it, he said, should consider blocking notepad-plus-plus.org or blocking the gup.exe process from having internet access. However, he cautioned that "for most organisations, this is very much overkill and not practical." Users who want to investigate whether their devices have been targeted should refer to the indicators of compromise section of the previously linked Rapid7 post.
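    A defender-side check of the advice above, added here as an example (it is not from the article or the Notepad++ project): it confirms the installed version meets the 8.8.8 floor, verifies the Authenticode signatures on notepad++.exe and the GUP updater, and optionally adds the outbound firewall block for gup.exe that Beaumont describes. The install directory and the updater subfolder are assumed defaults.

```powershell
# Added example (not from the article or the Notepad++ project).
# Assumes the default install location; adjust $InstallDir if yours differs.
param(
    [string]$InstallDir = "$env:ProgramFiles\Notepad++",
    [switch]$BlockUpdater   # opt-in: add the outbound firewall block for gup.exe
)

$MinimumVersion = [version]'8.8.8'    # version the article says users should run
$NotepadExe = Join-Path $InstallDir 'notepad++.exe'
$GupExe     = Join-Path $InstallDir 'updater\GUP.exe'   # assumed updater path

if (-not (Test-Path $NotepadExe)) {
    Write-Warning "notepad++.exe not found under $InstallDir; nothing to check."
    return
}

# 1. Installed version against the 8.8.8 floor (strip any suffix before casting).
$verString = (Get-Item $NotepadExe).VersionInfo.ProductVersion -replace '[^\d.].*$', ''
$installed = [version]$verString
if ($installed -lt $MinimumVersion) {
    Write-Warning "Notepad++ $installed is below $MinimumVersion; reinstall manually from notepad-plus-plus.org."
} else {
    Write-Output "Notepad++ $installed meets the $MinimumVersion floor."
}

# 2. Authenticode signature on the editor and its updater.
foreach ($exe in (@($NotepadExe, $GupExe) | Where-Object { Test-Path $_ })) {
    $sig = Get-AuthenticodeSignature -FilePath $exe
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$exe : signature status is '$($sig.Status)'; treat the binary as suspect."
    } else {
        Write-Output "$exe : valid signature from $($sig.SignerCertificate.Subject)"
    }
}

# 3. Optional: deny gup.exe outbound access (the control the article reserves for managed fleets).
if ($BlockUpdater -and (Test-Path $GupExe)) {
    $ruleName = 'Block Notepad++ GUP updater (outbound)'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Program $GupExe `
                            -Action Block -Profile Any | Out-Null
        Write-Output "Added outbound block rule for $GupExe"
    }
}
```

    Run without -BlockUpdater for a read-only audit; the firewall step requires an elevated session.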

    Notepad++ has long attracted a large and loyal user base because it offers functions that aren’t available from the official Windows text editor Notepad. Recent moves by Microsoft to integrate Copilot AI into Notepad have driven further interest in the alternative editor. Alas, like so many other open source projects, funding for Notepad++ is dwarfed by the dependence the internet places on it.

    The weaknesses that made the six-month compromise possible could easily have been caught and fixed had more resources been available. As the cybersecurity community continues to grapple with the implications of this attack, one thing is clear: the exploitation of vulnerabilities in widely used software can have far-reaching consequences for users around the world.




    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Web-of-Deception-The-Sinister-Forces-Behind-Notepads-Compromised-Update-Infrastructure-ehn.shtml

  • https://www.wired.com/story/notepad-plus-plus-china-hackers-update-infrastructure/

  • https://arstechnica.com/security/2026/02/notepad-updater-was-compromised-for-6-months-in-supply-chain-attack/

  • https://www.pcmag.com/news/chinese-hackers-hit-notepad-plus-plus-to-serve-malicious-update

  • https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/

  • https://cloud.google.com/security/resources/insights/apt-groups


  • Published: Wed Feb 18 08:24:11 2026 by llama3.2 3B Q4_K_M