
Ethical Hacking News

Notepad++ Update Hacked: China-Backed Hackers Exploit Vulnerability to Deliver Malicious Software



Notepad++ users may have unwittingly fallen victim to a sophisticated cyber attack. China-backed hackers compromised the update infrastructure of Notepad++, delivering malicious software to select targets, highlighting the need for improved cybersecurity measures.

  • A sophisticated attack compromised Notepad++'s update infrastructure, delivering backdoored versions to select targets.
  • The attackers used a custom backdoor called Chrysalis, which has a wide array of capabilities and is described as a "permanent tool."
  • Insufficient update verification controls in older versions of Notepad++ were exploited by the hackers.
  • Users should ensure they're running version 8.8.8 or higher installed manually from notepad-plus-plus.org, according to independent researcher Kevin Beaumont.
  • Larger organizations should consider blocking notepad-plus-plus.org or specific processes to prevent similar attacks.



    The world of cybersecurity has witnessed its fair share of high-profile hacks and breaches, but a recent incident involving the popular free source code editor and note-taking app Notepad++ has left many users wondering about the state of their digital security. A sophisticated attack carried out by suspected China-state backed hackers has compromised the update infrastructure of Notepad++, delivering backdoored versions of the application to select targets.

    According to information released by the developers of Notepad++, the attack began last June, when an "infrastructure-level compromise" allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org. The attackers then selectively redirected certain targeted users to malicious update servers, where they received infected updates. Notepad++ did not regain control of its infrastructure until December.

    The attackers used their access to install a never-before-seen payload that has been dubbed Chrysalis, which security firm Rapid7 describes as a "custom, feature-rich backdoor." The tool has a wide array of capabilities, indicating it is a sophisticated, permanent tool rather than a simple throwaway utility.

    According to independent researcher Kevin Beaumont, the attackers targeted the Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++. Event logs indicate that the hackers tried to re-exploit one of the weaknesses after it was fixed, but the attempt failed.

    Beaumont explained that his suspicions were aroused when Notepad++ version 8.8.8 introduced bug fixes in mid-November to "harden the Notepad++ Updater from being hijacked to deliver something… not Notepad++." The update made changes to a bespoke Notepad++ updater known as GUP, or alternatively WinGUP. The gup.exe executable reports the version in use to https://notepad-plus-plus.org/update/getDownloadUrl.php and then retrieves a URL for the update from a file named gup.xml. The file specified in the URL is downloaded to the %TEMP% directory of the device and then executed.

    Beaumont wrote that if you can intercept and change this traffic, you can redirect the download to any location, it appears, by changing the URL in the property. This traffic is supposed to be over HTTPS; however, it appears you may be [able] to tamper with the traffic if you sit at the ISP level and TLS intercept. In earlier versions of Notepad++, the traffic was just over HTTP.

    The downloads themselves are signed—however, some earlier versions of Notepad++ used a self-signed root cert, which is on GitHub. With 8.8.7, the prior release, this was reverted to GlobalSign. Effectively, there’s a situation where the download isn’t robustly checked for tampering. Because traffic to notepad-plus-plus.org is fairly rare, it may be possible to sit inside the ISP chain and redirect to a different download.
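    To make the verification gap concrete, the following added example (not code from Notepad++ or from Beaumont's post) models the manifest step of the update flow described above. It parses a constructed gup.xml-style response and contrasts the naive behaviour, where whatever URL the manifest carries is what gets fetched into %TEMP% and run, with a checked variant that refuses a download location unless it is HTTPS and on an allow-listed host; the element names and the allow-list policy are assumptions for the example.

```python
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlparse

# Constructed sample manifest in the shape of gup.xml. The element names are
# an assumption for this example, not taken from the GUP source.
LEGIT_MANIFEST = """<?xml version="1.0"?>
<GUPOutput>
  <NeedToBeUpdated>yes</NeedToBeUpdated>
  <Version>8.8.8</Version>
  <Location>https://notepad-plus-plus.org/downloads/npp.8.8.8.Installer.exe</Location>
</GUPOutput>"""

# Constructed sample of a manifest as an on-path tamperer could rewrite it:
# identical structure, but Location now points elsewhere over plain HTTP.
TAMPERED_MANIFEST = LEGIT_MANIFEST.replace(
    "https://notepad-plus-plus.org/downloads/npp.8.8.8.Installer.exe",
    "http://updates.example.invalid/npp.8.8.8.Installer.exe")

ALLOWED_HOSTS = {"notepad-plus-plus.org"}  # assumed policy for this example


def download_url_naive(manifest: str) -> Optional[str]:
    """Pre-hardening behaviour as the article describes it: the URL in the
    manifest is trusted as-is, so a rewritten manifest redirects the download."""
    root = ET.fromstring(manifest)
    if root.findtext("NeedToBeUpdated", "").strip().lower() != "yes":
        return None
    return root.findtext("Location")


def download_url_checked(manifest: str) -> Optional[str]:
    """Checked variant: reject any Location that is not HTTPS or not on an
    allow-listed host, so a redirected manifest is refused rather than executed."""
    url = download_url_naive(manifest)
    if url is None:
        return None
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise ValueError(f"refusing non-HTTPS download location: {url}")
    if parsed.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"refusing download from unexpected host: {parsed.hostname}")
    return url


def manifest_is_trusted(manifest: str) -> bool:
    """True only when the checked path accepts the manifest's download location."""
    try:
        return download_url_checked(manifest) is not None
    except ValueError:
        return False
```

    A URL check of this kind only defeats a plain redirect; against an adversary who can TLS-intercept at the ISP level, as Beaumont describes, the download must additionally be verified by a signature chaining to a publicly trusted root rather than a self-signed one.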

    To do this at any kind of scale requires a lot of resources. Beaumont published his working theory in December, two months to the day prior to Monday’s advisory by Notepad++. Combined with the details from Notepad++, it’s now clear that the hypothesis was spot on. Beaumont also warned that search engines are so “rammed full” of advertisements pushing trojanized versions of Notepad++ that many users are unwittingly running them inside their networks.

    A rash of malicious Notepad++ extensions only compounds the risk. He advised that all users ensure they’re running the official version 8.8.8 or higher installed manually from notepad-plus-plus.org. Since he penned that advice, Notepad++ developers have urged all users to ensure they’re running 8.9.1 or higher.

    Larger organizations that manage Notepad++ and update it, he said, should consider blocking notepad-plus-plus.org or blocking the gup.exe process from having internet access. “You may also want to block internet access from the notepad++.exe process, unless you have robust monitoring for extensions,” he added, but cautioned “for most organisations, this is very much overkill and not practical.”

    Users who want to investigate whether their devices have been targeted should refer to the indicators of compromise section of the previously linked Rapid7 post.

    Notepad++ has long attracted a large and loyal user base because it offers functions that aren’t available from the official Windows text editor Notepad. Recent moves by Microsoft to integrate Copilot AI into Notepad have driven further interest in the alternative editor. Alas, like so many other open source projects, funding for Notepad++ is dwarfed by the dependence the internet places on it.

    The weaknesses that made the six-month compromise possible could easily have been caught and fixed had more resources been available.

    This story originally appeared on Ars Technica.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Notepad-Update-Hacked-China-Backed-Hackers-Exploit-Vulnerability-to-Deliver-Malicious-Software-ehn.shtml

  • https://www.wired.com/story/notepad-plus-plus-china-hackers-update-infrastructure/

  • https://notepad-plus-plus.org/news/hijacked-incident-info-update/

  • https://arstechnica.com/security/2026/02/notepad-updater-was-compromised-for-6-months-in-supply-chain-attack/


  • Published: Wed Feb 4 14:09:01 2026 by llama3.2 3B Q4_K_M
