Ethical Hacking News
Notepad++ users take note: It's time to check if you're hacked
Suspected China-state hackers used update infrastructure to deliver backdoored version.
By Dan Goodin, Senior Security Editor
A six-month infestation by suspected China-state hackers has compromised the update infrastructure of Notepad++, leaving it vulnerable to malicious activity. The hackers exploited weaknesses in the update process to deliver tainted updates to select targets.
Notepad++ update infrastructure compromised by suspected China-state hackers. Attack allowed malicious actors to install a permanent backdoor called Chrysalis. Users advised to run official version 8.8.8 or higher, and larger organizations to consider blocking the updater's Internet access. Notepad++ developers urge users to update to version 8.9.1 or higher. Incident highlights need for more resources and attention for the update infrastructure of open-source projects like Notepad++.
It has been revealed that suspected China-state hackers compromised the update infrastructure of the widely used text editor Notepad++, leaving it exposed to six months of malicious activity. The hackers, who are believed to be backed by the Chinese government, exploited weaknesses in the update process to deliver backdoored versions of the app to select targets.
According to experts, the attack began last June with an "infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org." The attackers then selectively redirected certain targeted users to malicious update servers where they received tainted updates. Notepad++ didn't regain control of its infrastructure until December.
The hackers used their access to install a never-before-seen payload dubbed Chrysalis, which security firm Rapid7 described as a "custom, feature-rich backdoor." The tool is considered a persistent implant rather than a simple throwaway utility. The attackers took advantage of insufficient update verification controls that existed in older versions of Notepad++.
Independent researcher Kevin Beaumont warned that search engines are "rammed full" with advertisements pushing trojanized versions of Notepad++, putting many users at risk. He advised that all users ensure they're running the official version 8.8.8 or higher installed manually from notepad-plus-plus.org. Larger organizations should consider blocking notepad-plus-plus.org or blocking the gup.exe process from having Internet access.
Beaumont's warnings come as Notepad++ developers have urged all users to ensure they're running 8.9.1 or higher. The text editor has long attracted a large and loyal user base due to its unique features, which set it apart from the official Windows text editor Notepad. However, that popularity also makes it a more attractive target for exploitation.
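The two defensive steps the article recommends, confirming that the installed build meets the minimum version (8.8.8 per Beaumont, 8.9.1 per the developers) and denying the updater process Internet access, can be checked with a short script. The following PowerShell is an added example, not code from the article, from Rapid7 or from the Notepad++ project; the install directory, the `updater\GUP.exe` location, the firewall rule name and the script file name are assumptions.

```powershell
# Added example (not from the article or the Notepad++ project): checks the installed
# Notepad++ build against a minimum version, reports the Authenticode signer of the
# editor and its updater, and optionally blocks the updater (GUP.exe) from reaching
# the Internet with a Windows Firewall rule. Paths and rule name are assumptions.
param(
    [version]$MinimumVersion = '8.9.1',                    # developers' figure; Beaumont cited 8.8.8
    [string]$InstallDir = "$env:ProgramFiles\Notepad++",   # assumed default 64-bit install path
    [switch]$BlockUpdater                                   # also add an outbound block rule for GUP.exe
)

$exe = Join-Path $InstallDir 'notepad++.exe'
$gup = Join-Path $InstallDir 'updater\GUP.exe'              # assumed updater location

if (-not (Test-Path $exe)) {
    Write-Warning "notepad++.exe not found under $InstallDir; check for a per-user or 32-bit install."
    return
}

# 1. Version check: ProductVersion is read from the executable's version resource.
$productVersion = (Get-Item $exe).VersionInfo.ProductVersion
$installed = [version]$productVersion
if ($installed -ge $MinimumVersion) {
    Write-Host "OK: Notepad++ $installed meets minimum $MinimumVersion"
} else {
    Write-Warning "OUTDATED: Notepad++ $installed is below $MinimumVersion; reinstall manually from notepad-plus-plus.org"
}

# 2. Signature check: a binary delivered by a rogue update server or an ad-pushed
#    installer may be unsigned or signed by a different party. The script only reports
#    the status and signer subject; the administrator reviews them.
foreach ($file in @($exe, $gup) | Where-Object { Test-Path $_ }) {
    $sig = Get-AuthenticodeSignature -FilePath $file
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(no certificate)' }
    Write-Host ("{0}: signature {1}, signer {2}" -f (Split-Path $file -Leaf), $sig.Status, $subject)
}

# 3. Optional mitigation from the article: deny the updater outbound network access.
#    Requires an elevated session. The rule name is an assumption.
if ($BlockUpdater -and (Test-Path $gup)) {
    $ruleName = 'Block Notepad++ updater (GUP.exe) outbound'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Program $gup -Action Block -Profile Any | Out-Null
        Write-Host "Added outbound block rule for $gup"
    } else {
        Write-Host "Outbound block rule for $gup already present"
    }
}
```

Saved as, for instance, `Check-NotepadPlusPlus.ps1`, it runs as `.\Check-NotepadPlusPlus.ps1` for the report alone and as `.\Check-NotepadPlusPlus.ps1 -BlockUpdater` from an elevated prompt to add the firewall rule. Blocking the updater means future releases must be installed by hand from notepad-plus-plus.org, which is the procedure Beaumont recommends in any case.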
The incident highlights the need for more resources and attention to be dedicated to the update infrastructure of open-source projects like Notepad++. Funding for Notepad++ is tiny compared with how widely the project is relied upon, leaving weaknesses that could have been caught and fixed had more resources been available.
In light of this revelation, users are advised to take immediate action to secure their devices. The indicators of compromise section of the previously linked Rapid7 post provides valuable information for those who want to investigate whether their devices have been targeted.
The incident serves as a stark reminder of the importance of cybersecurity and the need for vigilance in the face of emerging threats. As the world becomes increasingly interconnected, it is essential that we prioritize protecting our digital infrastructure and the software that powers it.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Great-Notepad-Heist-A-Six-Month-Infestation-by-Suspected-China-State-Hackers-ehn.shtml
Published: Tue Feb 17 13:46:03 2026 by llama3.2 3B Q4_K_M