Notepad++ Hijacked for 6 Months by Chinese Hackers in Targeted Supply Chain Attack
TechAI Analysis

Popular text editor Notepad++ was compromised for 6 months by suspected Chinese state hackers who selectively delivered backdoored updates to specific targets, exposing critical vulnerabilities in open-source infrastructure

For six months, millions of developers worldwide unknowingly used a text editor that had become a weapon in the hands of Chinese state hackers.

Notepad++, one of the most trusted alternatives to Windows' basic text editor, revealed Monday that its update infrastructure was completely compromised from June through December 2025. The attackers didn't just break in—they turned the software into a precision instrument for targeted espionage.

The Surgical Strike

This wasn't a spray-and-pray attack. While most users received legitimate updates, the hackers selectively redirected specific targets to malicious servers serving a sophisticated backdoor dubbed Chrysalis. Security firm Rapid7 described it as a "custom, feature-rich backdoor" with capabilities indicating it's "a sophisticated and permanent tool, not a simple throwaway utility."

The precision was chilling. Independent researcher Kevin Beaumont reported that three organizations with East Asian interests experienced "hands-on keyboard" intrusions—meaning hackers gained direct, interactive control of their systems through web interfaces.

Even after Notepad++ regained control of its infrastructure in September, the attackers maintained credentials until December, continuing to redirect selected update traffic to their malicious servers.

The Open Source Paradox

Notepad++ has surged in popularity as Microsoft integrates Copilot AI into Windows Notepad, driving users toward alternatives. But this incident exposes a fundamental paradox: the internet's most critical tools often run on shoestring budgets.

The vulnerability exploited was embarrassingly simple yet devastating. Older versions of Notepad++ used HTTP instead of HTTPS for update checks and relied on self-signed certificates that made tampering detection nearly impossible. The update process—handled by an executable called gup.exe—would check a URL, download an update file to the temporary directory, and execute it with minimal verification.

Beaumont explained the attack vector: "If you can intercept and change this traffic, you can redirect the download to any location by changing the URL in the property. This requires sitting at the ISP level and TLS interception, but for targeted attacks, this is entirely feasible."
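One defender-side check for the weak update path described above, as an added example that is not from the article or the Notepad++ project: it scans constructed proxy log lines for updater requests that use plaintext HTTP or fetch from a host other than the official notepad-plus-plus.org, the two conditions a redirected update would trip. The log format, the "gup" User-Agent marker and the URL paths are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# The only download source the article names as legitimate.
OFFICIAL_HOSTS = {"notepad-plus-plus.org"}

# Constructed proxy log lines, hypothetical format: <timestamp> <client-ip> <method> <url> "<user-agent>"
# (User-Agent strings and URL paths are invented for this example, not the real updater's.)
SAMPLE_LOG = """\
2025-09-01T10:00:01Z 10.0.0.12 GET https://notepad-plus-plus.org/update/check "gup/1.0 (example)"
2025-09-01T10:00:02Z 10.0.0.12 GET https://notepad-plus-plus.org/download/npp.exe "gup/1.0 (example)"
2025-09-01T10:05:17Z 10.0.0.44 GET http://notepad-plus-plus.org/update/check "gup/1.0 (example)"
2025-09-01T10:05:19Z 10.0.0.44 GET http://update-mirror.example/files/npp-update.exe "gup/1.0 (example)"
2025-09-01T10:07:00Z 10.0.0.51 GET https://www.example.org/ "Mozilla/5.0 (example browser)"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')

def is_updater(user_agent: str) -> bool:
    """Assumption: the updater identifies itself with 'gup' in its User-Agent."""
    return "gup" in user_agent.lower()

def classify(url: str) -> list[str]:
    """Return the policy violations for one updater request (empty list means clean)."""
    parsed = urlparse(url)
    reasons = []
    if parsed.scheme != "https":
        reasons.append("plaintext-http")      # the weakness the article describes: tamperable update check
    host = (parsed.hostname or "").lower()
    if host not in OFFICIAL_HOSTS:
        reasons.append("non-official-host")   # download redirected away from the official site
    return reasons

def find_suspicious_updates(log_text: str) -> list[dict]:
    """Scan log lines and report every updater request that violates the policy."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_updater(m["ua"]):
            continue                          # unparseable line or ordinary browser traffic
        reasons = classify(m["url"])
        if reasons:
            findings.append({"ts": m["ts"], "client": m["client"], "url": m["url"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_suspicious_updates(SAMPLE_LOG):
        print(f["ts"], f["client"], f["url"], ",".join(f["reasons"]))
```

A host that is allowed but reached over plaintext HTTP is still flagged, because the article's point is that an on-path attacker can rewrite the download URL in that unauthenticated response.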

Scale Meets Sophistication

What makes this attack particularly concerning is its scale. The hackers needed significant resources to maintain infrastructure-level compromise for six months while selectively targeting victims. This points to state-level capabilities rather than opportunistic cybercriminals.

The attack also highlights how search engines have become attack vectors themselves. Beaumont warned that search results for "Notepad++" are "rammed full" of advertisements pushing trojaned versions, creating additional infection pathways that many users unknowingly navigate.

The Trust Deficit

Users should immediately update to version 8.9.1 or higher, downloaded exclusively from the official notepad-plus-plus.org site. Organizations managing Notepad++ deployments should consider blocking update traffic entirely or restricting internet access for the update process.

But the technical fixes miss the larger question: How do we maintain trust in an ecosystem where critical infrastructure depends on underfunded open-source projects?

Notepad++ developers acknowledged that "the weaknesses that made the six-month compromise possible could easily have been caught and fixed had more resources been available." It's a sobering reminder that the software powering much of our digital world operates on volunteer time and donation-dependent budgets.

This content is AI-generated based on source articles. While we strive for accuracy, errors may occur. We recommend verifying with the original source.