Infrastructure Compromise
Between June and December 2025, attackers breached the shared hosting environment used to deliver Notepad++ updates, targeting the WinGUp updater component.
Selective Redirection Model
Rather than infecting all users, attackers implemented IP-based filtering. High-value organizations in telecom, government, and financial sectors across Southeast Asia and Europe were redirected to attacker-controlled servers, while others received legitimate updates.
Execution Technique
The malicious package leveraged DLL side-loading, abusing a digitally signed binary to load a malicious DLL and bypass EDR controls.
Backdoor Deployment
The Chrysalis backdoor established persistence through disguised Windows services and hidden directories, enabling long-term access.
Operational Impact
The compromise enabled remote command execution, credential harvesting, data staging and exfiltration, and included a self-delete mechanism to evade forensic analysis. The selective targeting allowed the campaign to remain undetected for several months.
Validate Installation Integrity
Confirm Notepad++.exe is digitally signed by “Notepad++” and the signature is valid. If invalid or missing, treat the system as compromised.
(Ref: MITRE ATT&CK M1051)
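One way to carry out this check on a Windows host, as an added example that is not part of the advisory: it uses Get-AuthenticodeSignature to verify notepad++.exe against both conditions above (valid signature, signer "Notepad++") and then lists every binary in the install directory that is not validly signed by Notepad++, which is the condition DLL side-loading relies on. The install path and the assumption that the signing certificate subject contains "Notepad++" are mine; adjust them for your environment.

```powershell
# Added example, not from the advisory. Assumed default install location; change as needed.
$InstallDir = 'C:\Program Files\Notepad++'
$MainBinary = Join-Path $InstallDir 'notepad++.exe'

function Test-NotepadPlusPlusSignature {
    param([string]$Path = $MainBinary)

    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{ Path = $Path; Result = 'MISSING'; Status = $null; Signer = $null }
    }
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate.Subject
    # Both advisory conditions: the signature chain validates AND the signer is Notepad++.
    # Matching on the certificate subject text is an assumption about the cert layout.
    $ok = ($sig.Status -eq 'Valid') -and ($signer -match 'Notepad\+\+')
    [pscustomobject]@{
        Path   = $Path
        Result = if ($ok) { 'OK' } else { 'SUSPECT' }
        Status = $sig.Status
        Signer = $signer
    }
}

# 1. Main binary: anything other than OK is treated as a compromised host per the advisory.
$main = Test-NotepadPlusPlusSignature
$main | Format-List
if ($main.Result -ne 'OK') {
    Write-Warning "notepad++.exe failed validation ($($main.Result)): isolate, reimage, rotate credentials."
}

# 2. Side-loading review: a signed EXE loading an unsigned or foreign-signed DLL from its own
#    directory is the technique described above. List every EXE/DLL under the install tree that
#    is not validly signed by Notepad++ so an analyst can review it (third-party plugins will
#    legitimately appear here, so this is a review list, not an automatic verdict).
Get-ChildItem -Path $InstallDir -Recurse -File -Include *.dll, *.exe |
    ForEach-Object {
        $s = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File   = $_.FullName
            Status = $s.Status
            Signer = $s.SignerCertificate.Subject
        }
    } |
    Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'Notepad\+\+' } |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session on each host you want to validate; the second listing is the one to feed into the DLL side-loading investigation.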
Respond to Confirmed Compromise
Isolate the affected host, reimage the system, and rotate all credentials accessed or stored on the device.
Strengthen Preventative Controls
Enforce MFA across corporate domains and critical third-party tools, implement registrar locks at the DNS provider level, and maintain an authorized software list to ensure downloads only occur from verified sources.
References
https://notepad-plus-plus.org/news/hijacked-incident-info-update/
https://thehackernews.com/2026/02/notepad-official-update-mechanism.html