Table of Contents
Is my Notepad++ version safe after the 2025 state hacker attack?
Critical Security Advisory: Notepad++ Supply Chain Compromise
State-sponsored actors successfully compromised the Notepad++ update infrastructure between June and December 2025. If you manage Windows endpoints or use this editor personally, you must verify your current installation immediately. This breach exploited the software’s hosting environment rather than its source code, delivering malware to select targets via the auto-update mechanism.
The Breach Timeline and Mechanics
Investigations confirm that attackers intercepted network traffic destined for notepad-plus-plus.org from June 2025 through December 2, 2025. This was a Man-in-the-Middle (MitM) attack facilitated by a compromise at the project’s former hosting provider.
- The Vector: The attackers gained administrative access to the hosting provider’s shared server. Although they lost server access on September 2, 2025, they retained internal service credentials until December 2, 2025.
- The Exploit: The vulnerability lay in the older WinGUp updater client. It lacked sufficient integrity validation for downloaded files. Attackers exploited this gap to swap legitimate updates with malicious binaries.
- The Payload: Redirected users downloaded the Chrysalis backdoor. Security researchers identified this malware as a tool for persistent access and espionage.
Attribution and Targeting
Security firms, including Rapid7 and Malwarebytes, attribute this campaign to Lotus Blossom (also known as Billbug or Lotus Panda), a threat group aligned with Chinese state interests.
The attack was highly selective. Unlike mass ransomware campaigns, this operation targeted specific IP addresses and user profiles. The attackers filtered traffic, redirecting only high-value targets to malicious update manifests while allowing standard users to download legitimate files. This strategy helped the campaign evade detection for six months.
Technical Analysis and Indicators of Compromise (IoCs)
The compromise triggered alerts when Microsoft Defender’s Attack Surface Reduction (ASR) rules blocked Notepad++ v8.8.3 processes in July 2025. Subsequent forensic analysis by Florian Roth and the Sigma team highlighted specific anomalies in the gup.exe updater process.
Key Detection Signals:
- Process Behavior: gup.exe spawning suspicious child processes or dropping unrecognized files.
- Network Activity: Unusual DNS requests originating from the updater executable.
- File Hash: Presence of the Chrysalis loader on the system.
Detailed YARA rules and Sigma detection configurations are available on GitHub for Security Operations Centers (SOCs) to implement.
Remediation and Actionable Steps
The developer patched the validation vulnerability in Notepad++ version 8.8.9, released on December 9, 2025. This version enforces strict digital signature verification, neutralizing the Man-in-the-Middle vector used in this campaign.
Immediate Recommendations:
- Audit Endpoints: Scan all networked machines for Notepad++ versions prior to 8.8.9.
- Update Immediately: Deploy version 8.8.9 or later to ensure the updater verifies file integrity before execution.
- Review Logs: Cross-reference network logs from June–December 2025 against the IoCs provided by Rapid7 and Florian Roth to confirm no targeted exfiltration occurred.
This incident underscores the importance of verifying software supply chains, even for trusted, open-source utilities.