Suspected Chinese state-backed hackers pulled off a six-month supply chain attack against Notepad++, hijacking the popular Windows text editor's update infrastructure to deliver a custom backdoor called Chrysalis to select targets. The breach, which lasted from June through December 2025, allowed attackers to intercept update traffic and redirect users to malicious servers, giving them direct control over compromised machines. Developers disclosed the incident Monday, apologizing to affected users and urging everyone to upgrade immediately.
The attack on Notepad++ represents one of the most sophisticated supply chain compromises targeting developer tools in recent memory. Suspected Chinese state hackers didn't just breach a single server - they maintained persistent access to the entire update delivery infrastructure for half a year, selectively weaponizing it against high-value targets.
"I deeply apologize to all users affected by this hijacking," the Notepad++ team wrote in a post published Monday to the official site. The attack began last June with what developers described as an "infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org."
The mechanics of the attack exploited weaknesses in Notepad++'s bespoke updater, known as GUP or WinGUP. The gup.exe executable contacts notepad-plus-plus.org to check for updates, reads the download URL out of an XML response, fetches that file and executes it, with nothing in the chain verifying that the URL or the file is genuine. Earlier versions carried this traffic over plain HTTP; even after the switch to HTTPS, the updater relied on self-signed certificates, which left the exchange open to TLS interception by an attacker positioned upstream, for example at the ISP level.
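The update flow described above trusts the transport and nothing else: whoever controls the server, or sits between the client and the server, controls what gets executed. The countermeasure a practitioner would want to see is an updater that authenticates the update content itself, so that a compromised host or an intercepted TLS session still cannot hand it a URL or a binary of the attacker's choosing. The Go program below is an added example written for this page; it is not GUP's code, and the `<update>` manifest layout, the host names and the function names are assumptions made for the illustration. The publisher signs the manifest with an Ed25519 key that lives only on the release machine; the updater verifies that signature against a pinned public key before it reads any URL, then checks the downloaded installer against the digest in the signed manifest before it would execute anything.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor invented for this example. It carries
// the one thing the article says GUP reads from its XML (a download location) plus a
// digest of the installer so the payload can be checked too. It is not GUP's schema.
type Manifest struct {
	XMLName  xml.Name `xml:"update"`
	Version  string   `xml:"version"`
	Location string   `xml:"location"`
	SHA256   string   `xml:"sha256"`
}

// BuildSignedManifest is the publisher side. It runs on the release machine that holds
// the private key, never on the web server that serves updates. It returns the manifest
// bytes exactly as they will be served and a detached Ed25519 signature over them.
func BuildSignedManifest(priv ed25519.PrivateKey, version, location string, installer []byte) (raw, sig []byte, err error) {
	sum := sha256.Sum256(installer)
	raw, err = xml.Marshal(Manifest{Version: version, Location: location, SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return nil, nil, err
	}
	return raw, ed25519.Sign(priv, raw), nil
}

// VerifyManifest is the updater side. The signature is checked against the pinned public
// key before the XML is parsed, so a server or interceptor that rewrites <location> gets
// nothing: without the private key it cannot produce a signature that verifies.
func VerifyManifest(pub ed25519.PublicKey, raw, sig []byte) (*Manifest, error) {
	if len(pub) != ed25519.PublicKeySize {
		return nil, errors.New("pinned public key has the wrong size")
	}
	if !ed25519.Verify(pub, raw, sig) {
		return nil, errors.New("manifest signature invalid: ignoring every URL in it")
	}
	var m Manifest
	if err := xml.Unmarshal(raw, &m); err != nil {
		return nil, fmt.Errorf("manifest parse: %w", err)
	}
	digest, err := hex.DecodeString(m.SHA256)
	if err != nil || len(digest) != sha256.Size {
		return nil, errors.New("manifest carries no usable sha256 digest")
	}
	return &m, nil
}

// VerifyPayload checks the downloaded installer against the digest from the already
// verified manifest. Only after this returns nil may the updater execute the file.
func VerifyPayload(m *Manifest, installer []byte) error {
	want, err := hex.DecodeString(m.SHA256)
	if err != nil {
		return err
	}
	sum := sha256.Sum256(installer)
	if !bytes.Equal(sum[:], want) {
		return errors.New("installer digest mismatch: refusing to execute")
	}
	return nil
}

func main() {
	// Constructed demo key pair; in a real updater only pub would ship inside the binary.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	installer := []byte("constructed installer bytes, not a real binary")
	raw, sig, err := BuildSignedManifest(priv, "8.9.0", "https://updates.example.invalid/npp.exe", installer)
	if err != nil {
		panic(err)
	}

	m, err := VerifyManifest(pub, raw, sig)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine manifest accepted, download from:", m.Location)
	fmt.Println("genuine installer:", VerifyPayload(m, installer))

	// An interceptor rewrites the location to its own host; the signature no longer matches.
	hijacked := bytes.ReplaceAll(raw, []byte("updates.example.invalid"), []byte("attacker.invalid"))
	_, err = VerifyManifest(pub, hijacked, sig)
	fmt.Println("hijacked manifest:", err)

	// The server swaps the installer itself; the digest check catches it.
	fmt.Println("swapped installer:", VerifyPayload(m, []byte("backdoored bytes")))
}
```

The point of the design is that the update host never needs to be trusted: an infrastructure-level compromise of the kind described above yields the attacker the ability to serve bytes, not the ability to sign them, as long as the signing key is kept off that infrastructure. TLS certificate pinning is a complementary layer that protects the channel, but on its own it does nothing once the server itself is under attacker control. Two things the example deliberately leaves out, and which a production updater also needs, are rollback protection (refusing a validly signed manifest older than the installed version) and a key rotation path for the pinned public key.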
What makes this particularly dangerous is the surgical precision involved. Rather than carpet-bombing all Notepad++ users with malware, the attackers redirected only specific targets to malicious update servers. According to independent security researcher Kevin Beaumont, three organizations with interests in East Asia reported "security incidents" involving hands-on keyboard access - meaning hackers took direct control through web-based interfaces after successful compromise.