Suspected Chinese state-backed hackers pulled off a six-month supply chain attack against Notepad++, hijacking the popular Windows text editor's update infrastructure to deliver a custom backdoor called Chrysalis to select targets. The breach, which lasted from June through December 2025, allowed attackers to intercept update traffic and redirect users to malicious servers, giving them direct control over compromised machines. Developers disclosed the incident Monday, apologizing to affected users and urging everyone to upgrade immediately.
The attack on Notepad++ represents one of the most sophisticated supply chain compromises targeting developer tools in recent memory. Suspected Chinese state hackers didn't just breach a single server - they maintained persistent access to the entire update delivery infrastructure for half a year, selectively weaponizing it against high-value targets.
"I deeply apologize to all users affected by this hijacking," the Notepad++ team wrote in a post published Monday to the official site. The attack began last June with what developers described as an "infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org."
The mechanics of the attack exploited weaknesses in Notepad++'s bespoke updater, known as GUP or WinGUP. The gup.exe executable contacts notepad-plus-plus.org to check for updates, retrieves a download URL from an XML file, and executes whatever it receives. Earlier versions transmitted this traffic over plain HTTP, and even after the switch to HTTPS, the system relied on self-signed certificates, which attackers able to intercept TLS at the ISP level could exploit to redirect the client.
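To make the weakness concrete, here is an added example (not GUP or Notepad++ code) of the checks a hardened updater applies before it runs anything it downloaded: a public-key pin for the update host, an HTTPS-only allowlisted download URL, and a hash check on the installer. The XML manifests, installer bytes, server key and the ALLOWED_HOSTS value are constructed assumptions, loosely modelled on the GUP response the article describes; the real GUP schema and the actual 8.9.x changes are not on the page.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumption: installers may only be fetched from this host, and only over HTTPS.
ALLOWED_HOSTS = {"notepad-plus-plus.org"}

# Constructed stand-ins for the real download and server key (not real artifacts).
INSTALLER = b"constructed installer bytes, not a real Notepad++ build"
SERVER_SPKI = b"constructed SubjectPublicKeyInfo DER, not a real key"


def spki_pin(spki_der: bytes) -> str:
    """Public-key pin as base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


# Pins shipped in the client; an ISP-level interception cert carries a different key.
PINS = {spki_pin(SERVER_SPKI)}


def check_manifest(xml_text: str) -> dict:
    """Validate the update manifest instead of trusting whatever URL it names.
    The manifest is only as trustworthy as the pinned channel it arrived over."""
    root = ET.fromstring(xml_text)
    get = lambda tag: (root.findtext(tag) or "").strip()
    if get("NeedToBeUpdated").lower() != "yes":
        return {"ok": True, "update": False}
    url = urlparse(get("Location"))
    if url.scheme != "https":                      # the old updater allowed plain HTTP
        return {"ok": False, "reason": "non-HTTPS download URL"}
    if url.hostname not in ALLOWED_HOSTS:          # blocks a redirected download host
        return {"ok": False, "reason": f"host not allowed: {url.hostname}"}
    digest = get("SHA256").lower()
    if len(digest) != 64:
        return {"ok": False, "reason": "manifest carries no installer hash"}
    return {"ok": True, "update": True, "version": get("Version"),
            "url": get("Location"), "sha256": digest}


def installer_matches(data: bytes, expected_sha256: str) -> bool:
    """Refuse to execute a download whose hash differs from the manifest value."""
    return hashlib.sha256(data).hexdigest() == expected_sha256


# Constructed manifests, loosely modelled on the <GUP> XML the article describes.
GOOD_MANIFEST = (
    "<GUP><NeedToBeUpdated>yes</NeedToBeUpdated><Version>8.9.1</Version>"
    "<Location>https://notepad-plus-plus.org/npp.exe</Location>"
    f"<SHA256>{hashlib.sha256(INSTALLER).hexdigest()}</SHA256></GUP>")
HIJACKED_MANIFEST = (
    "<GUP><NeedToBeUpdated>yes</NeedToBeUpdated><Version>8.9.1</Version>"
    "<Location>http://update.example.invalid/npp.exe</Location></GUP>")
```

The hash in the manifest only protects the installer if the manifest itself came over a connection whose certificate passed the pin check; without that, a redirected manifest simply carries the attacker's hash.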
What makes this particularly dangerous is the surgical precision involved. Rather than carpet-bombing all Notepad++ users with malware, the attackers redirected only specific targets to malicious update servers. According to independent security researcher Kevin Beaumont, three organizations with interests in East Asia reported "security incidents" involving hands-on keyboard access - meaning hackers took direct control through web-based interfaces after successful compromise.
Rapid7 analyzed the payload and dubbed it Chrysalis, describing it as a "custom, feature-rich backdoor" with capabilities indicating "a sophisticated and permanent tool, not a simple throwaway utility." The backdoor gave attackers extensive control over compromised systems, turning trusted developer workstations into espionage platforms.
The timeline reveals just how long attackers maintained their foothold. While Notepad++ regained control of its infrastructure by September 2, the hackers retained credentials to internal services until December 2, allowing them to continue redirecting update traffic for months after the initial breach was discovered. Event logs show they even attempted to re-exploit vulnerabilities after patches were deployed, though those attempts failed.
Beaumont first raised alarms in December when he noticed version 8.8.8 introduced bug fixes to "harden the Notepad++ Updater from being hijacked to deliver something ... not Notepad++." His suspicions proved prescient - Monday's official disclosure confirmed his working theory down to the technical details about TLS interception and certificate manipulation.
The attack highlights a broader crisis in open source security. Notepad++ has attracted millions of loyal users because it offers features unavailable in Windows' built-in Notepad, and Microsoft's recent push to integrate Copilot AI into Notepad has only driven more users to the alternative editor. Yet like countless open source projects, Notepad++'s funding doesn't match its importance to the development ecosystem.
Making matters worse, Beaumont warned that search engines are "rammed full" of advertisements pushing trojanized versions of Notepad++. Many organizations are unknowingly running compromised copies distributed through malicious ads and fake download sites. A wave of malicious browser extensions masquerading as Notepad++ tools compounds the threat.
The sophisticated nature of this attack - maintaining ISP-level traffic interception for six months, deploying custom backdoors, and targeting specific organizations - bears the hallmarks of state-sponsored espionage. Multiple investigators have tied the campaign to Chinese government hackers, though no formal attribution has been announced.
For enterprise security teams, this incident underscores the vulnerability of developer tools as attack vectors. Compromising a text editor used by programmers can provide access to source code, credentials, and internal systems across an organization. The fact that attackers maintained persistence for half a year suggests they extracted significant intelligence before detection.
The Notepad++ team has worked with their hosting provider and incident responders to secure the infrastructure and investigate the full scope of the breach. They've implemented additional verification controls and certificate pinning to prevent similar attacks, but the damage from six months of selective compromise may take years to fully understand.
This supply chain attack exposes how even widely trusted developer tools can become weapons in the hands of sophisticated state actors. Organizations should immediately audit their Notepad++ installations, upgrade to version 8.9.1 or higher, and check systems against the indicators of compromise published by Rapid7. Beyond the immediate response, this incident demands a broader conversation about funding critical open source infrastructure - the security gaps that enabled six months of compromise could have been prevented with adequate resources. As state-sponsored hacking groups increasingly target software supply chains, the gap between what we depend on and what we fund becomes a national security liability.