
Two Notepad Attacks in One Week: Your Tools Are the Target

[Image: Notepad CVE-2026-20841. Photo by Marije Bettenhaussen / Unsplash]

Software supply chain attacks more than doubled in 2025, with developer workstations identified as high-value targets across multiple industry reports (ReversingLabs, 2026). In the first two weeks of February 2026, two completely unrelated security incidents hit two different text editors both called "Notepad," exposing how the tools developers trust most are becoming the tools attackers exploit first.

One was a state-sponsored supply chain compromise that ran undetected for six months. The other was a feature-creep vulnerability that turned a simple text file into a remote code execution path. Together, they represent the two ways your developer toolchain becomes an attack surface: through the delivery mechanism and through the tool itself.


Incident 1: Notepad++ Update Server Hijacked for 6 Months

A Chinese state-sponsored group compromised Notepad++ hosting infrastructure between June and December 2025, using it to deliver custom backdoors and Cobalt Strike payloads to targeted organisations.

The attackers did not exploit a vulnerability in Notepad++ code. They compromised the shared hosting provider and hijacked the update mechanism to serve malicious installers. Older versions of Notepad++ did not cryptographically verify that updates came from legitimate sources. That gap gave attackers a clean delivery channel to selected targets across government, finance, and IT sectors in Southeast Asia, Central America, and Australia.

Rapid7's MDR team discovered a previously undocumented backdoor they named Chrysalis during incident response. Kaspersky's GReAT team independently identified three distinct infection chains rotated roughly monthly to evade detection.

The full breakdown of indicators, affected versions, and detection guidance is in our detailed coverage: Notepad++ Compromised for 6 Months: Check Your Version Now.

Incident 2: Windows Notepad Markdown Feature Enables RCE

Two days after the Notepad++ story broke, Microsoft patched CVE-2026-20841, an 8.8-rated remote code execution vulnerability in the Windows Notepad app. Completely different software, completely different attack vector.

Microsoft added Markdown rendering to Notepad in 2025 as part of a broader modernisation push. That feature introduced clickable links, protocol handling, and content rendering behaviours that previously only existed in browsers and document viewers. The problem: Notepad failed to properly sanitise link content before passing it to the operating system for handling.

An attacker crafts a Markdown file with a malicious link. A user opens it in Notepad and clicks the link. Notepad hands an untrusted URI to the system, which launches associated handlers or processes without the standard Windows security prompts. Code executes with the logged-in user's permissions.

Proof-of-concept code is already public on GitHub. Microsoft's fix, delivered through the Microsoft Store as Notepad version 11.2510, adds a warning dialog for non-HTTP links rather than blocking them entirely. The legacy Notepad.exe bundled with Windows is not affected.
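To make the link-handling problem concrete, here is a small scanner, added as an example and not code from Microsoft or from the original post, that does on the gateway side what the patched Notepad now does in the UI: it pulls every link destination out of a Markdown file (inline links, autolinks and reference definitions) and flags any scheme other than http, https or mailto. The Markdown sample, the allowlist and the "link text looks like a web URL but the target is something else" heuristic are all constructed for this example.

```python
"""Flag Markdown links whose destination is not a plain web or mail link (added example)."""
import re
from urllib.parse import urlsplit

# Schemes a text editor can reasonably hand to a browser or mail client.
# Anything else (file:, custom protocol handlers, drive letters) gets flagged.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

INLINE_LINK = re.compile(r'\[([^\]]*)\]\(\s*<?([^\s)>]+)>?(?:\s+"[^"]*")?\s*\)')
AUTOLINK = re.compile(r"<([A-Za-z][A-Za-z0-9+.\-]*:[^\s>]+)>")
REF_DEF = re.compile(r"^ {0,3}\[([^\]]+)\]:\s*(\S+)")


def scheme_of(uri):
    """Lower-cased URI scheme, or '' for relative links such as docs/guide.md."""
    return urlsplit(uri.strip()).scheme.lower()


def scan_markdown(text, allowed=ALLOWED_SCHEMES):
    """Return one finding dict per suspicious link, with the 1-based line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        candidates = []  # (kind, link text, destination)
        ref = REF_DEF.match(line)
        if ref:
            candidates.append(("reference", ref.group(1), ref.group(2)))
        else:
            for m in INLINE_LINK.finditer(line):
                candidates.append(("inline", m.group(1), m.group(2)))
            # Strip inline links first so a [text](<dest>) form is not counted twice.
            for m in AUTOLINK.finditer(INLINE_LINK.sub("", line)):
                candidates.append(("autolink", m.group(1), m.group(1)))
        for kind, label, dest in candidates:
            dest = dest.strip().strip("<>")
            scheme = scheme_of(dest)
            if scheme and scheme not in allowed:
                findings.append({"line": lineno, "kind": kind, "scheme": scheme,
                                 "uri": dest, "reason": "scheme not in allowlist"})
            # Hypothetical heuristic: the visible text is a web URL but the real
            # target uses a different scheme, the classic "looks safe" lure.
            if label.lower().startswith(("http://", "https://")) and scheme_of(label) != scheme:
                findings.append({"line": lineno, "kind": kind, "scheme": scheme,
                                 "uri": dest, "reason": "link text is a web URL but target scheme differs"})
    return findings


# Constructed sample document: two harmless web links, a relative link,
# one mismatched text/target link, and one reference to a custom handler.
SAMPLE_MD = """# Release notes

See the [project site](https://example.com/docs) and email [the team](mailto:dev@example.com).
Autolink: <https://example.com/changelog>
Relative: [style guide](docs/style.md)

Looks safe but is not: [https://example.com/login](file:///C:/Users/Public/notes.txt)

[tracker]: custom-handler:PLACEHOLDER_ARGUMENT "opens a registered protocol handler"
"""

if __name__ == "__main__":
    for f in scan_markdown(SAMPLE_MD):
        print(f"line {f['line']}: {f['kind']} link {f['uri']!r} ({f['scheme']}): {f['reason']}")
```

This is a regex scanner, not a full CommonMark parser, so treat it as a triage filter for the .md attachment flagging discussed below rather than as a complete sanitiser; the allowlist-by-scheme approach is the same decision the patched Notepad makes when it decides whether to warn before handing a link to the OS.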

The vulnerability was reported by appsec engineer Cristian Papa, security researcher Alasdair Gorniak, and a researcher known as "Chen." Microsoft confirmed no known exploitation in the wild at the time of patching.

Two Different Attacks, One Shared Lesson

These incidents are unrelated technically but connected strategically. Both exploit the implicit trust that developers and administrators place in their everyday tools.

The Notepad++ compromise targeted the delivery mechanism. Attackers did not need to find a bug in the software. They compromised the infrastructure that delivered it, weaponising the update process itself. This is the supply chain attack model: why pick one lock when you can poison the key distributor?

The Windows Notepad vulnerability targeted the tool's expanded functionality. Every new feature Notepad gained (Markdown rendering, clickable links, protocol handling) added attack surface that did not exist when it was a plain text editor. This is the feature-creep risk model: useful capabilities introduce security assumptions that nobody tested.


Developer Workstations Are the Blind Spot

Sonatype's 2026 State of the Software Supply Chain report found over 1.2 million malicious open source packages in circulation, with npm as the dominant delivery channel. The Lazarus Group alone published more than 800 malicious packages in 2025, concentrated overwhelmingly in npm because it provides the fastest path from package publication to developer workstation.

Developer machines sit at the intersection of everything attackers want. They hold source code, credentials, API tokens, cloud access keys, and deployment authority. They connect to package registries, internal repositories, CI/CD pipelines, and production environments. And they typically run with the most permissive network policies in the organisation because developers need access to dozens of external services to do their work.

The Notepad++ attackers understood this. Their C2 domains (cdncheck.it.com, safe-dns.it.com, api.wiresguard.com) were chosen specifically to blend into legitimate developer traffic. The Windows Notepad vulnerability exploits the same assumption from the opposite direction: Markdown files are documentation. Developers open documentation constantly. Nobody expects a README to execute code.

ReversingLabs' 2026 report documented attacks that specifically target developer tooling, including IDE extensions that steal credentials and survive reboots, compromised GitHub Actions that leak CI/CD secrets into public build logs, and maintainer account takeovers that push malicious updates through trusted channels.

The consistent pattern is attackers targeting the tools developers already use.

What Defenders Should Do This Week

For the Notepad++ compromise:

Update to version 8.9.1 by downloading directly from notepad-plus-plus.org. Do not rely on the auto-updater if you are running an older version. Hunt for the indicators detailed in our full Notepad++ coverage, particularly temp.sh DNS queries and the whoami/tasklist/systeminfo/netstat command sequence in endpoint logs.

For CVE-2026-20841:

Verify your Windows Notepad version is 11.2510 or later through the Microsoft Store. If your organisation does not manage Store app updates centrally, this patch may not reach endpoints automatically. Consider blocking or flagging .md file attachments at email gateways. Tune EDR rules to alert on Notepad spawning child processes or making outbound network connections.
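The two detection ideas above (Notepad spawning child processes or making outbound connections) and the whoami/tasklist/systeminfo/netstat sequence from the Notepad++ guidance can be written as a few rules over process and network telemetry. The following is an added example, not an EDR vendor's rule set or code from the original post, run over constructed Sysmon-style JSON records; the host names, paths, timestamps, the 10-minute window and the three-distinct-tools threshold are all assumptions chosen for the example.

```python
"""Three endpoint detections for the Notepad incidents, over constructed JSON events (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

EDITORS = {"notepad.exe", "notepad++.exe"}
RECON_TOOLS = {"whoami.exe", "tasklist.exe", "systeminfo.exe", "netstat.exe"}
RECON_WINDOW = timedelta(minutes=10)   # tuning assumption for this example
RECON_MIN_DISTINCT = 3                 # how many different recon tools trigger an alert

# Constructed Sysmon-like records (process creation and network connection),
# one JSON object per line, already sorted by timestamp. Paths are placeholders.
SAMPLE_EVENTS = r"""
{"ts": "2026-02-10T09:00:00", "host": "DEV-01", "type": "process_create", "image": "C:\\Program Files\\Notepad++\\notepad++.exe", "parent": "C:\\Windows\\explorer.exe", "cmd": "notepad++.exe README.md"}
{"ts": "2026-02-10T09:00:05", "host": "DEV-01", "type": "process_create", "image": "C:\\Windows\\System32\\cmd.exe", "parent": "C:\\Program Files\\Notepad++\\notepad++.exe", "cmd": "cmd.exe /c whoami"}
{"ts": "2026-02-10T09:00:06", "host": "DEV-01", "type": "process_create", "image": "C:\\Windows\\System32\\whoami.exe", "parent": "C:\\Windows\\System32\\cmd.exe", "cmd": "whoami"}
{"ts": "2026-02-10T09:00:40", "host": "DEV-01", "type": "process_create", "image": "C:\\Windows\\System32\\tasklist.exe", "parent": "C:\\Windows\\System32\\cmd.exe", "cmd": "tasklist"}
{"ts": "2026-02-10T09:01:10", "host": "DEV-01", "type": "process_create", "image": "C:\\Windows\\System32\\systeminfo.exe", "parent": "C:\\Windows\\System32\\cmd.exe", "cmd": "systeminfo"}
{"ts": "2026-02-10T09:02:00", "host": "DEV-01", "type": "process_create", "image": "C:\\Windows\\System32\\netstat.exe", "parent": "C:\\Windows\\System32\\cmd.exe", "cmd": "netstat -ano"}
{"ts": "2026-02-10T09:05:00", "host": "DEV-01", "type": "network_connect", "image": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsNotepad_PLACEHOLDER\\Notepad.exe", "dest": "203.0.113.10:443"}
{"ts": "2026-02-10T09:30:00", "host": "DEV-02", "type": "process_create", "image": "C:\\Windows\\System32\\whoami.exe", "parent": "C:\\Windows\\System32\\cmd.exe", "cmd": "whoami"}
{"ts": "2026-02-10T10:15:00", "host": "DEV-02", "type": "process_create", "image": "C:\\Windows\\System32\\tasklist.exe", "parent": "C:\\Windows\\System32\\cmd.exe", "cmd": "tasklist"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Lower-cased file name of a Windows path; works on any OS."""
    return PureWindowsPath(path).name.lower()


def detect(events):
    """Apply the three rules; expects events sorted by timestamp."""
    alerts = []
    recon_seen = defaultdict(list)   # host -> [(timestamp, tool)] inside the window
    recon_fired = set()              # alert once per host, not once per command
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        image = basename(ev["image"])
        if ev["type"] == "process_create":
            parent = basename(ev.get("parent", ""))
            # Rule 1: a text editor should not be a parent of anything.
            if parent in EDITORS:
                alerts.append({"rule": "editor_spawned_child", "host": ev["host"], "ts": ev["ts"],
                               "parent": parent, "child": image, "cmd": ev.get("cmd", "")})
            # Rule 2: several distinct recon tools from one host inside the window.
            if image in RECON_TOOLS and ev["host"] not in recon_fired:
                window = [(t, tool) for t, tool in recon_seen[ev["host"]] if ts - t <= RECON_WINDOW]
                window.append((ts, image))
                recon_seen[ev["host"]] = window
                tools = sorted({tool for _, tool in window})
                if len(tools) >= RECON_MIN_DISTINCT:
                    recon_fired.add(ev["host"])
                    alerts.append({"rule": "recon_sequence", "host": ev["host"], "ts": ev["ts"], "tools": tools})
        # Rule 3: a text editor opening an outbound network connection.
        elif ev["type"] == "network_connect" and image in EDITORS:
            alerts.append({"rule": "editor_network_connection", "host": ev["host"], "ts": ev["ts"],
                           "image": image, "dest": ev.get("dest", "")})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

DEV-02 runs two of the recon tools 45 minutes apart, which is what an administrator troubleshooting a box looks like, so the window keeps it quiet; DEV-01 trips all three rules. Notepad++ does legitimately check for updates over the network, so in production rule 3 is best scoped to the Store Notepad package or paired with a destination allowlist.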

For the bigger picture:

Audit your developer workstation security posture. These two incidents highlight that developer endpoints need the same (or stricter) security controls as any other endpoint in the network. Review egress policies, enforce zero trust principles on developer segments, and ensure software update mechanisms across your toolchain use cryptographic verification.

For a deeper look at how supply chain attacks exploit developer trust relationships, see our Gartner supply chain security retrospective and the broader npm security guide.

Summary

Two text editors called "Notepad" hit the security news in the same week for entirely different reasons. One was compromised through its infrastructure. The other was compromised through its features. Both succeeded because developers trust their tools implicitly.

Software supply chain attacks doubled in 2025. Over 1.2 million malicious packages are circulating in open source registries. Developer workstations are the fastest path from initial access to production compromise. These two incidents are not anomalies. They are the pattern.

Your developer toolchain is part of your attack surface. Treat it that way.


Last updated: February 2026

References and Sources

  1. Rapid7 Labs. (2026). The Chrysalis Backdoor: A Deep Dive into Lotus Blossom's Toolkit. Technical malware analysis by Ivan Feigl documenting the backdoor delivered through compromised Notepad++ updates.
  2. Kaspersky GReAT. (2026). The Notepad++ Supply Chain Attack: Unnoticed Execution Chains and New IoCs. Analysis by Georgy Kucherin and Anton Kargin documenting three infection chains.
  3. Microsoft Security Response Center. (2026). CVE-2026-20841 Security Advisory. Vulnerability disclosure and patch guidance for Windows Notepad Markdown RCE. CVSS 8.8.
  4. Help Net Security. (2026). Windows Notepad Markdown feature opens door to RCE. Coverage of CVE-2026-20841 including researcher attribution and exploitation details.
  5. Sonatype. (2026). 2026 State of the Software Supply Chain Report. Over 1.233 million malicious open source packages identified, with npm as dominant delivery channel. 9.8 trillion downloads across major registries.
  6. ReversingLabs. (2026). 2026 Software Supply Chain Security Report. Documentation of attacks targeting developer tooling, IDE extensions, and AI development pipelines. Open source malware up 73%.


