Notepad++ Compromised for 6 Months: Check Your Version Now
Notepad++ update servers were compromised from June through December 2025 by a Chinese state-sponsored threat group. The attackers hijacked the hosting infrastructure to deliver custom backdoors and Cobalt Strike payloads to targeted organisations across government, finance, and IT sectors.
Many of us use Notepad++ for log analysis, config editing, or code review, so if it is on your workstation you need to verify your installation. Here is what happened, how to check if you are affected, and what defenders should look for.
What Happened
This was not a vulnerability in Notepad++ itself. Attackers compromised the shared hosting provider that hosted the Notepad++ website and update infrastructure. According to the hosting provider's statement, the server was fully compromised until September 2, 2025. Even after losing direct server access, attackers retained credentials to internal services until December 2, 2025, allowing them to continue redirecting update traffic.
The attack specifically targeted the update mechanism. Older versions of Notepad++ did not cryptographically verify that updates actually came from legitimate sources. Attackers exploited this gap to serve malicious installers to selected targets.
Rapid7's MDR team discovered a previously undocumented backdoor they named Chrysalis during incident response on an affected system. Ivan Feigl and the Rapid7 Labs team published detailed malware analysis showing sophisticated capabilities including encrypted C2 communications, multiple persistence mechanisms, and a full interactive reverse shell.
Kaspersky's GReAT team independently identified three distinct infection chains used between July and October 2025. Georgy Kucherin and Anton Kargin documented how attackers rotated their delivery methods, downloaders, and final payloads roughly once per month to avoid detection.
Who Was Targeted
This was a targeted operation, not mass distribution. Kaspersky's telemetry identified attacks against:
- A government organisation in the Philippines
- A financial organisation in El Salvador
- An IT service provider in Vietnam
- Individual users in Vietnam, El Salvador, and Australia
Multiple security researchers assessed the threat actor as Lotus Blossom, a Chinese state-sponsored group active since 2009. The selective targeting explains why most Notepad++ users never encountered the malicious updates.
Why Developer Workstations Are the Blindspot
The C2 domains used in this campaign were deliberately chosen to blend into normal developer traffic: cdncheck.it.com, safe-dns.it.com, api.wiresguard.com, api.skycloudcenter.com. These look like legitimate infrastructure services.
Developer and admin workstations typically have the most permissive network policies in an organisation. They need access to package registries, documentation sites, APIs, and cloud services. This creates exactly the conditions attackers exploited.
What could have helped:
- Zero trust egress policies with domain allowlisting rather than default-allow
- DNS monitoring for unusual resolution patterns or newly registered domains
- Blocking temp.sh which attackers used to exfiltrate system information
- Network segmentation that applies to privileged users, not just general endpoints
The reality is that most organisations do not apply the same network controls to developer workstations that they apply to standard user endpoints. This attack demonstrates why that assumption is dangerous.
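One way to put the DNS monitoring and allowlisting points above into practice, as an added example that is not code from the article, the researchers, or the Notepad++ project: a PowerShell check that classifies resolver log entries from a developer workstation against an explicit allowlist and flags the domains named in this campaign. The allowlist contents, the comma-separated log format, and the sample lines are constructed for the example; on a real host you would feed it your resolver logs or the Windows DNS Client operational log.

```powershell
# Added example: classify DNS queries from a developer workstation as ALLOWED,
# NOT-ALLOWLISTED, or KNOWN-BAD. Default-allow hides the last two categories;
# an allowlist makes them visible.

# Registrable domains a developer workstation is expected to talk to
# (assumption: adjust per team and per toolchain)
$Allowlist = @('notepad-plus-plus.org', 'github.com', 'npmjs.org', 'pypi.org', 'microsoft.com')

# Domains named in the Rapid7 and Kaspersky reports on this campaign
$KnownBad = @('cdncheck.it.com', 'safe-dns.it.com', 'self-dns.it.com',
              'api.wiresguard.com', 'api.skycloudcenter.com', 'temp.sh')

function Get-RegistrableDomain {
    param([string]$Name)
    # Reduce host.sub.example.com to example.com. Assumption: a two-label suffix;
    # suffixes such as co.uk need a public-suffix-list aware implementation.
    $labels = $Name.TrimEnd('.').ToLower().Split('.')
    if ($labels.Count -le 2) { return ($labels -join '.') }
    return ($labels[-2..-1] -join '.')
}

function Test-DnsQuery {
    param([string]$QueryName)
    $name = $QueryName.ToLower().TrimEnd('.')
    # Exact match or any subdomain of a known-bad domain is an incident, not a policy question
    foreach ($bad in $KnownBad) {
        if ($name -eq $bad -or $name.EndsWith(".$bad")) { return 'KNOWN-BAD' }
    }
    if ($Allowlist -contains (Get-RegistrableDomain $name)) { return 'ALLOWED' }
    return 'NOT-ALLOWLISTED'
}

# Constructed sample resolver log: timestamp, source host, queried name
$SampleLog = @'
2025-09-14T09:12:01Z,DEV-WS-07,registry.npmjs.org
2025-09-14T09:12:03Z,DEV-WS-07,github.com
2025-09-14T09:13:40Z,DEV-WS-07,temp.sh
2025-09-14T09:13:41Z,DEV-WS-07,api.wiresguard.com
2025-09-14T09:15:02Z,DEV-WS-07,updates.example-vendor.net
'@

$findings = foreach ($line in ($SampleLog -split "`n")) {
    $ts, $src, $q = $line.Trim() -split ','
    [pscustomobject]@{ Time = $ts; Host = $src; Query = $q; Verdict = (Test-DnsQuery $q) }
}

# Everything that is not ALLOWED deserves a look; KNOWN-BAD means open an incident
$findings | Where-Object Verdict -ne 'ALLOWED' | Format-Table -AutoSize
```

Run against the constructed log, the temp.sh and api.wiresguard.com rows come back as KNOWN-BAD and updates.example-vendor.net as NOT-ALLOWLISTED; the two package-registry queries pass. The point of the allowlist is the middle category: under default-allow, the example-vendor query would never have been looked at.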
How to Check If You Are Affected
Step 1: Check your version
Open Notepad++ and go to Help, then About Notepad++. Any version before 8.8.9 lacked the security enhancements that verify update authenticity.
Step 2: Update immediately
Download version 8.9.1 directly from notepad-plus-plus.org. Do not rely on the auto-updater if you are running an old version. Check the installer's digital signature and compare its checksum against the values published with the release, then run the installer manually to update.
Step 3: Check for indicators of compromise
The infection chains created specific artifacts that defenders can hunt for.
File system indicators:
- NSIS installer temp directory: %localappdata%\Temp\ns.tmp (any NSIS-based installer, including the legitimate Notepad++ one, unpacks into a temp directory of this kind, so treat its presence as a starting point rather than proof and look at what it contains)
- Malicious payload directories: %appdata%\ProShow, %appdata%\Adobe\Scripts, %appdata%\Bluetooth
- Suspicious files: load, alien.ini, BluetoothService in those directories
Network indicators:
- DNS queries to temp.sh (unusual in corporate environments)
- HTTP requests with temp.sh URLs embedded in the User-Agent header
- Connections to: 45.76.155.202, 95.179.213.0, 45.77.31.210
- Domains: cdncheck.it.com, safe-dns.it.com, self-dns.it.com, api.skycloudcenter.com, api.wiresguard.com
Command execution patterns:
The malware executed reconnaissance commands in sequence: whoami, tasklist, systeminfo, netstat -ano. Look for this pattern in endpoint detection logs, particularly when spawned by processes in the Notepad++ directory or %appdata% locations.
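The three steps above as one host triage script, added here as an example and not code from the article, the researchers, or the Notepad++ project. It reports the installed version against the first release with signature verification, looks for the file system artifacts listed above, and flags the reconnaissance command sequence in process-creation records. The install paths, the record layout, and the sample records are assumptions constructed for the example; on a real host, feed the last function Sysmon event 1 or EDR process-creation data with the same three fields.

```powershell
# Added example: host triage for the Notepad++ compromise.

$MinimumSafeVersion = [version]'8.8.9'   # first release that verifies installer signatures

function Get-NppVersion {
    # Default install locations (assumption: add your own deployment path if it differs)
    $candidates = @("$env:ProgramFiles\Notepad++\notepad++.exe",
                    "${env:ProgramFiles(x86)}\Notepad++\notepad++.exe",
                    "$env:LOCALAPPDATA\Programs\Notepad++\notepad++.exe")
    foreach ($exe in $candidates) {
        if (-not (Test-Path $exe)) { continue }
        $vi  = (Get-Item $exe).VersionInfo
        $ver = [version]"$($vi.FileMajorPart).$($vi.FileMinorPart).$($vi.FileBuildPart)"
        return [pscustomobject]@{ Path = $exe; Version = $ver; NeedsUpdate = ($ver -lt $MinimumSafeVersion) }
    }
    return $null   # not installed in a default location
}

function Find-NppArtifacts {
    # Directories and file names the Kaspersky and Rapid7 reports list as indicators
    $dirs  = @("$env:APPDATA\ProShow", "$env:APPDATA\Adobe\Scripts", "$env:APPDATA\Bluetooth")
    $names = @('load', 'alien.ini')
    $hits  = @()
    foreach ($d in $dirs) {
        if (-not (Test-Path $d)) { continue }
        $hits += [pscustomobject]@{ Indicator = 'directory'; Path = $d }
        $files = Get-ChildItem -Path $d -Recurse -Force -File -ErrorAction SilentlyContinue |
                 Where-Object { $names -contains $_.Name -or $_.Name -like 'BluetoothService*' }
        foreach ($f in $files) { $hits += [pscustomobject]@{ Indicator = 'file'; Path = $f.FullName } }
    }
    # NSIS unpacks every installer, genuine or not, into ns<random>.tmp under the local
    # temp folder; a hit only matters if the directory is recent or holds unexpected files
    $tmp = Get-ChildItem -Path "$env:LOCALAPPDATA\Temp" -Directory -Filter 'ns*.tmp' -ErrorAction SilentlyContinue
    foreach ($t in $tmp) { $hits += [pscustomobject]@{ Indicator = 'nsis-temp'; Path = $t.FullName } }
    return $hits
}

function Find-ReconSequence {
    param([object[]]$Events, [int]$WindowSeconds = 600)
    # whoami -> tasklist -> systeminfo -> netstat -ano, in that order, from one parent
    # process that lives under the Notepad++ directory or %appdata%
    $stages = @('whoami(\.exe)?', 'tasklist(\.exe)?', 'systeminfo(\.exe)?', 'netstat(\.exe)?\s+-ano')
    $alerts = @()
    foreach ($group in ($Events | Group-Object ParentImage)) {
        if ($group.Name -notmatch 'Notepad\+\+|\\AppData\\Roaming\\') { continue }
        $i = 0; $start = $null
        foreach ($e in ($group.Group | Sort-Object Time)) {
            # Match the command name whether bare or as a full path, quoted or not
            if ($e.CommandLine -notmatch ('(^|\\|\s|")' + $stages[$i] + '(\s|"|$)')) { continue }
            if ($i -eq 0) { $start = $e.Time }
            elseif (($e.Time - $start).TotalSeconds -gt $WindowSeconds) { $i = 0; $start = $null; continue }
            $i++
            if ($i -eq $stages.Count) {
                $alerts += [pscustomobject]@{ Parent = $group.Name; Start = $start; End = $e.Time }
                $i = 0; $start = $null
            }
        }
    }
    return $alerts
}

# Constructed process-creation records (Sysmon event 1 style), not real telemetry
$parent = 'C:\Users\dev\AppData\Roaming\Bluetooth\BluetoothService.exe'
$SampleEvents = @(
    @{ Time = [datetime]'2025-09-14T09:20:01Z'; ParentImage = $parent; CommandLine = 'C:\Windows\System32\whoami.exe' },
    @{ Time = [datetime]'2025-09-14T09:20:03Z'; ParentImage = $parent; CommandLine = 'tasklist' },
    @{ Time = [datetime]'2025-09-14T09:20:05Z'; ParentImage = $parent; CommandLine = 'systeminfo' },
    @{ Time = [datetime]'2025-09-14T09:20:09Z'; ParentImage = $parent; CommandLine = 'netstat  -ano' },
    @{ Time = [datetime]'2025-09-14T09:25:00Z'; ParentImage = 'C:\Windows\explorer.exe'; CommandLine = 'whoami' }
) | ForEach-Object { [pscustomobject]$_ }

Get-NppVersion | Format-List
Find-NppArtifacts | Format-Table -AutoSize
Find-ReconSequence -Events $SampleEvents | Format-Table -AutoSize
```

On the constructed records the sequence from the %appdata%\Bluetooth parent is reported with its start and end time, while the lone whoami spawned by explorer.exe is ignored. The parent-path filter is what keeps the rule quiet: the four commands are ordinary on an admin workstation, and it is the Notepad++ or %appdata% parent that makes them worth an alert.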
What Changed in the Fix
Version 8.8.9 introduced certificate and signature verification for downloaded installers. The upcoming version 8.9.2, expected within a month, will add XMLDSig signing of the update manifest XML and enforce verification by default.
The core issue was trust without verification. Older versions trusted that anything served from the update URL was legitimate. The fix ensures cryptographic verification of both the update metadata and the installer binary itself.
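Until every installation runs a version that performs this verification itself, the manual equivalent is to check the installer you downloaded before running it. The following is an added example and not code from the article or the Notepad++ project: it compares the file's SHA-256 against a value you supply and checks its Authenticode signature. The download path and file name, the placeholder checksum, and the expected signer subject pattern are assumptions; take the checksum from the file published with the release and confirm the signer subject against a known-good installer.

```powershell
# Added example: verify a manually downloaded installer before executing it.

function Test-NppInstaller {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256,
        # Assumption: confirm the real subject string from a known-good installer
        [string]$ExpectedSubjectPattern = 'CN=Notepad\+\+'
    )
    $result = [ordered]@{ Path = $Path; HashOk = $false; SignatureOk = $false; SignerOk = $false; Signer = $null }

    # 1. Integrity: the hash must match the value published with the release
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $result.HashOk = ($actual -eq $ExpectedSha256)

    # 2. Authenticity: the Authenticode signature must chain to a trusted root
    #    and be intact; a tampered binary reports HashMismatch, an unsigned one NotSigned
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.SignatureOk = ($sig.Status -eq 'Valid')

    # 3. Identity: a valid signature from the wrong publisher is still the wrong installer
    if ($sig.SignerCertificate) {
        $result.Signer   = $sig.SignerCertificate.Subject
        $result.SignerOk = ($result.Signer -match $ExpectedSubjectPattern)
    }
    return [pscustomobject]$result
}

# Assumed download location and file name; replace the checksum placeholder with
# the SHA-256 from the checksum file published alongside the release
$installer = "$env:USERPROFILE\Downloads\npp.8.9.1.Installer.x64.exe"
$check = Test-NppInstaller -Path $installer -ExpectedSha256 '<sha256 from the release checksums>'
$check | Format-List

if ($check.HashOk -and $check.SignatureOk -and $check.SignerOk) {
    Write-Host 'Installer verified: hash, signature and signer all match'
} else {
    Write-Warning 'Installer failed verification; do not run it'
}
```

All three checks have to pass. The hash catches a swapped file regardless of signing, the signature status catches a binary altered after signing, and the signer check catches the case this incident illustrates: an attacker who controls the distribution path can serve a file that is signed, just not by the project.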
The Bigger Picture
This attack follows the same pattern seen in software supply chain compromises across the ecosystem. Attackers target the distribution mechanism rather than the code itself. They compromise update servers, package registries, or build pipelines to reach downstream users who trust those sources.
For a deeper look at supply chain security patterns and defences, see our coverage of npm security threats and the Gartner supply chain security retrospective.
As we have seen many times, the developer toolchain is part of your attack surface. Every software update mechanism represents a trust relationship. If that trust is not verified cryptographically, you are depending on the security of every system between the vendor and your endpoint.
Key Takeaways
- Update to version 8.9.1 immediately by downloading directly from the official site
- Hunt for detection signals including temp.sh DNS queries, the shell command sequence, and suspicious %appdata% directories
- Review egress controls on developer and admin workstations where permissive policies enabled this attack
- Audit update mechanisms in your software deployment pipeline for cryptographic verification
Last updated: February 2026
Frequently Asked Questions
What is the Notepad++ supply chain attack?
A Chinese state-sponsored threat group compromised the hosting provider infrastructure for Notepad++ between June and December 2025. They used this access to redirect update traffic and deliver malware to targeted users.
Is my Notepad++ installation compromised?
Most users were not affected because attackers selectively targeted specific organisations. However, you should update to version 8.9.1 and check for the indicators of compromise listed above if you were running an older version during the compromise period.
What version of Notepad++ is safe?
Version 8.8.9 and later include security enhancements that verify update authenticity. Version 8.9.1 is the current recommended version. Download it directly from notepad-plus-plus.org.
How do I check my Notepad++ version?
Open Notepad++ and click Help, then About Notepad++. The version number appears in the dialog box.
Who discovered the Notepad++ compromise?
Rapid7's MDR team discovered the Chrysalis backdoor during incident response. Kaspersky's GReAT team independently identified multiple infection chains and provided additional indicators of compromise. The Notepad++ development team coordinated disclosure with their hosting provider.
What malware was distributed through Notepad++?
Attackers delivered the custom Chrysalis backdoor and Cobalt Strike Beacon payloads. The Chrysalis backdoor includes capabilities for remote shell access, file operations, and persistent C2 communication.
Were all Notepad++ users affected?
No. The attackers specifically targeted users at government organisations, financial institutions, and IT service providers in Southeast Asia, Central America, and Australia. This was a targeted espionage operation, not mass malware distribution.
References and Sources
- Notepad++ Development Team. (2026). Hijacked Incident Info Update. Official disclosure including hosting provider statement and remediation timeline. https://notepad-plus-plus.org/news/hijacked-incident-info-update/
- Rapid7 Labs. (2026). The Chrysalis Backdoor: A Deep Dive into Lotus Blossom's Toolkit. Technical malware analysis by Ivan Feigl covering initial access, DLL sideloading, and backdoor capabilities. https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
- Kaspersky GReAT. (2026). The Notepad++ Supply Chain Attack: Unnoticed Execution Chains and New IoCs. Analysis by Georgy Kucherin and Anton Kargin documenting three infection chains and comprehensive indicator list. https://securelist.com/notepad-supply-chain-attack/118708/