Notepad++ update system was hijacked to deliver backdoored releases

Ars Technica
Notepad++ developers disclosed that attackers controlled the app’s update delivery infrastructure for about six months starting in June, selectively redirecting some users to malicious servers that served backdoored updates until control was restored in December.
What happened
According to a post on the official notepad-plus-plus.org site, the incident involved an infrastructure-level compromise that enabled interception and redirection of update traffic intended for notepad-plus-plus.org. Multiple investigators linked the activity to suspected China state-backed actors. The compromise enabled targeted delivery of a previously unseen backdoor payload dubbed “Chrysalis,” which Rapid7 described as a custom, feature-rich backdoor. Notepad++ said the hosting provider for the update infrastructure worked with incident responders and determined the environment remained compromised until September 2, and that Notepad++ regained control in December.

Why it matters

  • Supply-chain trust for a widely used Windows tool is undermined: Because the compromise affected the update channel rather than end-user behavior, organizations that allow Notepad++ updates may need to treat installed versions as potentially untrusted for the affected period.

  • Targeted redirection suggests selective victimization rather than broad infection: The use of selective update redirection indicates the operation was designed to reach specific users, complicating detection based on mass telemetry and increasing the value of endpoint-level forensics.

  • A new, full-featured backdoor raises remediation requirements: A “permanent tool” backdoor implies responders may need to assume persistence and credential exposure, not just a one-time malicious installer event.
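A host-level triage script written for this page as an added example (it is not code from Ars Technica, Rapid7 or the Notepad++ project). It inventories Notepad++ installations on a Windows endpoint and records what a responder needs before deciding whether a copy must be reinstalled from a verified-clean source: install path, file version, last-write time, Authenticode signature status, signer and SHA-256. Everything about locations is an assumption: the usual Program Files, Program Files (x86) and %LOCALAPPDATA%\Programs roots, plus the InstallLocation recorded under an uninstall registry entry named "Notepad++". The article gives the affected window only as June through December, without a year, so the year is a parameter and defaults to the current one.

```powershell
<#
  Added triage example (written for this page, not code from Ars Technica or
  the Notepad++ project).  Inventories Notepad++ installs on a Windows host
  and records what a responder needs to decide whether a copy must be
  reinstalled from a verified-clean source.

  Assumptions, all adjustable:
    - notepad++.exe lives under the usual Program Files / Program Files (x86)
      / %LOCALAPPDATA%\Programs roots, or wherever the uninstall entry's
      InstallLocation points (the entry name "Notepad++" is assumed).
    - The affected window is June through December of -Year; the article
      does not state the year, so the default is the current year.
    - A binary written inside the window, or whose signature does not verify,
      is flagged for review.  A valid signature alone does not prove a copy
      is clean; compare the SHA-256 against a reference obtained out of band.
#>
param(
    [int]$Year = (Get-Date).Year
)

$windowStart = [datetime]::new($Year, 6, 1)
$windowEnd   = [datetime]::new($Year, 12, 31, 23, 59, 59)

# Candidate executable paths: default install roots plus any InstallLocation
# the installer recorded in the Uninstall registry keys.
$paths = [System.Collections.Generic.List[string]]::new()

$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, (Join-Path $env:LOCALAPPDATA 'Programs')) |
    Where-Object { $_ }
foreach ($root in $roots) {
    $paths.Add((Join-Path $root 'Notepad++\notepad++.exe'))
}

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Notepad++',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Notepad++',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Notepad++'
)
foreach ($key in $uninstallKeys) {
    if (Test-Path -LiteralPath $key) {
        $props = Get-ItemProperty -LiteralPath $key
        if ($props.InstallLocation) {
            $paths.Add((Join-Path $props.InstallLocation 'notepad++.exe'))
        }
    }
}

$results = foreach ($exe in ($paths | Select-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $exe)) { continue }

    $item   = Get-Item -LiteralPath $exe
    $sig    = Get-AuthenticodeSignature -FilePath $exe
    $hash   = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    [pscustomobject]@{
        Path            = $exe
        FileVersion     = $item.VersionInfo.FileVersion
        LastWriteTime   = $item.LastWriteTime
        WrittenInWindow = ($item.LastWriteTime -ge $windowStart -and $item.LastWriteTime -le $windowEnd)
        SignatureStatus = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer          = $signer
        Sha256          = $hash
    }
}

if (-not $results) {
    Write-Output 'No Notepad++ installation found at the assumed locations.'
    return
}

$results | Format-Table -AutoSize

# Anything written during the window, or whose signature does not verify,
# goes to the review list.  Export it so the hashes can be compared with a
# known-good reference and retained as evidence.
$reviewPath = Join-Path $env:TEMP 'npp-triage.csv'
$review = $results | Where-Object { $_.WrittenInWindow -or $_.SignatureStatus -ne 'Valid' }
if ($review) {
    $review | Export-Csv -NoTypeInformation -Path $reviewPath
    Write-Warning ("{0} installation(s) need review; details in {1}" -f @($review).Count, $reviewPath)
}
```

Run it with `-Year` set to the year under investigation; the CSV it leaves in %TEMP% is the artifact to hand to whoever holds the reference hashes. Because the article describes selective redirection rather than mass infection, an unremarkable result on one host says nothing about the others, so the script is meant to be pushed fleet-wide and the exports aggregated.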
