Overview
In mid‑2025 a state‑linked Chinese threat group infiltrated the update infrastructure that delivers Notepad++ – a popular Windows text editor – and used it to push a malicious, feature‑rich backdoor dubbed “Chrysalis” to selected victims. The intrusion lasted roughly six months, from June 2025 until the infrastructure was reclaimed in December 2025.
Attack Timeline
- June 2025 – Initial “infrastructure‑level” compromise of the Notepad++ update server.
- June 2025 – September 2025 – Attackers intercept and redirect update traffic to malicious servers.
- September 2, 2025 – Notepad++ discovers the breach, but the attackers retain internal credentials.
- December 2, 2025 – Full control of the infrastructure is restored by Notepad++.
- December 2025 – Independent researcher Kevin Beaumont publishes a theory that matches the later official advisory.
- February 4, 2026 – Wired publishes the detailed investigation.
Technical Details
The compromised component was the proprietary Notepad++ Updater (GUP/WinGUP). The updater contacts the update server, receives a download URL from gup.xml, downloads the installer to %TEMP%, and executes it. Earlier versions used plain HTTP, so the traffic could be intercepted trivially. Even after the switch to HTTPS, attackers could exploit TLS interception at the ISP level or take advantage of the self‑signed certificates used in older releases.
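The flow just described (fetch gup.xml, take the Location it names, download to %TEMP%, run) is exactly where an attacker who controls the update server or the network path substitutes their own installer. The following Python client is an added example, not WinGUP's code and not from the Notepad++ project, showing the checks a hardened updater applies before anything is executed: it parses the manifest, refuses non‑HTTPS or non‑pinned download hosts, and verifies the installer digest against a value that must come from outside the update channel. The manifest element names (NeedToBeUpdated, Version, Location), the pinned host set, the TEST‑NET address in the tampered manifest, the installer bytes and the `fetch` callback are all assumptions constructed for the example.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Callable, Tuple, Union
from urllib.parse import urlparse

# Assumption: the WinGUP manifest (gup.xml) carries NeedToBeUpdated, Version and
# Location elements. Both manifests below are constructed samples, not captured traffic.
GOOD_MANIFEST = """<GUP>
  <NeedToBeUpdated>yes</NeedToBeUpdated>
  <Version>8.9.1</Version>
  <Location>https://notepad-plus-plus.org/update/npp.8.9.1.Installer.x64.exe</Location>
</GUP>"""

# What an on-path attacker could substitute: plain HTTP to an unrelated host (TEST-NET address).
TAMPERED_MANIFEST = """<GUP>
  <NeedToBeUpdated>yes</NeedToBeUpdated>
  <Version>8.9.1</Version>
  <Location>http://203.0.113.10/npp.8.9.1.Installer.x64.exe</Location>
</GUP>"""

# Hosts the client is willing to download from, regardless of what the manifest says.
PINNED_DOWNLOAD_HOSTS = frozenset({"notepad-plus-plus.org"})

# Constructed stand-in for installer bytes so the example runs offline.
SAMPLE_INSTALLER = b"MZ\x90\x00constructed-installer-placeholder"


class UpdateRejected(Exception):
    """Raised whenever the update must not be executed."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(xml_text: str) -> dict:
    """Parse gup.xml into a dict, refusing manifests that lack any required element."""
    root = ET.fromstring(xml_text)
    if root.tag != "GUP":
        raise UpdateRejected(f"unexpected manifest root <{root.tag}>")
    fields = {}
    for name in ("NeedToBeUpdated", "Version", "Location"):
        node = root.find(name)
        if node is None or not (node.text or "").strip():
            raise UpdateRejected(f"manifest missing <{name}>")
        fields[name] = node.text.strip()
    return fields


def validate_download_url(url: str) -> str:
    """Enforce HTTPS and a pinned host; a downgraded or redirected Location fails here."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise UpdateRejected(f"refusing non-HTTPS download URL: {url}")
    if parsed.hostname not in PINNED_DOWNLOAD_HOSTS:
        raise UpdateRejected(f"download host not pinned: {parsed.hostname}")
    return url


def attempt_update(manifest_xml: str,
                   fetch: Callable[[str], bytes],
                   expected_sha256: str) -> Tuple[str, Union[bytes, str, None]]:
    """Return ("ok", installer_bytes) only when every check passes, else ("rejected", reason).

    `fetch` is injected so the example runs offline; a real client would do an HTTPS
    download with certificate validation. `expected_sha256` must come from a channel the
    update server cannot control (for example a digest signed with the project's release key);
    a digest served by the same compromised server proves nothing.
    """
    try:
        fields = parse_manifest(manifest_xml)
        if fields["NeedToBeUpdated"].lower() != "yes":
            return ("ok", None)  # nothing to do
        url = validate_download_url(fields["Location"])
        data = fetch(url)
        # Constant-time digest comparison before anything is written to %TEMP% or executed.
        if not hmac.compare_digest(sha256_hex(data), expected_sha256.lower()):
            raise UpdateRejected("installer digest mismatch; not executing")
        return ("ok", data)
    except (ET.ParseError, UpdateRejected) as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    pinned = sha256_hex(SAMPLE_INSTALLER)
    print(attempt_update(GOOD_MANIFEST, lambda _url: SAMPLE_INSTALLER, pinned)[0])
    print(attempt_update(TAMPERED_MANIFEST, lambda _url: SAMPLE_INSTALLER, pinned))
    print(attempt_update(GOOD_MANIFEST, lambda _url: b"swapped", pinned))
```

The order of the checks matters: the URL is validated before any bytes are fetched, so a downgraded Location never produces a network request, and the digest is checked before the file touches %TEMP%, so a swapped installer is never on disk where the legitimate execute step could pick it up.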
Chrysalis is a custom backdoor with extensive capabilities, giving attackers a web‑based control panel from which they execute commands on compromised machines. Indicators of compromise were later published by Rapid7.
Impact
Three organizations that use Notepad++ reported “hands‑on‑keyboard” incidents, meaning attackers gained direct interactive access to systems. All affected entities have business interests in East Asia, suggesting targeted espionage. The compromised updates potentially reached any user who accepted automatic updates during the breach window.
Mitigation Recommendations
- Upgrade immediately to Notepad++ 8.9.1 or later, downloaded directly from notepad-plus-plus.org.
- Verify the installer's digital signature (GlobalSign as of version 8.8.7).
- For enterprise environments, block outbound traffic from gup.exe and/or notepad++.exe unless required.
- Consider restricting or monitoring access to notepad-plus-plus.org at the firewall level.
- Deploy endpoint detection that can flag the Chrysalis IOCs published by Rapid7.
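The network and endpoint recommendations above can be turned into a concrete correlation rule: the updater should only ever talk to notepad-plus-plus.org over HTTPS, and an installer it launches from %TEMP% is expected only after such a connection. The Python below is an added example, not part of the advisory and not a Rapid7 or Notepad++ artefact, that runs this logic over a few constructed telemetry records. The record schema, the session identifier, the user names, paths and the TEST‑NET destination are all assumptions made for the example; the rule names are invented labels.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Updater binary named in the advisory; the install path is an assumption.
UPDATER_IMAGE = re.compile(r"\\gup\.exe$", re.IGNORECASE)
# Per-user temp directory pattern (assumed default Windows profile layout).
TEMP_DIR = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
ALLOWED_UPDATE_HOSTS = frozenset({"notepad-plus-plus.org"})

# Constructed telemetry in a simplified schema (not any vendor's log format).
# "session" groups the events of one updater run; "net" = outbound connection, "proc" = child process.
EVENTS = [
    {"session": "A", "ts": 1, "type": "net", "image": r"C:\Program Files\Notepad++\updater\gup.exe",
     "dest": "notepad-plus-plus.org", "scheme": "https"},
    {"session": "A", "ts": 2, "type": "proc", "image": r"C:\Program Files\Notepad++\updater\gup.exe",
     "child": r"C:\Users\alice\AppData\Local\Temp\npp.8.9.1.Installer.x64.exe"},
    {"session": "B", "ts": 1, "type": "net", "image": r"C:\Program Files\Notepad++\updater\gup.exe",
     "dest": "203.0.113.10", "scheme": "http"},
    {"session": "B", "ts": 2, "type": "proc", "image": r"C:\Program Files\Notepad++\updater\gup.exe",
     "child": r"C:\Users\bob\AppData\Local\Temp\npp.8.9.1.Installer.x64.exe"},
    # Unrelated process: must not be attributed to the updater rules.
    {"session": "C", "ts": 1, "type": "net", "image": r"C:\Windows\System32\svchost.exe",
     "dest": "203.0.113.10", "scheme": "http"},
]


def is_updater(image: str) -> bool:
    return bool(UPDATER_IMAGE.search(image))


def alert(session: str, severity: str, rule: str, detail: str) -> dict:
    return {"session": session, "severity": severity, "rule": rule, "detail": detail}


def analyze(events: List[dict]) -> List[dict]:
    """Evaluate updater events per session and return the alerts they raise."""
    by_session: Dict[str, List[dict]] = defaultdict(list)
    for ev in events:
        if is_updater(ev["image"]):
            by_session[ev["session"]].append(ev)

    alerts: List[dict] = []
    for session, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        unexpected_hosts: List[str] = []
        for ev in evs:
            if ev["type"] == "net":
                if ev["dest"] not in ALLOWED_UPDATE_HOSTS:
                    unexpected_hosts.append(ev["dest"])
                    alerts.append(alert(session, "high", "updater_unexpected_host", ev["dest"]))
                if ev["scheme"] != "https":
                    alerts.append(alert(session, "medium", "updater_plaintext_http", ev["dest"]))
            elif ev["type"] == "proc" and TEMP_DIR.match(ev["child"]):
                if unexpected_hosts:
                    # Installer execution after contact with an unapproved host: the supply-chain pattern.
                    alerts.append(alert(session, "high", "installer_after_unexpected_host", ev["child"]))
                else:
                    # Expected updater behaviour; keep for audit, do not page anyone.
                    alerts.append(alert(session, "info", "installer_from_temp", ev["child"]))
    return alerts


def summarize(alerts: List[dict]) -> Dict[str, int]:
    """Count alerts by severity."""
    return dict(Counter(a["severity"] for a in alerts))


if __name__ == "__main__":
    for a in analyze(EVENTS):
        print(a)
    print(summarize(analyze(EVENTS)))
```

Session A produces only an informational record, because an installer launched from %TEMP% after an HTTPS connection to the approved host is the normal update path. Session B raises a high-severity alert on the unexpected destination, a medium one on the plaintext transport, and a second high one when the installer runs afterwards; that last correlated rule is the one worth paging on, since either event alone has benign explanations.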
Lessons Learned
The incident highlights the risks inherent in open‑source projects that have limited funding for security hardening. Robust code signing, mandatory HTTPS, and supply‑chain monitoring are essential safeguards. Organizations should treat even widely trusted utilities as potential attack vectors and apply zero‑trust principles to software updates.