Between June and December 2025, a sophisticated supply chain attack targeted the official update system of Notepad++. This incident allowed attackers to deliver spyware to specific users by hijacking the project's infrastructure.
Quick Summary
The breach did not involve a flaw in the Notepad++ code itself. Instead, attackers compromised the shared hosting provider where the project was located.
They used this access to redirect update requests to malicious servers. Affected users received a custom backdoor named Chrysalis instead of a legitimate software patch.
How the Attack Occurred
The compromise took place at the infrastructure level. Notepad++ was hosted on a shared server. This means it shared space with other websites. Attackers gained access to the server and intercepted update requests from the WinGUp updater tool.
The Technical Gap
Older versions of Notepad++ did not verify the security certificates or signatures of the files they downloaded. The updater simply trusted the URL provided by the server. Attackers swapped the real download link with a link to their own malicious server.
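To make that gap concrete, here is an added illustration (not WinGUp or Notepad++ code) of the two client behaviours side by side: an updater that follows whatever Location the server returns, and one that first verifies an XMLDSig enveloped signature on the manifest against a pinned release key, which is the kind of verification the project's newer releases enforce, and then accepts only an HTTPS URL on an allow-listed host (the allow-list is an extra defence-in-depth assumption of this example, not something the article attributes to the project). The manifest layout, element names, URLs, allow-listed host and demo key are all constructed; the script targets Windows PowerShell 5.1, where SignedXml ships in the .NET Framework's System.Security assembly.

```powershell
# Added example (not WinGUp or Notepad++ code): trusting the server's <Location> versus
# verifying an XMLDSig enveloped signature against a pinned release key before following it.
# Manifest layout, element names, URLs, allow-listed host and the demo key are constructed.
# Targets Windows PowerShell 5.1 (.NET Framework 4.6.2+), where SignedXml ships in System.Security.
Add-Type -AssemblyName System.Security

$allowedHosts = @('notepad-plus-plus.org')    # assumption: the only host the client will download from

# Constructed manifest in the spirit of an update response (element names are an assumption).
$manifestText = @'
<GUP>
  <NeedToBeUpdated>yes</NeedToBeUpdated>
  <Version>8.9.1</Version>
  <Location>https://notepad-plus-plus.org/downloads/EXAMPLE/npp.8.9.1.Installer.x64.exe</Location>
</GUP>
'@

function New-SignedManifest([string]$xmlText, [System.Security.Cryptography.RSA]$releaseKey) {
    # Vendor side: wrap the manifest in an enveloped XMLDSig signature made with the release key.
    $doc = [System.Xml.XmlDocument]::new()
    $doc.PreserveWhitespace = $true
    $doc.LoadXml($xmlText)
    $signed = [System.Security.Cryptography.Xml.SignedXml]::new($doc)
    $signed.SigningKey = $releaseKey
    $ref = [System.Security.Cryptography.Xml.Reference]::new()
    $ref.Uri = ''                                                  # reference the whole document
    $ref.AddTransform([System.Security.Cryptography.Xml.XmlDsigEnvelopedSignatureTransform]::new())
    $signed.AddReference($ref)
    $signed.ComputeSignature()
    $doc.DocumentElement.AppendChild($doc.ImportNode($signed.GetXml(), $true)) | Out-Null
    return $doc.OuterXml
}

function Get-LocationUnverified([string]$xmlText) {
    # The old behaviour: parse the response and trust whatever URL it names.
    return ([xml]$xmlText).GUP.Location
}

function Get-LocationVerified([string]$xmlText, [System.Security.Cryptography.RSA]$pinnedPublicKey, [string[]]$allowed) {
    # The hardened behaviour: refuse the URL unless the manifest carries a valid signature
    # from the pinned key, and even then accept only HTTPS on an allow-listed host.
    $doc = [System.Xml.XmlDocument]::new()
    $doc.PreserveWhitespace = $true
    $doc.LoadXml($xmlText)
    $sigNodes = $doc.GetElementsByTagName('Signature', 'http://www.w3.org/2000/09/xmldsig#')
    if ($sigNodes.Count -ne 1) { throw 'Manifest is not signed exactly once; refusing to update.' }
    $signed = [System.Security.Cryptography.Xml.SignedXml]::new($doc)
    $signed.LoadXml([System.Xml.XmlElement]$sigNodes.Item(0))
    # Check against the pinned key only, never against a key carried inside the manifest itself.
    if (-not $signed.CheckSignature($pinnedPublicKey)) { throw 'Manifest signature invalid; refusing to update.' }
    $location = $doc.DocumentElement.SelectSingleNode('Location').InnerText
    $uri = [System.Uri]$location
    if ($uri.Scheme -ne 'https' -or $allowed -notcontains $uri.Host) {
        throw "Download location $location is not HTTPS on an allow-listed host; refusing to update."
    }
    return $location
}

# Demo key pair: the private half stays with the vendor, the public half is pinned in the client.
$releaseKey = [System.Security.Cryptography.RSACryptoServiceProvider]::new(2048)
$pinnedKey  = [System.Security.Cryptography.RSACryptoServiceProvider]::new()
$pinnedKey.ImportParameters($releaseKey.ExportParameters($false))

$signedManifest = New-SignedManifest $manifestText $releaseKey

# 1. Genuine manifest: the verified path returns the real download URL.
Get-LocationVerified $signedManifest $pinnedKey $allowedHosts

# 2. Hijacked manifest: whoever controls the hosting server swaps <Location> for their own server
#    (constructed URL). The old path follows it; the verified path rejects it because the digest
#    covered by the signature no longer matches the document.
$hijacked = $signedManifest -replace 'https://notepad-plus-plus\.org/[^<]*', 'https://attacker.invalid/update.exe'
Get-LocationUnverified $hijacked
try { Get-LocationVerified $hijacked $pinnedKey $allowedHosts } catch { Write-Warning $_.Exception.Message }
```

The point of the second function is the ordering: the signature is checked before any value from the manifest is used, and the key it is checked against is shipped with the client rather than read from the response, so a server that has been taken over cannot simply re-sign a modified manifest with a key of its own.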
Targeted Espionage
This was not a mass infection of millions of users. Security firms like Rapid7 and Kaspersky found the attack was "highly selective". The attackers manually chose specific targets in the government, financial, and telecommunications sectors.
WARNING: If you are running any version of Notepad++ older than 8.9.1, do not use the built-in "Check for Updates" feature. This mechanism was the primary path for the infection.
The Malware: Chrysalis
The primary payload was a previously undocumented backdoor called Chrysalis. This malware allowed attackers to perform several actions on a victim's machine:
- Remote Shell: It created an interactive command-line shell for full remote control.
- File Theft: It could read, write, and exfiltrate files back to the attackers.
- Reconnaissance: It collected information about the system, user accounts, and running processes.
- Persistence: It created Windows services to ensure it remained active after a reboot.
To hide, the malware used DLL sideloading. This is a technique where a legitimate, trusted programme is tricked into loading a malicious library. In this case, the attackers abused a renamed Bitdefender tool to load the spyware.
Practical Verification: Is Your System Compromised?
Security researchers have identified several Indicators of Compromise (IoCs). Check your system for the following signs:
- Strange Folders: Look for a directory named Bluetooth inside your %AppData% folder. (Note: This is a hidden folder used by the malware, not the legitimate Windows Bluetooth service.)
- Suspicious Files: Check your temporary files folder for AutoUpdater.exe or update.exe. Legitimate Notepad++ updates do not use these filenames.
- Network Activity: Monitor for connections to the IP address 95.179.213.0 or the domain api.skycloudcenter.com.
- Unknown Processes: Look for BluetoothServices.exe running in Task Manager.
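The following read-only triage script is an added example, not from the Notepad++ project or the researchers cited here; it checks a Windows host for exactly the indicators listed above (the same ones the FAQ repeats below). The folder, file names, process name, IP address and domain are taken from the article; the service check is a heuristic of mine, since the article says services were created but names none, so it looks for services whose binary lives in the staging folder or is the sideloading host. Finding none of these indicators is not proof the host is clean.

```powershell
# Added read-only triage script for the Chrysalis indicators listed in the article.
# Indicator values come from the article; the service check is a heuristic of the example author.
# Run in an elevated Windows PowerShell session; nothing on the host is modified.

$findings = [System.Collections.Generic.List[string]]::new()
$c2Ip     = '95.179.213.0'
$c2Domain = 'api.skycloudcenter.com'

# 1. Staging directory: %AppData%\Bluetooth (malware folder, unrelated to the Windows Bluetooth service)
$stagingDir = Join-Path $env:APPDATA 'Bluetooth'
if (Test-Path -LiteralPath $stagingDir) {
    $findings.Add("Directory present: $stagingDir")
    foreach ($f in (Get-ChildItem -LiteralPath $stagingDir -Force -Recurse -File -ErrorAction SilentlyContinue)) {
        $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        $findings.Add("  file: $($f.FullName)  $($f.Length) bytes  modified $($f.LastWriteTime)  SHA256 $hash")
    }
}

# 2. Dropped updater look-alikes in the temp folders
$tempDirs = @($env:TEMP, $env:TMP, "$env:SystemRoot\Temp") | Where-Object { $_ } | Select-Object -Unique
foreach ($dir in $tempDirs) {
    foreach ($name in 'AutoUpdater.exe', 'update.exe') {
        foreach ($f in (Get-ChildItem -LiteralPath $dir -Filter $name -Recurse -Force -File -ErrorAction SilentlyContinue)) {
            $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
            $findings.Add("Suspicious file: $($f.FullName)  SHA256 $hash")
        }
    }
}

# 3. The renamed Bitdefender binary used as the DLL sideloading host
foreach ($p in (Get-Process -Name 'BluetoothServices' -ErrorAction SilentlyContinue)) {
    $findings.Add("Process running: BluetoothServices.exe  PID $($p.Id)  path $($p.Path)")
}

# 4. Network: live connections to the C2 address, and DNS cache entries for the C2 domain
foreach ($c in (Get-NetTCPConnection -RemoteAddress $c2Ip -ErrorAction SilentlyContinue)) {
    $findings.Add("Connection to ${c2Ip}:$($c.RemotePort) from PID $($c.OwningProcess)  state $($c.State)")
}
foreach ($e in (Get-DnsClientCache -ErrorAction SilentlyContinue |
                Where-Object { $_.Entry -like "*$c2Domain*" -or $_.Data -eq $c2Ip })) {
    $findings.Add("DNS cache: $($e.Entry) -> $($e.Data)")
}

# 5. Persistence (heuristic): services whose binary lives in the staging folder or is the sideloading host
foreach ($s in (Get-CimInstance Win32_Service |
                Where-Object { $_.PathName -like '*\Bluetooth\*' -or $_.PathName -like '*BluetoothServices.exe*' })) {
    $findings.Add("Service: $($s.Name)  start=$($s.StartMode)  path=$($s.PathName)")
}

if ($findings.Count -eq 0) {
    Write-Output 'None of the listed Chrysalis indicators were found (absence of indicators is not proof the host is clean).'
} else {
    Write-Warning "$($findings.Count) Chrysalis indicator(s) found. Isolate the host and preserve this evidence before remediating."
    foreach ($line in $findings) { Write-Output $line }
}
```

The script hashes every file it flags so the values can be compared against vendor reports or submitted for analysis, and it checks the DNS cache as well as live connections because a beacon that ran earlier leaves a cache entry even after its socket is closed.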
Limitations and Risks
Even if you run a malware scan today, it may not find everything.
- Attacker Persistence: Attackers remained active for six months. If they gained "hands-on-keyboard" access, they may have moved to other parts of your network.
- Undiscovered Chains: Researchers believe there may be other infection chains that have not yet been publicly identified.
- Detection Gaps: Some security tools may miss Chrysalis because it uses advanced obfuscation techniques like Microsoft Warbird.
Common Mistakes
- Relying on "Clean" Scans: A basic antivirus scan might not detect a nation-state backdoor. If you are a high-value target, a full OS reinstall is the safest path.
- Updating via the App: Using the built-in updater on older versions could re-trigger the redirection if the old hosting infrastructure is still cached.
- Ignoring Old Versions: Users often think old software is "safer" because it doesn't change. In this case, failing to update left the door open for months.
Frequently Asked Questions
1. Am I affected by the Notepad++ breach?
You are potentially affected if you used the built-in auto-updater (WinGUp) between June and December 2025. Specifically, versions prior to 8.8.9 lacked the certificate verification required to block this attack.
2. How to check for Chrysalis Malware?
List of Indicators of Compromise (IoCs) mentioned by Rapid7 and Kaspersky:
- Directory: %AppData%\Bluetooth (this is a hidden folder created by the malware).
- Files: update.exe or AutoUpdater.exe in the Temp folder.
- Process: BluetoothServices.exe (a renamed Bitdefender tool used for DLL sideloading).
- Network: Connections to api.skycloudcenter.com or IP 95.179.213.0.
3. What to do if your system is affected by the malware?
The Recommended Solution: Do not rely on the internal updater of older versions.
- Manually download Notepad++ version 8.9.1 or higher from the official notepad-plus-plus.org website.
- Verify the signature: new versions (v8.9.2+) enforce mandatory XML and installer signature verification (XMLDSig).
Conclusion
Notepad++ has moved to a new hosting provider with better security. Version 8.9.1 and higher include mandatory signature verification, making this specific attack nearly impossible to repeat.
When to Use: Notepad++ remains a powerful, lightweight tool for developers and sysadmins. If you are running the latest version, the current infrastructure is secure.
When to Reconsider: If you work in a high-security environment and cannot guarantee manual updates, consider editors with managed distribution paths, such as those found in the Microsoft Store or via central package managers.
If you're currently using Notepad++, check which version you are running. Manual updates are mandatory; more importantly, verify your files.
Stay secure.