Notepad++ Confirms Multi-Month Supply Chain Attack Attributed to Chinese APT Groups
The maintainer of the widely-used open-source text editor Notepad++ has disclosed a sophisticated supply chain attack that compromised the software's update mechanism for several months throughout 2025. In an official security advisory published Monday, Notepad++ lead developer Don Ho confirmed that threat actors, likely affiliated with Chinese state-sponsored groups, successfully hijacked the application's update infrastructure between June and December 2025.
The attribution to Chinese government-backed threat actors is based on comprehensive analysis conducted by cybersecurity researchers, which Ho suggests "would explain the highly selective targeting" observed during the campaign. However, specific metrics regarding the number of affected users or successfully compromised systems remain undisclosed at this time.
Notepad++ represents one of the longest-running open-source initiatives in the software development ecosystem, with over two decades of continuous development and deployment across tens of millions of installations worldwide, including enterprise environments across various sectors.
According to Kevin Beaumont, the security researcher who initially identified and documented the attack vector in December, the threat actors demonstrated precision targeting against a limited number of organizations "with interests in East Asia." Beaumont's analysis indicates that attackers achieved interactive access to compromised endpoints running the malicious Notepad++ builds.
Attack Vector and Technical Details:
While the complete attack chain remains under forensic investigation, Ho provided preliminary technical insights into the compromise methodology. The attackers exploited a software vulnerability in the shared hosting infrastructure that served the Notepad++ website, targeting the application's web domain so that update requests from legitimate users could be redirected to attacker-controlled infrastructure.
This man-in-the-middle technique allowed the adversaries to serve malicious payloads disguised as legitimate software updates to targeted users. The vulnerability was patched in the November release, with attacker access definitively terminated in early December. Post-remediation monitoring revealed attempted re-exploitation of the patched vulnerabilities, though these attempts were unsuccessful following the security updates.
"We do have logs indicating that the bad actor tried to re-exploit one of the fixed vulnerabilities; however, the attempt did not succeed after the fix was implemented," Ho stated in the advisory.
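As an added example (not code from the Notepad++ project or from the advisory), the following Python detector runs over constructed proxy log lines and flags update fetches that left for a host other than the expected one or travelled over cleartext HTTP, the two conditions under which a redirected update request can land on attacker-controlled infrastructure; it also checks a downloaded installer against a hash obtained out of band. The log format, the allowed-host list and the path heuristic for spotting update requests are all assumptions for this example.

```python
import hashlib
import re
from urllib.parse import urlparse

# Hosts permitted to serve Notepad++ update metadata and installers.
# Assumption for this example: the project's own domain plus the GitHub
# release hosts; tighten this to whatever your environment actually allows.
ALLOWED_UPDATE_HOSTS = {"notepad-plus-plus.org", "github.com", "objects.githubusercontent.com"}
# Constructed proxy log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def is_update_fetch(url: str) -> bool:
    """Assumed heuristic (not the updater's real endpoint): path names an installer or update feed."""
    path = urlparse(url).path.lower()
    return "npp" in path and path.endswith((".exe", ".xml"))


def host_allowed(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in ALLOWED_UPDATE_HOSTS)


def find_suspicious_updates(log_lines):
    """Return (timestamp, client, url, reasons) for update fetches that went to an
    unexpected host or over cleartext HTTP; either lets a redirect reach a rogue server."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or not is_update_fetch(m.group(4)):
            continue
        ts, client, _method, url, _status = m.groups()
        parts = urlparse(url)
        reasons = []
        if not host_allowed(parts.hostname or ""):
            reasons.append(f"unexpected host {parts.hostname}")
        if parts.scheme != "https":
            reasons.append("cleartext download")
        if reasons:
            hits.append((ts, client, url, reasons))
    return hits


def installer_matches(data: bytes, expected_sha256: str) -> bool:
    """Compare a downloaded installer with a SHA-256 hash obtained out of band."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


# Constructed sample log lines; the .test domain is a reserved placeholder.
SAMPLE_LOG = [
    "2025-09-14T08:01:12Z 10.0.0.21 GET https://notepad-plus-plus.org/downloads/v8.8.9/npp.8.8.9.Installer.x64.exe 200",
    "2025-09-14T08:03:40Z 10.0.0.22 GET https://cdn-update.example-attacker.test/npp.8.8.5.Installer.x64.exe 200",
    "2025-09-14T08:05:02Z 10.0.0.23 GET http://notepad-plus-plus.org/update/npp-update.xml 200",
    "2025-09-14T08:06:11Z 10.0.0.24 GET https://intranet.example.test/index.html 200",
]
```

Running `find_suspicious_updates(SAMPLE_LOG)` reports the second and third lines (rogue host, then cleartext feed) and ignores the legitimate download and the unrelated intranet request.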
Ho issued a formal apology regarding the incident and strongly recommends all users immediately upgrade to the latest version of Notepad++, which includes comprehensive patches addressing the exploited vulnerabilities.
Broader Supply Chain Security Context:
This incident bears similarities to the 2019-2020 SolarWinds compromise, where Russian state-sponsored threat actors infiltrated the company's build infrastructure and injected backdoors into legitimate software updates. That attack affected numerous Fortune 500 organizations and multiple U.S. government agencies, including the Departments of Homeland Security, Commerce, Energy, Justice, and State, as well as NASA and the Federal Aviation Administration.
The Notepad++ incident underscores the persistent and evolving threat landscape surrounding software supply chain attacks, highlighting the critical importance of secure software development lifecycle practices and update mechanism integrity.
Sources:
Notepad++ Official Security Advisory
Kevin Beaumont's Initial Analysis
Notepad++ v8.8.9 Release Notes
Notepad++ Latest Version Download