BACK TO NEWS
ResearchLow

Chinese APT Exploits Notepad++ Supply Chain in Targeted Attack

2 min readSource: Schneier on Security

Notepad++ update infrastructure was compromised for 6 months, delivering malware to selected users via trojanized versions. Update to v8.9.1+ immediately.

Chinese APT Exploits Notepad++ Supply Chain in Targeted Attack

A Chinese state-sponsored threat actor compromised the Notepad++ update infrastructure in a sophisticated supply chain attack, delivering trojanized versions of the popular text editor to selected targets. The breach persisted for nearly six months, with attackers maintaining access to internal services for an additional three months after initial remediation attempts.

Technical Details

The attack exploited insufficient update verification controls in older Notepad++ versions. According to incident responders:

  • The unnamed hosting provider's infrastructure remained compromised until September 2, 2025
  • Attackers retained credentials to internal services until December 2, 2025, enabling continued redirection of update traffic to malicious servers
  • Event logs show failed re-exploitation attempts after vulnerabilities were patched
  • The threat actor specifically targeted Notepad++'s domain to bypass legacy update verification mechanisms

Notepad++ officials confirmed that only versions prior to 8.9.1 are vulnerable to this supply chain attack. The company has not disclosed the total number of affected users but emphasized the attack was "highly targeted" rather than widespread.

Impact Analysis

This incident demonstrates the growing sophistication of supply chain attacks by advanced persistent threats (APTs). Key risks include:

  • Selective targeting: Attackers could deliver malware to specific organizations or individuals while maintaining legitimate updates for others
  • Long-term persistence: The 6-month compromise window allowed for extensive reconnaissance and payload delivery
  • Update hijacking: The ability to redirect update traffic even after initial remediation highlights the challenges of fully securing software distribution channels

Recommendations

Security teams should:

  1. Immediately verify all Notepad++ installations are updated to version 8.9.1 or later
  2. Audit systems for signs of compromise, particularly those running older versions
  3. Review update mechanisms for other critical software to identify similar verification gaps
  4. Monitor for unusual update behavior, such as unexpected redirects or certificate changes
  5. Implement code signing verification for all software updates as a defense-in-depth measure

The Notepad++ team has not released specific indicators of compromise (IOCs) but advises organizations to treat any unexpected update behavior as potentially malicious.

Share

TwitterLinkedIn