Notepad++ Hack Reveals Six-Month Backdoor Breach Targeting Millions of Users
Notepad++, one of Windows’ most widely used text editors, has confirmed a major security breach after its update infrastructure was compromised for nearly six months.
Developers say suspected China state–linked actors hijacked update traffic, delivering backdoored versions of the app to carefully selected targets.
How the Breach Happened
The compromise began in June 2025 at the infrastructure level. Attackers intercepted and redirected update requests intended for official Notepad++ servers, routing some users to rogue servers.
The project regained full control of the compromised infrastructure only in December 2025, which let the malicious activity go unnoticed for months.
Sophisticated Espionage Tool in the Form of Chrysalis Backdoor
Security researchers uncovered a previously unknown payload named Chrysalis, described by Rapid7 as a feature-rich, custom backdoor.
Its capabilities suggest a tool designed for long-term espionage, not simple malware. In several cases, attackers gained “hands-on keyboard” access, enabling real-time control of infected systems.
Updater Exploited Through Weak Verification
According to Ars Technica, the attackers exploited older versions of Notepad++’s updater, GUP/WinGUP, which relied on less robust verification methods.
By intercepting traffic, they altered download URLs and served malicious files. The incident exposed the risks of under-secured update mechanisms when traffic can be intercepted at the ISP level.
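The following is an added illustration, not code from Notepad++ or its GUP/WinGUP updater, of the difference between an updater that trusts whatever URL the update response points to and one that pins its download hosts and verifies the downloaded bytes. The allowed host, the release manifest, the installer bytes and the update responses are all constructed for the example; a real updater would verify a signature against a public key embedded in the application rather than a per-release hash, which is used here only to keep the example standard-library-only.

```python
import hashlib
import hmac
from typing import Tuple
from urllib.parse import urlparse

# Constructed for this example: hosts the updater is allowed to download from.
# An intercepted response that names any other host must be rejected.
ALLOWED_HOSTS = {"updates.example.test"}

# Constructed release manifest that ships with the application, not fetched at
# update time: version -> SHA-256 hex digest of the legitimate installer.
GOOD_INSTALLER = b"constructed installer bytes for version 8.9.1"
PINNED_RELEASES = {
    "8.9.1": hashlib.sha256(GOOD_INSTALLER).hexdigest(),
}


def weak_accept(update_info: dict, payload: bytes) -> bool:
    """Weak pattern: accept any non-empty download for any advertised version.

    Nothing ties the URL or the bytes to the vendor, so a response redirected
    to a rogue server passes exactly like a legitimate one.
    """
    return bool(update_info.get("version")) and len(payload) > 0


def hardened_accept(update_info: dict, payload: bytes) -> Tuple[bool, str]:
    """Hardened pattern: HTTPS to a pinned host, plus a pinned digest match.

    Returns (accepted, reason) so callers can log why an update was refused.
    """
    url = urlparse(update_info.get("url", ""))
    if url.scheme != "https":
        return False, "download URL is not https"
    # urlparse().hostname strips userinfo and port, so tricks such as
    # https://updates.example.test@rogue.example.test/ resolve to the rogue host.
    if url.hostname not in ALLOWED_HOSTS:
        return False, f"host {url.hostname!r} is not an allowed update host"
    version = update_info.get("version", "")
    expected = PINNED_RELEASES.get(version)
    if expected is None:
        return False, f"no pinned digest for version {version!r}"
    actual = hashlib.sha256(payload).hexdigest()
    # Constant-time comparison; the digests are ASCII hex strings.
    if not hmac.compare_digest(actual, expected):
        return False, "installer digest does not match pinned digest"
    return True, "ok"


def demo() -> dict:
    """Run both checks over constructed legitimate, redirected and tampered cases."""
    legit = {"version": "8.9.1", "url": "https://updates.example.test/npp.8.9.1.exe"}
    redirected = {"version": "8.9.1", "url": "https://rogue.example.test/npp.8.9.1.exe"}
    tampered = b"constructed backdoored installer bytes"
    return {
        "weak_legit": weak_accept(legit, GOOD_INSTALLER),
        "weak_redirected": weak_accept(redirected, tampered),
        "hard_legit": hardened_accept(legit, GOOD_INSTALLER),
        "hard_redirected": hardened_accept(redirected, tampered),
        "hard_tampered_on_good_host": hardened_accept(legit, tampered),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that the host allowlist alone is not enough: the last case in `demo()` shows a file served from the correct host but with the wrong contents, which only the digest (in practice, signature) check catches. That is the property an updater needs when the network path between it and the vendor cannot be trusted.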
Immediate Steps for Users and Organizations
Developers and security experts urge users to manually install Notepad++ version 8.9.1 or later from the official website.
For organizations, it’s recommended to restrict updater internet access and monitor installed extensions carefully.
Originally published on Tech Times