February 3, 2026

Notepad++ users take note: It's time to check if you're hacked

Suspected China-state hackers used update infrastructure to deliver backdoored version.

TL;DR

  • Notepad++'s update infrastructure was compromised for six months by suspected China-state hackers.
  • The attackers used the compromised infrastructure to deliver backdoored versions of Notepad++ to select targets.
  • The attack began in June and control was not regained until December.
  • A custom, feature-rich backdoor named Chrysalis was installed on affected systems.
  • The attackers exploited insufficient update verification controls in older versions of Notepad++.
  • Independent researcher Kevin Beaumont noted security incidents at three organizations that used Notepad++, with attackers gaining hands-on-keyboard access.
  • Notepad++ version 8.8.8 introduced fixes to harden the updater.
  • Older versions had weaker security, including HTTP traffic and self-signed root certificates for downloads.
  • Beaumont warned of trojanized versions of Notepad++ being pushed through search engine advertisements.
  • Users are advised to make sure they are running an official release, version 8.8.8 or higher; the developers urge 8.9.1 or higher.
  • Organizations can consider blocking notepad-plus-plus.org or the gup.exe process from internet access.
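
The last two points can be checked on a Windows host with a short script. This is an added example, not code from the article or from the Notepad++ project. It assumes the default install directories, an updater at `updater\gup.exe` under each install, and that the numeric file version of `notepad++.exe` matches the release number; the function name and firewall rule name are made up for illustration.

```powershell
# Added example: audit local Notepad++ installs against the versions named above
# and optionally block the updater's outbound traffic.
# Assumptions: default install directories, updater at updater\gup.exe, and a
# numeric file version that matches the release number (e.g. 8.8.8).
function Get-NotepadPlusPlusStatus {
    [CmdletBinding()]
    param(
        [string[]]$InstallDir = @("$env:ProgramFiles\Notepad++",
                                  "${env:ProgramFiles(x86)}\Notepad++"),
        [version]$MinimumVersion     = '8.8.8',   # release that hardened the updater
        [version]$RecommendedVersion = '8.9.1',   # release the developers urge
        [switch]$BlockUpdater                     # requires an elevated session
    )
    foreach ($dir in ($InstallDir | Where-Object { $_ -and (Test-Path $_) })) {
        $exe = Join-Path $dir 'notepad++.exe'
        if (-not (Test-Path $exe)) { continue }

        # Build a comparable version from the numeric parts of the file version.
        $vi  = (Get-Item $exe).VersionInfo
        $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart)

        # Signature details are reported for manual review only; a trojanized
        # build from an ad link may be unsigned or signed by someone unexpected.
        $sig = Get-AuthenticodeSignature -FilePath $exe

        $gup     = Join-Path $dir 'updater\gup.exe'
        $hasGup  = Test-Path $gup
        $blocked = $false
        if ($BlockUpdater -and $hasGup) {
            New-NetFirewallRule -DisplayName "Block Notepad++ updater ($dir)" `
                -Direction Outbound -Program $gup -Action Block | Out-Null
            $blocked = $true
        }

        [pscustomobject]@{
            Path            = $exe
            Version         = $ver
            Status          = if ($ver -lt $MinimumVersion) { 'BelowMinimum' }
                              elseif ($ver -lt $RecommendedVersion) { 'BelowRecommended' }
                              else { 'OK' }
            SignatureStatus = $sig.Status
            Signer          = $sig.SignerCertificate.Subject
            UpdaterPresent  = $hasGup
            UpdaterBlocked  = $blocked
        }
    }
}

Get-NotepadPlusPlusStatus | Format-List
```

Run it without `-BlockUpdater` first to get a read-only report; a version at or above the threshold only shows the install is current and says nothing about whether the host received a backdoored update during the compromise window.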