Attackers have hijacked the update mechanism of Notepad++, one of the world’s most popular open-source text editors, delivering malware to targeted users over a period of six months.
In an advisory, developer Don Ho discussed how bad actors weaponized his two-decade-old project between June and December last year.
A later update to the advisory said: “Multiple independent security researchers have assessed that the threat actor is likely a Chinese state-sponsored group, which would explain the highly selective targeting observed during the campaign.”
The attack employed infrastructure-level compromise that enabled bad actors to intercept and redirect update traffic destined for notepad-plus-plus.org.
“The exact technical mechanism remains under investigation, though the compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself. Traffic from certain targeted users was selectively redirected to attacker-controlled servers that served malicious update manifests,” researchers wrote.
The breach raises questions about the security of open-source software and the vulnerability of critical development infrastructure. The actors behind the attack compromised the infrastructure of Notepad++’s hosting provider so they could selectively poison updates for high-value targets. The majority of users were unaffected, which helped the actors evade detection.
Unlike most supply-chain attacks, which involve tampering with source code repositories, the Notepad++ event depended on redirecting network traffic after it left a user’s computer but before it reached the legitimate update server.
“I deeply apologize to all users affected by this hijacking. I recommend downloading v8.9.1 (which includes the relevant security enhancement) and running the installer to update your Notepad++ manually,” the advisory ended.
Selective Supply Chain Attacks
Jason Soroko, Senior Fellow at Sectigo, said this latest incident highlights the insidious nature of selective supply chain attacks, in which the attacker shows restraint, targeting only high-value victims while leaving the majority of users untouched.
“This allowed them to maintain access for six months without triggering broad alarms. By compromising the hosting infrastructure to deliver poisoned updates, the attackers likely sought to gain Remote Code Execution (RCE) on developer workstations.”
Soroko added that these environments are high-yield targets for espionage, as they often contain hardcoded credentials (SSH keys, cloud API tokens), direct access to source code, and privileged routes into production networks, effectively turning the developers’ own tools into backdoors for lateral movement.
“To defend against such surgical compromises, organizations must adopt a ‘Zero Trust’ approach to software updates, verifying not just the binary’s signature but the integrity of the update channel itself. The move to sign the update XML (XMLDSig) is a critical evolution; it ensures that the instruction to update comes from the maintainer, preventing attackers who control the server from tricking the client into downloading a malicious file even if they can’t forge the binary’s signature.”
He also advised security teams to enforce strict network egress filtering, which blocks text editors from making unapproved external connections, and to require out-of-band hash verification for sensitive tools to confirm that the file received matches the developer’s official release.
Hunt the Behavior, Not the Brand
APT31 bypassed every build-pipeline defense the industry deployed after SolarWinds by compromising the hosting provider and selectively poisoning Notepad++ updates to East Asian telecom and financial targets for six months, added Collin Hogue-Spears, Senior Director of Solution Management at Black Duck.
“I’ve been tracking how state actors weaponize developer ecosystems for two years. North Korea industrialized npm. China just industrialized the delivery layer. APT31 never touched the Notepad++ source code, never compromised the build pipeline, never broke a signature. They lived inside the hosting provider for six months, filtered update requests by IP range, and hand-delivered trojanized installers to East Asian telecom and financial targets while millions of other users pulled clean copies. The software supply chain has shifted from a development pipeline to a liability pipeline, and this attack exploited the gap most organizations still don’t instrument: the path between a vendor-signed binary and your endpoint.”
Security teams need to stop treating ‘came from the right domain’ as provenance, Hogue-Spears explained. “Auto-updaters are remote code execution pipelines. Kill direct-to-internet updates for developer tools; force them through an internal repository that re-validates the vendor’s code-signing certificate and blocks anything not signed by the expected publisher. Notepad++ had to add exactly that signature/certificate check after update traffic was redirected to attacker infrastructure.”
He said teams should then hunt the behavior, not the brand. “Distribution-layer compromise turns ‘update’ into ‘hands-on-keyboard’ fast, and you won’t catch it with build-pipeline controls.”
Neither New, Nor Novel
Morey Haber, Chief Security Advisor at BeyondTrust, said this attack vector is neither new nor did it require novel malware. “It was a deliberate supply-chain compromise based on trusted update infrastructure. To be clear, this is a standard component in almost all solutions today to update versions and apply patches hosted by the solution manufacturer. To that end, the threat actor did not breach or crack the Notepad++ codebase but, rather, they targeted the infrastructure behind the scenes for updates and maintained access to updates for months after the initial breach. By manipulating the update mechanism and redirecting traffic to malicious servers, the threat actors bypassed conventional defenses like endpoint security controls and content filters.”
Based on the IR report, Haber said some clients did receive “compromised” updates. “However, the report does not disclose what those updates involved or how many clients were impacted. While the remediation appears to be in line with a breach of this nature from within the vendor, all clients are recommended to use the latest version in order to remediate any potential risk.”
He said this warrants a threat hunting exercise within every organization using older versions, to determine whether any additional malicious activity or lateral movement has taken place. This includes any exfiltration of information that may have been edited with older versions of the solution.
“Once the updater was hijacked, the threat actor became a part of the trusted execution path for updates. In lieu of delivering legitimate versions, ‘compromised updates’ were dropped with the same privileges as legitimate software installations, bypassing local controls and operating as trusted applications. That means reconnaissance, credential harvesting, lateral movement, persistence, or even data exfiltration became feasible inside the target networks based on Notepad++ usage and transmitted out of the organization based on subsequent update requests.”
Haber said all software manufacturers must consider a review of the cybersecurity for update infrastructure. At a minimum:
- Enforce strict cryptographic verification of updates including signed manifests and checksums for binaries
- Adopt reproducible build and distribution processes using automation to verify updates match intent during production
- Vet hosting/CDN providers for security practices including periodic penetration testing of the services
- Software vendors should assume infrastructure can be breached and adopt zero-trust architectures for supply chain updates
- Regular threat hunting around trusted paths and incident response readiness to minimize any potential dwell time.
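The control that Soroko (signed update manifest), Hogue-Spears (re-validate the publisher’s key, not the domain) and Haber’s first bullet (signed manifests plus checksums for binaries) all describe can be shown end to end in a few dozen lines. The following is an added example, not code from the Notepad++ project or from the advisory: it stands in Ed25519 over a JSON manifest for the XMLDSig-over-XML design the advisory describes, and the manifest field names, the seed, the installer bytes and the `example.invalid`/`attacker.invalid` URLs are all constructed for the demonstration. It walks three situations: a clean update, a compromised host that rewrites the manifest to point at its own installer, and a host that leaves the signed manifest alone but swaps the installer bytes at download time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a constructed update descriptor. The field names are an assumption
// for this example, not the real Notepad++ update XML.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
}

// SignedManifest is the manifest exactly as the maintainer serialised and signed it.
type SignedManifest struct {
	Body      []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("manifest signature invalid: update channel not trusted")
	ErrHashMismatch = errors.New("downloaded installer does not match signed manifest hash")
)

// SignManifest is the maintainer-side step: the release key signs the manifest bytes,
// so whoever later serves those bytes cannot change them without detection.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	body, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Body: body, Signature: ed25519.Sign(priv, body)}, nil
}

// VerifyManifest is the client-side step. Trust comes from the pinned public key,
// not from the host or domain that served the manifest.
func VerifyManifest(pub ed25519.PublicKey, sm SignedManifest) (Manifest, error) {
	if !ed25519.Verify(pub, sm.Body, sm.Signature) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(sm.Body, &m); err != nil {
		return Manifest{}, err
	}
	return m, nil
}

// VerifyInstaller checks the fetched bytes against the hash the signed manifest commits
// to, so a swap at download time is caught even when the manifest itself was genuine.
func VerifyInstaller(m Manifest, installer []byte) error {
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrHashMismatch
	}
	return nil
}

// ScenarioResult records what the client decided in three constructed situations.
type ScenarioResult struct {
	LegitimateErr error // clean manifest, clean installer
	RedirectedErr error // host rewrote the manifest to point at its own installer
	SwappedErr    error // manifest untouched, installer replaced in transit
}

// RunScenario builds a deterministic maintainer key from a constructed seed (not a
// real release key) and exercises the client against one clean update and two
// host-level tamperings.
func RunScenario() ScenarioResult {
	priv := ed25519.NewKeyFromSeed([]byte("0123456789abcdef0123456789abcdef")) // 32-byte constructed seed
	pub := priv.Public().(ed25519.PublicKey)

	legit := []byte("constructed bytes standing in for the genuine installer")
	evil := []byte("constructed bytes standing in for a trojanised installer")
	legitSum := sha256.Sum256(legit)
	evilSum := sha256.Sum256(evil)

	signed, err := SignManifest(priv, Manifest{
		Version: "8.9.1",
		URL:     "https://example.invalid/npp.8.9.1.exe", // placeholder URL
		SHA256:  hex.EncodeToString(legitSum[:]),
	})
	if err != nil {
		return ScenarioResult{LegitimateErr: err, RedirectedErr: err, SwappedErr: err}
	}
	var r ScenarioResult

	// 1. Honest path: signature verifies and the installer hash matches.
	m, err := VerifyManifest(pub, signed)
	if err == nil {
		err = VerifyInstaller(m, legit)
	}
	r.LegitimateErr = err

	// 2. Compromised host rewrites the manifest but holds no release key, so the best
	//    it can do is replay the maintainer's old signature over its new bytes.
	tamperedBody, _ := json.Marshal(Manifest{
		Version: "8.9.1",
		URL:     "https://attacker.invalid/npp.exe", // placeholder URL
		SHA256:  hex.EncodeToString(evilSum[:]),
	})
	_, r.RedirectedErr = VerifyManifest(pub, SignedManifest{Body: tamperedBody, Signature: signed.Signature})

	// 3. Manifest left intact, installer swapped at download time.
	m, err = VerifyManifest(pub, signed)
	if err == nil {
		err = VerifyInstaller(m, evil)
	}
	r.SwappedErr = err
	return r
}

func main() {
	r := RunScenario()
	fmt.Println("legitimate update:  ", r.LegitimateErr)
	fmt.Println("redirected manifest:", r.RedirectedErr)
	fmt.Println("swapped installer:  ", r.SwappedErr)
}
```

The design point is the one Hogue-Spears makes: the client pins the maintainer’s public key and never asks which host served the bytes, so a provider-level redirect buys the attacker nothing unless they also hold the release key. The hash in the signed manifest closes the second gap, a binary swapped after a genuine manifest was fetched, and is also the value an out-of-band hash check would compare against.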
“A quick and valuable lesson to learn: supply chains are now high-stakes attack vectors, and insecure infrastructure, regardless of its function, is another potential attack vector.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.