Blog · February 3, 2026 · Tobias Wissen

The Notepad++ hack: what really happened in the attack on the update infrastructure

A supply-chain attack on Notepad++: how attackers manipulated updates for months, why only selected users were affected, and what small businesses should learn.

In early February 2026, several security outlets reported a serious incident at Notepad++, the widely used open-source editor. It was not a simple bug but a targeted attack on the update infrastructure. I have used the tool for years myself, so here is a sober take on what happened and what to take away.

What happened

Between June and December 2025, attackers compromised the server infrastructure behind Notepad++ updates. They exploited not a flaw in the editor itself but the hosting environment and the way the older update function (“WinGUp”) checked signatures and certificates. This let them redirect the update requests of selected users: instead of the real file, those users received a manipulated one from an attacker server, carrying a previously unknown backdoor called “Chrysalis”.

Who was behind it and who it hit

Security analysts attribute the attack to a state-backed group linked to China (“Lotus Blossom”), known for targeted cyber-espionage. Importantly, the attack was not widespread: only selected targets were manipulated. That points to a focused espionage campaign, not a mass attack.

Why it was possible

According to the development team, the problem was at the hosting-infrastructure level, not in the source code. The old update routine did not enforce all the necessary signature and certificate checks, so if the network connection was manipulated, the update requests could be redirected. The software was safe; the distribution path was not. That makes it a classic supply-chain attack.

What was fixed

The vulnerability has been closed since December 2025:

  • Stricter signature and certificate checks in update verification.
  • A change of server host, with all credentials renewed.

If you use Notepad++: make sure you are on at least version 8.8.9, and only download updates from the official site.

What small businesses should learn

  1. Supply-chain attacks are real, not abstract. They hit widely used, well-regarded tools too.
  2. The distribution path is part of security. It is not enough for software to be cleanly written; the path to the machine must be protected as well.
  3. Updates only from the original source, and a watchful eye on the software versions in use. A simple inventory of who has installed what already gets you halfway.
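The version check and the simple inventory recommended above can be scripted per machine. The following PowerShell is an added example, not code from Notepad++ or from the sources cited here; it assumes the installer registered itself under the standard Windows uninstall registry keys with a display name starting with "Notepad++", and the helper name `ConvertTo-ComparableVersion` is made up for this example.

```powershell
# Added example: list Notepad++ installs on this machine and flag any
# below 8.8.9, the minimum version named in the article.
$MinVersion = [version]'8.8.9'

# Standard uninstall registry locations (64-bit, 32-bit and per-user views).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function ConvertTo-ComparableVersion {
    param([string]$Text)
    # Keep the leading dotted-number part only. Comparing as [version]
    # avoids the string-compare trap where "8.8.10" sorts before "8.8.9".
    if ($Text -notmatch '^\s*(\d+(\.\d+){0,3})') { return $null }
    $v = $Matches[1]
    if ($v -notmatch '\.') { $v = "$v.0" }   # [version] needs at least major.minor
    return [version]$v
}

$found = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Notepad++*' }

$report = foreach ($app in $found) {
    $ver = ConvertTo-ComparableVersion $app.DisplayVersion

    # Authenticode status of the installed binary, only if an install path is recorded.
    $exe = if ($app.InstallLocation) { Join-Path $app.InstallLocation 'notepad++.exe' }
    $sig = if ($exe -and (Test-Path $exe)) { Get-AuthenticodeSignature -FilePath $exe }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Name      = $app.DisplayName
        Version   = $app.DisplayVersion
        # An unparseable version is treated as outdated so it gets looked at.
        Outdated  = ($null -eq $ver) -or ($ver -lt $MinVersion)
        Signature = if ($sig) { $sig.Status } else { 'NotChecked' }
        # Shown for manual comparison with the publisher you expect.
        Signer    = if ($sig) { $sig.SignerCertificate.Subject }
    }
}

$report | Format-Table -AutoSize
```

Piping `$report` to `Export-Csv` instead of `Format-Table` gives one row per install that can be collected from several machines into a single inventory sheet.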

If you want to know which software in your business is running on outdated, vulnerable versions: I will do a short, honest stocktake with you.

Tobias Wissen

Owner, WISSEN BERATUNG

Sources: The Hacker News, CyberScoop and DarkReading, all early February 2026.
