If you are one of the millions of users who rely on Notepad++ for coding or quick text editing on Windows, you need to stop and check your version immediately.
A massive security incident has just been uncovered, revealing that the update system for the popular code editor was hijacked for six months. While this sounds like a plot from a cyber-thriller, it is a real-world supply chain attack that left countless systems exposed to a sophisticated backdoor.
As someone who has used Notepad++ for years, I know how easy it is to click “Yes” on an update prompt without a second thought. But this breach changes how we need to look at those routine software updates.
Here is a breakdown of what happened, how the Notepad plus hack works, and exactly what you need to do to secure your PC.
The “Invisible” Update Hack: How It Happened
Unlike typical viruses that you might catch from a shady website, this attack was much more insidious. It didn’t involve a flaw in the Notepad app’s code itself. Instead, hackers compromised the infrastructure delivering the updates.
From June to December 2025, state-sponsored attackers (identified by researchers as the “Lotus Blossom” group) managed to infiltrate the servers used by Notepad++ to distribute updates.
How the Attack Worked:
- The Hijack: The attackers gained control of the update mechanism (specifically the
WinGUpupdater). - The Interception: When a user opened Notepad++ and checked for updates, the compromised server could silently redirect that request.
- The Switch: Instead of downloading the legitimate update from the official source, the server sent the user to a malicious link hosting a fake “update.exe”.
Because the software itself (Notepad++) is a trusted tool on millions of Windows machines, this “update” bypassed many standard security checks. The scary part? The developers didn’t regain full control of the infrastructure until December 2025.
Is Your System Infected? (The “Chrysalis” Backdoor)
The malware delivered in this attack has been dubbed “Chrysalis.” It is not your average adware or ransomware; it is a custom-built backdoor designed for long-term espionage.
Once installed, Chrysalis allows attackers to:
- Execute commands remotely on your computer.
- Steal files and sensitive data.
- Move laterally across a corporate network (jumping from one infected PC to others).
This type of malware is “feature-rich,” meaning it gives the hackers hands-on-keyboard access to the victim’s machine. If you updated Notepad++ during the second half of 2025, there is a non-zero chance your system communicated with these rogue servers.
Who Was Actually Targeted? (Separating Hype from Reality)
Headlines screaming about “millions of users” can be panic-inducing, but context is vital here.
In practical experience with these types of APT (Advanced Persistent Threat) attacks, the goal is rarely to infect everyone. The hackers were selective. While they could have infected millions, researchers found that the traffic redirection was highly targeted.
The primary targets appeared to be:
- Financial institutions.
- Telecommunications companies.
- Organizations with business interests in East Asia.
However, this does not mean the average user is 100% safe. Collateral damage happens, and if you work in a sensitive industry or use a corporate VPN, your machine might have been flagged as a person of interest.
Critical Steps to Secure Notepad++ on Windows Right Now
If you have Notepad++ installed, do not panic, but do not ignore this either. The developers have released a clean version that patches the vulnerability in the updater itself.
1. Check Your Version Immediately
Open Notepad++ and go to ? > About Notepad++.
- If you are running any version older than 8.9.1, you are at risk.
- The vulnerability in the updater (WinGUp) was patched in late 2025/early 2026 versions to enforce strict digital signature checks.
2. Do Not Use the Auto-Updater (Yet)
If you are on an old version, do not use the built-in “Check for Update” feature. If your updater is still compromised or vulnerable, it could theoretically still be tricked.
Instead, follow this manual process:
- Uninstall your current version of Notepad++.
- Go to the official Notepad++ website (notepad-plus-plus.org).
- Download the latest installer (v8.9.1 or higher) manually.
- Install the fresh version.
3. Verify the Digital Signature
In the real world, we rarely check digital signatures, but for this week, make an exception.
- Right-click the downloaded installer file.
- Select Properties > Digital Signatures.
- Ensure it says “Don Ho” (the developer) and that the signature is valid.
The Lesson for Windows Users
This Notepad plus hack serves as a stark reminder that even “safe,” boring tools can become weapons. Notepad replacements are essential for productivity, but they are also prime targets because they sit on developer and IT admin computers—accounts that often have high-level access permissions.
Moving forward, sticking to the latest version isn’t just about getting new features; it’s about closing doors that hackers have been quietly prying open for months. Update your software today, but do it the manual, safe way.
