Chinese hackers are suspected of breaching the popular text editor Notepad++ in June 2025. The attackers used the software to target specific organizations in East Asia and elsewhere, delivering malicious updates that gave them access to sensitive information.
The breach was discovered when security researchers noticed unusual behavior in software updates that turned out to be malicious. The attackers followed a selective approach, targeting only certain users and organizations, which likely helped them avoid detection for months.
Notepad++ has since released an updated version (8.8.9) with improved security features, including verification of installer certificates and signatures. The company is also planning to enforce mandatory certificate signature verification in the future.
Security experts say that this incident highlights the threat of selective supply chain attacks, where attackers target high-value victims while leaving others untouched. To defend against such attacks, organizations must adopt a “Zero Trust” approach to software updates and verify not only the binary’s signature but also the integrity of the update channel itself.
The attack used a never-before-seen backdoor called “Chrysalis,” which allowed the attackers to gain Remote Code Execution (RCE) on developer workstations. Experts warn that organizations must be vigilant in defending against such attacks, using measures such as strict network egress filtering and out-of-band hash verification for sensitive tools.
The incident also shows how state-sponsored hackers are increasingly targeting software supply chains, exploiting weaknesses in the delivery layer to gain access to sensitive information. Security teams must adapt their approach to detect and prevent such attacks, shifting from reliance on traditional build-pipeline controls alone to monitoring for distribution-layer compromise and verifying vendor code-signing certificates.
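The checks recommended above (out-of-band hash verification, signature verification and pinning the vendor's code-signing certificate) can be combined into a single pre-execution gate for a downloaded installer. The following PowerShell function is an added example, not code from the article or from the Notepad++ project; the installer path, expected hash and thumbprint are placeholders that a deployment would obtain through a channel independent of the download.

```powershell
# Added example: verify a downloaded installer before it is allowed to run.
# ExpectedSha256 and ExpectedThumbprint must come from an independent source
# (vendor page over a separate connection, signed release notes, internal
# allow-list), never from the same update channel that delivered the file.
function Test-InstallerTrust {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256,     # obtained out-of-band
        [Parameter(Mandatory)] [string] $ExpectedThumbprint  # pinned vendor signing cert
    )
    $result = [ordered]@{
        Path = $Path; HashMatch = $false; SignatureValid = $false
        SignerPinned = $false; Trusted = $false
    }
    if (-not (Test-Path -LiteralPath $Path)) { throw "Installer not found: $Path" }

    # 1. Integrity: SHA-256 must match the hash obtained out-of-band.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $result.HashMatch = ($actual -ieq $ExpectedSha256)

    # 2. Authenticity: Authenticode chain must be 'Valid'. Any other status
    #    (NotSigned, HashMismatch, NotTrusted, UnknownError ...) fails the gate.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $result.SignatureValid = ($sig.Status -eq 'Valid')

    # 3. Pinning: a valid signature from an unexpected certificate is still a
    #    red flag; a compromised distribution layer could ship a binary signed
    #    with a different but otherwise trusted certificate.
    if ($sig.SignerCertificate) {
        $result.SignerPinned = ($sig.SignerCertificate.Thumbprint -ieq $ExpectedThumbprint)
    }

    $result.Trusted = $result.HashMatch -and $result.SignatureValid -and $result.SignerPinned
    [pscustomobject]$result
}

# Usage with placeholder values (replace with values from an independent channel):
$check = Test-InstallerTrust -Path 'C:\Downloads\<installer-file>.exe' `
    -ExpectedSha256 '<SHA256_FROM_OUT_OF_BAND_SOURCE>' `
    -ExpectedThumbprint '<PINNED_SIGNER_THUMBPRINT>'
$check | Format-List
if (-not $check.Trusted) { Write-Warning 'Installer failed one or more checks; do not execute it.' }
```

Each of the three checks is reported separately so that a failing hash with a valid signature (or the reverse) is visible as its own signal for investigation rather than collapsed into a single pass/fail.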
Source: https://www.cpomagazine.com/cyber-security/chinese-hackers-compromised-notepad-software-updates-for-nearly-half-a-year-but-only-select-targets-breached