The Notepad++ attack and new supply-chain risks

How a trusted update channel became a threat vector, and what to do about it

Takeaways

• The compromise targeted the update delivery mechanism, not the Notepad++ application code.
• The campaign operated undetected for several months, impacting a significant number of users.
• Notepad++ has now implemented a stronger update verification process, checking both update metadata and the installer itself.
• Every part of a software deployment pipeline is a potential target and should be monitored accordingly.
• Restricting allowed applications, using endpoint protection and controlling update channels can reduce risk.
• Advanced detection and response tools can help identify and contain abnormal outbound connections and unauthorized processes quickly.

In February, the maintainers of Notepad++ disclosed a security incident: Attackers had compromised the software’s update delivery infrastructure, redirecting some users to a malicious installer. This breach did not involve exploiting a vulnerability in Notepad++ itself or tricking users with suspicious files. Instead, the attack focused on the path used to distribute legitimate updates, turning a trusted process into a threat.

How the attack worked

The attackers did not tamper with Notepad++ source code. Instead, they compromised the infrastructure that directs the application where to retrieve updates. When users selected “Check for updates,” Notepad++ contacted its update service, which then provided a download location for the installer.

During the breach, which lasted for several months in 2025, attackers could hijack this communication and redirect users to a malicious file. This installer appeared legitimate but contained a trojan. The download step itself was unchanged, but the file source was swapped for an attacker-controlled server.

Impact on users

Certain users who attempted to update during the attack window received a trojanized version of Notepad++. The malicious installer was linked to an espionage operation rather than widespread malware or ransomware. The goal was long-term access, data theft and lateral movement within affected environments, not immediate financial gain or visible disruption.

The attack was selective, targeting only specific users. However, for those affected — particularly in business environments — this posed a significant risk, as developer workstations often have access to sensitive resources like credentials, source code and administrative tools.

Supply-chain attack characteristics

This incident is a clear example of a supply-chain compromise, a mode of cyberattack that we’re seeing more of. Rather than attacking end users directly, the threat actors targeted the upstream distribution channel.

Users and IT teams typically trust update mechanisms, making them an efficient target for attackers. Because the malicious installer was delivered through a standard update process, it was less likely to be detected by conventional security controls.

Update systems, code signing, build pipelines, and cloud infrastructure are increasingly attractive vectors for cybercriminals, as compromising a single trusted point can yield access to many downstream targets. These attacks are efficient and often difficult to detect, especially when the delivered software appears legitimate.

Response and mitigation

After discovering the attack, Notepad++ maintainers strengthened their update process by introducing a dual-verification model. Both the metadata describing the update and the downloaded installer are now checked before installation proceeds. This reduces the risk of future redirect-based attacks.

To mitigate exposure to similar supply-chain risks, organizations should treat update delivery infrastructure as critical and monitor it closely. Additional steps include:

• Use managed update channels. In organizations, route updates through a software management tool rather than letting endpoints self-update from the internet.
• Verify signatures and provenance. Require code-signed installers where possible, and don’t ignore signature warnings. For high-risk endpoints, consider allowing installs only from approved sources.
• Limit who can install software. Standard user accounts shouldn’t be able to install arbitrary binaries. Least-privilege policies can help limit damage when an updater goes sideways.
• Monitor for “update-shaped” suspicious behavior. New persistence mechanisms, unexpected child processes spawned by an updater, or odd outbound connections right after an install should be investigation triggers.
• Maintain an inventory of what’s installed. You can’t assess exposure if you don’t know where a tool is deployed, especially common utilities that slip in outside formal procurement.
• Have a rollback plan. Make sure you can quickly uninstall or revert versions at scale when an update turns out to be the problem.
• Speed incident detection and response. Use advanced detection and response tools such as Barracuda Managed XDR to spot suspicious network activity and to respond effectively in real time.

The Notepad++ incident demonstrates that even trusted update channels can be compromised. Supply-chain attacks are on the rise, and effective defense requires monitoring all parts of the deployment pipeline, not just application code. Strengthening verification processes and using modern security tools can help reduce the risk and impact of similar attacks in the future.