When Updates Become Weapons: The Notepad++ Supply-Chain Intrusion That Hid in Plain Sight
Industry: Software, Cybersecurity
For months, a routine software update check became a delivery mechanism for covert intrusion.
Notepad++, the ubiquitous open-source text editor found on developer laptops and IT admin workstations worldwide, has been caught in a supply-chain compromise that security teams describe as selective, quiet, and built for long-term access. Investigators say attackers were able to manipulate the update path used by the application, steering a subset of users toward a malicious payload while leaving most of the install base untouched. That restraint is part of what made the campaign so difficult to spot.
A compromise built on trust, not a code flaw
The incident did not hinge on a dramatic vulnerability in Notepad++ itself. It exploited something more basic: the trust users and enterprises place in update infrastructure.
Investigators describe an intrusion that began in mid-2025 and remained operational into late 2025, with attackers maintaining varying degrees of access over time. The critical takeaway is uncomfortable. Even when software is open-source and widely scrutinised, the systems that distribute updates can be softer targets than the codebase. Attackers do not need to rewrite the product if they can stand in the path between the maintainer and the user.
That is how a seemingly harmless update check becomes a decision point with geopolitical consequences.
Selective delivery suggests intelligence priorities
The attack’s most telling feature was precision.
Rather than pushing a mass infection that would have triggered rapid public alarms, the campaign appears to have delivered malicious updates only to “targeted users” within the compromise window. This kind of profiling is consistent with espionage tradecraft, where operators value stealth and persistence over immediate monetisation. It also complicates incident response because organisations cannot assume that unaffected peers or clean test machines rule out exposure.
In practical terms, the same update mechanism could behave normally for most endpoints and still compromise the few that mattered.
A multi-stage chain that blends commodity tools with custom implants
Technical analysis of recovered artifacts shows an infection chain designed to look ordinary while doing uncommon things.
In the observed execution sequence, Notepad++ activity was followed by execution of its updater component, and then by the appearance of a suspicious process named update.exe downloaded from external infrastructure. The malicious update stage functioned as an installer that dropped additional files, created a hidden directory, and abused a legitimate executable for DLL side-loading. That approach has a reliable advantage: defenders often trust the signed binary that launches, even when the DLL it loads is hostile.
Once the loader stage decrypted and executed shellcode in memory, the campaign shifted into a more durable posture. Investigators dubbed the resulting backdoor “Chrysalis,” describing it as feature-rich and built for remote control, file operations, and interactive command execution. Forensic pivots also surfaced multiple loaders and signs of commodity frameworks in the wider toolkit, a blend that suggests a mature operator able to move between custom development and off-the-shelf capability as needed.
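The execution chain described above (editor, then updater, then an update.exe running from a user-writable path, then a signed binary side-loading a DLL beside itself) is the shape a detection team would hunt for in process-creation and image-load telemetry. The script below is an added example, not code from the article or from the Notepad++ project. It assumes the updater binary is named GUP.exe under the install directory (the article only says "its updater component"), that the sensor reports a signature-validity flag and the DLLs each process loaded, and all events in it are constructed for illustration.

```python
"""Triage the update-chain and DLL side-loading pattern in process telemetry.

Added example, not code from the article or the Notepad++ project.
Assumptions: the updater is GUP.exe under the install directory, the EDR
reports signature validity and image loads, and every event below is
constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

UPDATER_NAME = "gup.exe"        # assumption: Notepad++ updater executable name
EDITOR_NAME = "notepad++.exe"
SUSPECT_CHILD = "update.exe"    # process name reported in the observed chain
# Directory markers an unprivileged user can write to; a signed binary running
# from one of these and loading a DLL beside itself is the classic side-load shape.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str                  # full path of the process image
    signed: bool                # Authenticode signature valid, as the sensor reports it
    dlls: List[str] = field(default_factory=list)   # image-load paths for this process


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def in_user_writable_dir(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def find_update_chain(events: List[ProcEvent]) -> List[Tuple[int, int, int, str]]:
    """editor -> updater -> update.exe, with update.exe running from a user-writable path.

    The legitimate updater also launches a downloaded installer, so a hit is a
    triage lead: hash the child and compare it with published indicators.
    """
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits = []
    for child in events:
        if basename(child.image) != SUSPECT_CHILD:
            continue
        parent = by_pid.get(child.ppid)
        if parent is None or basename(parent.image) != UPDATER_NAME:
            continue
        grand = by_pid.get(parent.ppid)
        if grand is None or basename(grand.image) != EDITOR_NAME:
            continue
        if in_user_writable_dir(child.image):
            hits.append((grand.pid, parent.pid, child.pid, child.image))
    return hits


def find_sideloads(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """A signed executable in a user-writable directory loading a DLL from that same directory."""
    hits = []
    for e in events:
        if not e.signed or not in_user_writable_dir(e.image):
            continue
        for dll in e.dlls:
            if dirname(dll) == dirname(e.image):
                hits.append((e.pid, e.image, dll))
    return hits


def triage(events: List[ProcEvent]) -> Dict[str, list]:
    return {"update_chain": find_update_chain(events), "sideloads": find_sideloads(events)}


# Constructed telemetry: one suspicious chain, one ordinary update, one unrelated process.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Program Files\Notepad++\notepad++.exe", True),
    ProcEvent(101, 100, r"C:\Program Files\Notepad++\updater\GUP.exe", True),
    ProcEvent(102, 101, r"C:\Users\alice\AppData\Local\Temp\update.exe", False),
    ProcEvent(103, 102, r"C:\Users\alice\AppData\Roaming\svc\BluetoothService.exe", True,
              dlls=[r"C:\Users\alice\AppData\Roaming\svc\log.dll",
                    r"C:\Windows\System32\kernel32.dll"]),
    ProcEvent(200, 1, r"C:\Program Files\Notepad++\notepad++.exe", True),
    ProcEvent(201, 200, r"C:\Program Files\Notepad++\updater\GUP.exe", True),
    ProcEvent(202, 201, r"C:\Users\bob\AppData\Local\Temp\npp-installer.exe", True),
    ProcEvent(300, 1, r"C:\Program Files\Git\git.exe", True,
              dlls=[r"C:\Program Files\Git\libz.dll"]),
]

if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_EVENTS).items():
        for hit in hits:
            print(rule, hit)
```

The two rules are deliberately separate: the chain rule fires on the ordinary updater flow whenever the child is named update.exe, so it is a lead to be confirmed by hashing the child against the indicator list, while the side-load rule is independent of Notepad++ entirely and catches the signed BluetoothService.exe loading log.dll from the same hidden directory.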
Why Notepad++ is a high-leverage foothold
Notepad++ is not a security product, which is exactly why it matters.
It is installed everywhere, from helpdesk machines and engineering workstations to jump hosts and production support environments. It touches configuration files, scripts, credentials stored in plaintext by legacy processes, and snippets of code that reveal internal naming conventions and infrastructure patterns. Even when the application runs without elevated privileges, the operational reality is that developer and administrator endpoints frequently sit close to sensitive systems. Compromising a trusted editor is not about the editor itself. It is about the environment it lives in and the habits it observes.
Supply-chain compromise turns everyday tooling into a privileged observer.
The ripple effects: patching is no longer just patching
This incident lands at a time when enterprises are automating updates more aggressively, often to reduce exposure to known vulnerabilities. That efficiency has a blind spot.
Automatic updating assumes the supplier pipeline is safe. When a distribution layer is compromised, the same automation becomes a force multiplier for the attacker, not the defender. Security teams increasingly have to validate not only what version is installed, but how it arrived, from where, and whether network paths or hosting dependencies could have been manipulated.
The broader market lesson is that software integrity is now inseparable from delivery integrity.
Indicators of compromise
File indicators (SHA-256)
update.exe: a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9
[NSIS.nsi]: 8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e
BluetoothService.exe: 2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924
BluetoothService (encrypted shellcode container): 77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e
log.dll: 3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad
u.bat: 9276594e73cda1c69b7d265b3f08dc8fa84bf2d6599086b9acc0bb3745146600
conf.c: f4d829739f2d6ba7e3ede83dad428a0ced1a703ec582fc73a4eee3df3704629a
libtcc.dll: 4a52570eeaf9d27722377865df312e295a7a23c3b6eb991944c2ecd707cc9906
admin: 831e1ea13a1bd405f5bda2b9d8f2265f7b1db6c668dd2165ccc8a9c4c15ea7dd
loader1: 0a9b8df968df41920b6ff07785cbfebe8bda29e6b512c94a3b2a83d10014d2fd
uffhxpSy (shellcode): 4c2ea8193f4a5db63b897a2d3ce127cc5d89687f380b97a1d91e0c8db542e4f8
loader2: e7cd605568c38bd6e0aba31045e1633205d0598c607a855e2e1bca4cca1c6eda
3yzr31vk (shellcode): 078a9e5c6c787e5532a7e728720cbafee9021bfec4a30e3c2be110748d7c43c5
ConsoleApplication2.exe: b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3
system (shellcode): 7add554a98d3a99b319f2127688356c1283ed073a084805f14e33b4f6a6126fd
s047t5g.exe: fcc2765305bcd213b7558025b2039df2265c3e0b6401e4833123c461df2de51a
Network indicators
95.179.213.0
61.4.102.97
59.110.7.32
124.222.137.114
api[.]skycloudcenter[.]com
api[.]wiresguard[.]com
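Putting the indicators above to work, and answering the earlier point that teams now have to check not just which version is installed but how it arrived and from where, means parsing the list (including the defanged domains) and sweeping it across file-hash inventories and network logs. The script below is an added example, not from the article: IOC_TEXT is the article's list copied verbatim, while the inventory rows and log lines are constructed, and the non-matching digest is a placeholder rather than a real file hash.

```python
"""Sweep host and network records against the published indicators.

Added example, not from the article. IOC_TEXT is copied from the article;
the inventory rows, log lines and the all-zero digest are constructed.
"""
import re
from typing import Dict, List, Set, Tuple

IOC_TEXT = """
File indicators (SHA-256)
update.exe: a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9
[NSIS.nsi]: 8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e
BluetoothService.exe: 2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924
BluetoothService (encrypted shellcode container): 77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e
log.dll: 3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad
u.bat: 9276594e73cda1c69b7d265b3f08dc8fa84bf2d6599086b9acc0bb3745146600
conf.c: f4d829739f2d6ba7e3ede83dad428a0ced1a703ec582fc73a4eee3df3704629a
libtcc.dll: 4a52570eeaf9d27722377865df312e295a7a23c3b6eb991944c2ecd707cc9906
admin: 831e1ea13a1bd405f5bda2b9d8f2265f7b1db6c668dd2165ccc8a9c4c15ea7dd
loader1: 0a9b8df968df41920b6ff07785cbfebe8bda29e6b512c94a3b2a83d10014d2fd
uffhxpSy (shellcode): 4c2ea8193f4a5db63b897a2d3ce127cc5d89687f380b97a1d91e0c8db542e4f8
loader2: e7cd605568c38bd6e0aba31045e1633205d0598c607a855e2e1bca4cca1c6eda
3yzr31vk (shellcode): 078a9e5c6c787e5532a7e728720cbafee9021bfec4a30e3c2be110748d7c43c5
ConsoleApplication2.exe: b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3
system (shellcode): 7add554a98d3a99b319f2127688356c1283ed073a084805f14e33b4f6a6126fd
s047t5g.exe: fcc2765305bcd213b7558025b2039df2265c3e0b6401e4833123c461df2de51a
Network indicators
95.179.213.0
61.4.102.97
59.110.7.32
124.222.137.114
api[.]skycloudcenter[.]com
api[.]wiresguard[.]com
"""

SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)   # applied after refanging


def refang(text: str) -> str:
    """Turn the publication-safe [.] form back into something comparable with live logs."""
    return text.replace("[.]", ".")


def parse_iocs(text: str) -> Dict[str, object]:
    hashes: Dict[str, str] = {}     # digest -> label from the list
    ips: Set[str] = set()
    domains: Set[str] = set()
    for raw in text.splitlines():
        line = refang(raw.strip())
        if not line:
            continue
        m = SHA256_RE.search(line)
        if m:
            label = line.split(":", 1)[0].strip() if ":" in line else "unlabelled"
            hashes[m.group(0).lower()] = label
        elif IPV4_RE.fullmatch(line):
            ips.add(line)
        elif DOMAIN_RE.fullmatch(line):
            domains.add(line.lower())
        # anything else (section headings) is ignored
    return {"hashes": hashes, "ips": ips, "domains": domains}


def sweep_files(inventory: List[Tuple[str, str, str]], iocs) -> List[Tuple[str, str, str]]:
    """inventory rows are (host, path, sha256); returns (host, path, ioc label) for matches."""
    hits = []
    for host, path, digest in inventory:
        label = iocs["hashes"].get(digest.lower())
        if label:
            hits.append((host, path, label))
    return hits


def sweep_network(lines: List[str], iocs) -> List[Tuple[int, str]]:
    """Returns (1-based line number, matched indicator) for every IP or domain hit."""
    hits = []
    for n, raw in enumerate(lines, 1):
        line = refang(raw)
        for ip in IPV4_RE.findall(line):
            if ip in iocs["ips"]:
                hits.append((n, ip))
        for dom in DOMAIN_RE.findall(line):
            if dom.lower() in iocs["domains"]:
                hits.append((n, dom.lower()))
    return hits


# Constructed records; the all-zero digest is a placeholder, not a real file hash.
SAMPLE_INVENTORY = [
    ("ws-017", r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9"),
    ("ws-017", r"C:\Users\alice\AppData\Roaming\svc\log.dll",
     "3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad"),
    ("ws-042", r"C:\Program Files\Notepad++\notepad++.exe", "0" * 64),
]
SAMPLE_NET_LOG = [
    "2025-09-14T10:22:31Z host=ws-017 dns query=api.skycloudcenter.com",
    "2025-09-14T10:22:32Z host=ws-017 proxy CONNECT api.wiresguard.com:443 dst=95.179.213.0",
    "2025-09-14T10:25:03Z host=ws-042 dns query=updates.example.com",
]

if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    print(sweep_files(SAMPLE_INVENTORY, iocs))
    print(sweep_network(SAMPLE_NET_LOG, iocs))
```

Refanging happens on both sides (the indicator list and the log lines), so the sweep works whether a SOC stores its proxy and DNS logs live or already defanged; the hash map keeps the label from the list so a hit reports which stage of the chain (update.exe, log.dll, a shellcode container) was found on the host.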
The uncomfortable, forward-looking implication is that software security can no longer be measured by source transparency alone. Attackers are increasingly treating distribution infrastructure as the real prize, because that is where trust is turned into execution.