
Notepad++ Supply Chain Attack: What Canadian Businesses Should Know


On February 2, 2026, the maintainers of Notepad++ — one of the most popular open-source text editors in the world — disclosed that their software update infrastructure had been compromised by a suspected Chinese state-sponsored hacking group. The attackers hijacked the update mechanism for approximately six months, selectively delivering malware to targeted organizations through what appeared to be a routine software update.

This is not a theoretical risk. It happened, it went undetected for months, and it exploited the exact kind of trust that businesses place in their software every day.

What Happened

The attack did not exploit a flaw in the Notepad++ application itself. Instead, attackers compromised the shared hosting server where notepad-plus-plus.org was hosted, gaining the ability to intercept and redirect update traffic. When certain users checked for updates, they were silently redirected to attacker-controlled servers that served trojanized installers.

The timeline is significant:

  • June 2025: Attackers compromise the hosting infrastructure
  • July–October 2025: Malicious updates are selectively served to targeted users, with the attack chain changing roughly once per month
  • September 2025: The hosting provider patches the server, severing direct access — but attackers retain stolen credentials
  • December 2025: Attacker access is fully terminated; Notepad++ v8.8.9 adds installer signature verification
  • February 2, 2026: The incident is publicly disclosed
  • February 5, 2026: Kaspersky publishes detailed analysis revealing three distinct infection chains and new indicators of compromise (IoCs)

The core weakness was in WinGUp, the Notepad++ updater. Prior to version 8.8.9, it did not verify the certificate or signature of downloaded installers — a vulnerability now tracked as CVE-2025-15556.

Who Was Behind It

Multiple independent security researchers have attributed the attack to a Chinese state-sponsored group. Rapid7 identified the threat actor as Lotus Blossom (also known as Billbug), an advanced persistent threat (APT) group active since 2009 that primarily targets organizations in Southeast Asia for espionage purposes. Other researchers, including Kevin Beaumont, have linked the campaign to Violet Typhoon (APT31/Zirconium).

Attribution in these cases is always assessed with moderate confidence — but the consensus is clear: this was a nation-state operation, not a criminal one.

How Sophisticated Was the Attack

Very. Kaspersky's analysis revealed three entirely different infection chains used between July and October 2025, each with different tools, techniques, and infrastructure:

  1. Chain 1 (July–August): Used a repurposed copy of ProShow software to deliver a Metasploit loader, which then deployed a Cobalt Strike Beacon
  2. Chain 2 (September): Dropped a Lua interpreter that executed shellcode from a configuration file, again deploying Cobalt Strike — but with different domains and communication methods
  3. Chain 3 (October): Used DLL sideloading through a renamed Bitdefender tool to deliver Chrysalis, a previously undocumented custom backdoor discovered by Rapid7

Chrysalis is particularly concerning. It uses custom encryption, reflective loading, and API hashing to avoid detection, and supports over a dozen commands including reverse shells, file transfers, and complete self-removal.

The attackers rotated their command-and-control infrastructure constantly. Organizations that scanned only for the October-era indicators of compromise would have completely missed infections from July through September.

Who Was Targeted

The good news: this was a highly targeted campaign. Kaspersky's telemetry identified roughly a dozen affected machines, belonging to:

  • Individuals in Vietnam, El Salvador, and Australia
  • A government organization in the Philippines
  • A financial organization in El Salvador
  • An IT service provider in Vietnam

Most Notepad++ users were never served a malicious update. But this selectivity is part of what made the attack so difficult to detect — and it does not mean Canadian organizations can ignore it.

Why This Matters for Canadian Businesses

Even if your organization was not directly targeted, this incident carries important lessons:

Software Updates Can Be Weaponized

Every business relies on automatic software updates. This attack demonstrates that the update channel itself — typically one of the most trusted pathways into your network — can become the attack vector. The SolarWinds compromise in 2020 taught this lesson at scale. Notepad++ is a reminder that it applies to software of every size.

Open-Source Tools Need Scrutiny Too

Notepad++ is used by millions of developers, IT administrators, and business users. Many organizations do not track open-source tools the same way they track enterprise software — meaning they may not have visibility into which versions are installed, or which machines are affected.

Your Software Inventory Is a Security Control

If you cannot answer the question "Which machines in our organization have Notepad++ installed, and what version are they running?" — that is a gap. The Canadian Centre for Cyber Security's Baseline Controls address software inventory as part of Secure Configuration (BC.4) — one of the 13 foundational control areas — specifically because you cannot protect what you cannot see.

What You Should Do

1. Check Your Notepad++ Versions

If Notepad++ is used anywhere in your organization, confirm that all installations have been updated to at least version 8.9.1, which includes the security enhancements to the update mechanism. You can download the latest version directly from notepad-plus-plus.org.

2. Scan for Indicators of Compromise

Both Kaspersky and Rapid7 have published detailed IoCs covering all three infection chains. If your organization was running Notepad++ between July and December 2025, it is worth checking your logs against these indicators — particularly if you have users who handle sensitive data.

3. Review Your Software Inventory

This is a good prompt to audit which tools are installed across your organization — not just enterprise-licensed software, but free and open-source utilities. You cannot patch or monitor what you do not know about.
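The version check in step 1 and the inventory audit in step 3 come down to the same question on every Windows host: is Notepad++ installed, which version, and is the installed binary still carrying a valid signature? The PowerShell below is an added example, not code from the article or the Notepad++ project; it reads the standard uninstall registry keys on the local machine, treats 8.9.1 (the floor the article names) as the minimum, and checks the Authenticode signature of notepad++.exe. The registry paths and the assumption that a per-machine install records an InstallLocation are the example's own.

```powershell
# Added example (not from the article or the Notepad++ project): inventory Notepad++
# on the local host, flag versions below the article's recommended floor, and check
# the Authenticode signature of the installed binary. Run per host, or wrap the
# function in Invoke-Command to collect the same object from a fleet.

$MinimumVersion = [version]'8.9.1'   # floor the article recommends (assumption: nothing older is acceptable)

# Uninstall hives written by per-machine (64-bit and 32-bit) and per-user installers
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-NotepadPlusPlusInstall {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Notepad++*' } |
        ForEach-Object {
            # DisplayVersion is a string such as "8.8.3"; [version] makes it comparable.
            # A missing value is treated as 0.0 so it is reported as below the floor.
            $installed = if ($_.DisplayVersion) { [version]($_.DisplayVersion -replace '[^\d\.]', '') } else { [version]'0.0' }
            $dir = $_.InstallLocation
            $exe = if ($dir) { Join-Path $dir 'notepad++.exe' } else { $null }
            $sig = if ($exe -and (Test-Path $exe)) { Get-AuthenticodeSignature -FilePath $exe } else { $null }
            [pscustomobject]@{
                Computer        = $env:COMPUTERNAME
                DisplayName     = $_.DisplayName
                Version         = $installed
                BelowMinimum    = ($installed -lt $MinimumVersion)
                InstallPath     = $dir
                SignatureStatus = if ($sig) { $sig.Status } else { 'BinaryNotFound' }
                Signer          = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
}

$results = @(Get-NotepadPlusPlusInstall)
if ($results.Count -eq 0) {
    Write-Output "No Notepad++ install recorded in the uninstall registry on $env:COMPUTERNAME"
} else {
    $results | Format-Table -AutoSize
    # Anything below the floor, unsigned, or with a broken signature needs follow-up
    $results | Where-Object { $_.BelowMinimum -or $_.SignatureStatus -ne 'Valid' } | ForEach-Object {
        Write-Warning "$($_.Computer): $($_.DisplayName) $($_.Version) signature=$($_.SignatureStatus)"
    }
}
```

Portable (zip) copies of Notepad++ never touch the uninstall registry, so pair this with a file-system search for notepad++.exe if your users are allowed to run unpacked tools.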

4. Evaluate Your Supply Chain Risk

Consider which software vendors and update channels you trust implicitly. Where possible, ensure your organization has controls to verify the integrity of software updates — or at minimum, that your managed service provider is doing this on your behalf.

The Bigger Picture: Supply Chain Attacks Are Accelerating

This incident fits a clear pattern. Supply chain attacks — where attackers compromise a trusted vendor or tool to reach downstream targets — have become one of the most effective techniques in the nation-state playbook:

  • SolarWinds (2020): Trojanized updates delivered to 18,000 organizations
  • Kaseya (2021): Managed service provider platform exploited to deploy ransomware
  • 3CX (2023): Desktop application compromised to deliver info-stealing malware
  • Notepad++ (2025): Update infrastructure hijacked for targeted espionage

The common thread is trust. Businesses trust their software vendors. Attackers exploit that trust.

For Canadian businesses, the practical takeaway is this: patch management and software inventory are not optional. They are the foundation of a security posture that can withstand these kinds of threats.

If you are not sure where your organization stands, our free assessment evaluates your business across all 13 of the Canadian Centre for Cyber Security's Baseline Control areas — including software inventory, patch management, and incident response — and gives you a clear picture of what needs attention.

The next supply chain attack will not announce itself. Make sure your business is ready.



Cybersecurity Canada is an independent resource and is not affiliated with, endorsed by, or connected to the Canadian Centre for Cyber Security, the Communications Security Establishment, or the Government of Canada.
