Notepad++ supply chain attack breakdown

The WinGUp updater compromise is a textbook example of why update mechanisms are such high-value targets. Attackers get code execution on machines that specifically trust the update channel.

What's concerning is the 6-month window. Supply chain attacks are difficult to detect because the malicious code runs with full user permissions from a "trusted" source. Most endpoint protection isn't designed to flag software from a legitimate publisher's update infrastructure.

For organizations, this argues for staged rollouts and network monitoring for unexpected outbound connections from common applications. For individuals, package managers with cryptographic verification at least add another barrier - though obviously not bulletproof either.

I am running a lot of tools inside sandbox now for exactly this reason. The damage is confined to the directory I'm running that tool in.

There is no reason for a tool to implicitly access my mounted cloud drive directory and browser cookies data.

Other source: https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-...

So if one were theoretically infected right now, would a Malwarebytes scan indicate as such?

I'm out of the loop: How did they bypass Notepad++'s digital signatures? I just downloaded it to double-check, and the installer is signed with a valid code-signing certificate.

Is there a "detect infection and clean it up" app from a reputable source yet (beyond the "version 8.8.8 is bad" designator)?

It now seems to be best practice to simultaneously keep things updated (to avoid newly discovered vulnerabilities), but also not update them too much (to avoid supply chain attacks). Honestly not sure how I'm meant to action those at the same time.

> cmd /c "whoami&&tasklist&&systeminfo&&netstat -ano" > a.txt

Naive question, but isn't this relatively safe information to expose for this level of attack? I guess the idea is to find systems vulnerable to 0-day exploits and similar based on this info? Still, that seems like a lot of effort just to get this data.

> Notably, the first scan of this URL on the VirusTotal platform occurred in late September, by a user from Taiwan.

Could this be the attacker? The scan happened before the hack was first exposed on the forum.

I guess package managers win in the end. I got two emails from my IT department in the last year telling me to immediately update it.

I noticed I had version 8.9 on Dec 28, 2025 and it seems clean according to

https://arstechnica.com/security/2026/02/notepad-updater-was...

I recommend removing notepad++ and installing via winget which installs the EXE directly without the winGUP updater service.

Here's an AI summary explaining who is affected.

Affected Versions: All versions of Notepad++ released prior to version 8.8.9 are considered potentially affected if an update was initiated during the compromise window.

Compromise Window: Between June 2025 and December 2, 2025.

Specific Risk: Users running older versions that utilized the WinGUp update tool were vulnerable to being redirected to malicious servers. These servers delivered trojanized installers containing a custom backdoor dubbed Chrysalis.

The article starts out by saying that Notepad++ "is a text editor popular among developers". Really?