Security musings


🔍 Usage License 🔍

Unless otherwise stated, the content of this blog is licensed under CC BY-NC-ND 4.0.

© 2025 to 2042 Sébastien Gioria. All rights reserved.

Between June and December 2025, Notepad++ fell victim to a sophisticated supply chain attack. Attackers compromised the update system to intercept and redirect traffic. A textbook case of what OWASP now calls “A03: Software Supply Chain Failures” in its Top 10 2025. Let me break down an incident that could have been (or maybe was) catastrophic.


Context: Notepad++, A Prime Target

Notepad++ is an ultra-popular open-source text editor for Windows, used by millions of developers and system administrators worldwide. It’s precisely this popularity that makes it a prime target for attackers aiming at the supply chain.

💡 Key Figures:

  • 200+ million downloads since its creation
  • Used daily by millions of developers
  • Present on critical machines (servers, DevOps workstations, admin stations)
  • Automatic update mechanism (the ideal attack vector)

Compromising Notepad++ means potentially compromising thousands of organizations worldwide. A scenario worthy of SolarWinds, but on a smaller scale.


Incident Timeline

June - September 2025: The Silent Phase

The attackers managed to compromise the shared hosting infrastructure of notepad-plus-plus.org. During this period, they had the ability to intercept and redirect update traffic.

⏱ Detailed Timeline:

  • June 2025: Initial compromise of hosting infrastructure
  • June - September 2025: Active control of update distribution system
  • September 2, 2025: Attackers lose direct access following system maintenance
  • September - December 2025: Attempts to maintain access through other means
  • December 2025: Initial security disclosure regarding version v8.8.9
  • Late December 2025: Collaborative investigation triggered
  • January 2026: Complete migration and release of secured versions

What Was Compromised

The attack specifically targeted the update distribution system. The attackers could:

  1. Intercept user update requests
  2. Redirect to malicious servers
  3. Potentially distribute modified versions of Notepad++

How the Incident Was Discovered

The discovery did NOT come from proactive monitoring (unfortunately), but from an external security disclosure concerning anomalies in version v8.8.9.

This triggered a collaborative investigation involving:

  • The Notepad++ development team
  • External security experts
  • The hosting provider

⚠ Lesson Learned:

It was a weak signal that enabled detection. If this disclosure hadn’t occurred, the attack could have continued indefinitely. This is exactly what OWASP explains in the Top 10 2025 article: the median time to detect a supply chain attack is 83 days according to Veracode.

In Notepad++’s case, I’m talking about 6 months! 😱


Notepad++ Team’s Response

Facing this crisis, the team acted quickly and in an exemplary manner:

Infrastructure Migration

Immediate migration to a new hosting provider with reinforced security practices:

  • Environment isolation
  • Strict access controls
  • Improved logging and monitoring

WinGup Improvements

WinGup is Notepad++’s update tool. It was completely redesigned to add:

  • ✅ Mandatory SSL/TLS certificate verification
  • ✅ Package digital signature validation
  • ✅ XML signature (XMLDSig) implementation
  • ✅ Rejection of any unsigned update
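As an added example (my own code, not WinGup’s and not from this post), here is what the last two bullets look like when scripted: the publisher signs the update manifest with XMLDSig, and the client verifies it against a pinned public key before reading a single field, refusing anything unsigned, tampered with, or not even well-formed. The manifest layout, the throwaway RSA key and the function names are assumptions; the real WinGup manifest format is not reproduced here. It targets Windows PowerShell 5.1, where System.Security.dll provides System.Security.Cryptography.Xml.

```powershell
# Added example: XMLDSig-signed update manifest, signed by the publisher and
# verified client-side against a pinned key. Assumes Windows PowerShell 5.1.
Add-Type -AssemblyName System.Security

$XmlDsigNs = 'http://www.w3.org/2000/09/xmldsig#'

function New-SignedManifest {
    # Publisher side: enveloped signature over the whole document (URI "").
    param([string]$ManifestXml, [System.Security.Cryptography.RSA]$PrivateKey)
    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true
    $doc.LoadXml($ManifestXml)

    $signer = New-Object System.Security.Cryptography.Xml.SignedXml($doc)
    $signer.SigningKey = $PrivateKey
    $signer.SignedInfo.SignatureMethod = [System.Security.Cryptography.Xml.SignedXml]::XmlDsigRSASHA256Url

    $ref = New-Object System.Security.Cryptography.Xml.Reference
    $ref.Uri = ''
    $ref.DigestMethod = [System.Security.Cryptography.Xml.SignedXml]::XmlDsigSHA256Url
    $ref.AddTransform((New-Object System.Security.Cryptography.Xml.XmlDsigEnvelopedSignatureTransform))
    $signer.AddReference($ref)
    $signer.ComputeSignature()

    # No KeyInfo is embedded: the client must already know the publisher key.
    $null = $doc.DocumentElement.AppendChild($doc.ImportNode($signer.GetXml(), $true))
    return $doc.OuterXml
}

function Test-ManifestSignature {
    # Client side: returns $true only for a manifest carrying exactly one
    # Signature that verifies under the pinned publisher key.
    param([string]$SignedManifest, [System.Security.Cryptography.RSA]$PublisherPublicKey)
    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true
    try { $doc.LoadXml($SignedManifest) } catch { return $false }   # not well-formed: reject

    $sigNodes = $doc.GetElementsByTagName('Signature', $XmlDsigNs)
    if ($sigNodes.Count -ne 1) { return $false }                      # unsigned or ambiguous: reject

    $verifier = New-Object System.Security.Cryptography.Xml.SignedXml($doc)
    $verifier.LoadXml([System.Xml.XmlElement]$sigNodes.Item(0))
    # Verify against the pinned key only; a KeyInfo shipped inside the manifest is never trusted.
    return $verifier.CheckSignature($PublisherPublicKey)
}

# --- Demo with constructed data (manifest fields and key are placeholders) ---
$manifest = '<UpdateManifest><Version>8.9.1</Version>' +
            '<Location>https://example.invalid/npp.Installer.x64.exe</Location>' +
            '<Sha256>PLACEHOLDER_HASH</Sha256></UpdateManifest>'

$publisherKey = [System.Security.Cryptography.RSA]::Create()          # private key (publisher only)
$pinnedPublic = [System.Security.Cryptography.RSA]::Create()
$pinnedPublic.ImportParameters($publisherKey.ExportParameters($false))  # what the client ships with

$signed   = New-SignedManifest -ManifestXml $manifest -PrivateKey $publisherKey
$tampered = $signed -replace '<Version>8\.9\.1</Version>', '<Version>8.9.1</Version><Location>https://attacker.invalid/x.exe</Location>'

"genuine  : $(Test-ManifestSignature $signed   $pinnedPublic)"   # True
"tampered : $(Test-ManifestSignature $tampered $pinnedPublic)"   # False (digest no longer matches)
"unsigned : $(Test-ManifestSignature $manifest $pinnedPublic)"   # False (no Signature element)
```

The design point is in `Test-ManifestSignature`: the decision depends only on a key the client already holds, so a server that has been taken over, or a TLS connection that has been intercepted, can serve any manifest it likes and the client still discards it. That is the layer HTTPS alone did not provide before v8.9.1.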

Credential Rotation

  • All infrastructure access credentials were renewed
  • Mandatory multi-factor authentication (MFA) implementation
  • Revocation of old signing keys

Secured Versions

Release of patched versions:

  • v8.9.1: Includes WinGup security fixes
  • v8.9.2 (upcoming): Forced activation of signature verification

This incident is a perfect textbook case of what OWASP describes in the A03: Software Supply Chain Failures category of the Top 10 2025.

Why Does Notepad++ Perfectly Illustrate A03?

| OWASP A03 Aspect | Application to Notepad++ | Impact |
|---|---|---|
| 🔍 Code provenance | Users couldn’t verify where the update really came from | Silent redirection possible |
| 🛡️ Artifact integrity | No signature verification before v8.9.1 | Any version could be accepted |
| 🔐 Pipeline security | Compromised hosting infrastructure | Complete control over distribution |
| 🚹 Late detection | 6 months before discovery | Gigantic attack window |

What Was Missing (Before the Incident)

Applying the SLSA framework I discuss in the OWASP Top 10 2025 article, Notepad++ was roughly at SLSA 0-1:

| SLSA Level | Status Before | Status After v8.9.1 |
|---|---|---|
| SLSA 1 | ⚠ Limited documentation | ✅ Documented process |
| SLSA 2 | ❌ No signatures | ✅ GPG + XMLDSig signatures |
| SLSA 3 | ❌ Non-isolated builds | 🔄 Implementation in progress |
| SLSA 4 | ❌ No 2-person review | ❌ Not applicable (open-source) |

How to Protect Yourself as a User?

If you use Notepad++ (or any software with automatic updates), here’s what I recommend:

1. Update IMMEDIATELY to v8.9.1+

⚠ REQUIRED ACTION:

  1. Download v8.9.1 from https://notepad-plus-plus.org/
  2. Run the installer MANUALLY
  3. Verify the signature is valid
  4. Wait for v8.9.2 for forced signature activation

🔐 Signature Verification (Windows):

  1. Right-click on npp.8.9.1.Installer.x64.exe
  2. Properties → “Digital Signatures” tab
  3. Verify the signer is “Don HO” or “Notepad++”
  4. Status must be “This digital signature is OK”

If absent or invalid → DO NOT INSTALL ❌
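The same four-step check, scripted so it can be repeated on every download or dropped into a deployment script, as an added example that is not part of this post. It wraps `Get-AuthenticodeSignature`, refuses anything whose status is not `Valid` (which covers `NotSigned`, `HashMismatch` and `NotTrusted`), and then also refuses a valid signature from the wrong signer. The installer path and the expected signer names are parameters; the default names follow the post, but confirm them against the current official release yourself.

```powershell
# Added example: automate the "Digital Signatures" tab check before installing.
# Expected signer names default to those given in the post; treat them as an
# assumption to confirm against the official release.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$ExpectedSigner = @('Don HO', 'Notepad++')
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 1. Absent, broken or untrusted signature -> DO NOT INSTALL
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Install = $false
                                  Reason = "Signature status: $($sig.Status)"; Signer = $null }
    }

    # 2. A valid signature is not enough: it must come from the expected publisher.
    #    GetNameInfo(SimpleName) returns the subject CN without hand-parsing the DN.
    $cn = $sig.SignerCertificate.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $match = $ExpectedSigner | Where-Object { $cn -like "*$_*" }
    if (-not $match) {
        return [pscustomobject]@{ Path = $Path; Install = $false
                                  Reason = "Unexpected signer: $cn"; Signer = $cn }
    }

    # 3. Valid signature from the expected signer
    [pscustomobject]@{ Path = $Path; Install = $true; Reason = 'OK'; Signer = $cn
                       Thumbprint = $sig.SignerCertificate.Thumbprint }
}

# Usage (path is a placeholder): only proceed when Install is $true
$result = Test-InstallerSignature -Path "$env:USERPROFILE\Downloads\npp.8.9.1.Installer.x64.exe"
$result | Format-List
if (-not $result.Install) { Write-Warning "DO NOT INSTALL: $($result.Reason)" }
```

Record the `Thumbprint` of the first release you verify by hand: if a later installer carries a valid signature under a different certificate, that is worth a look even when the CN still matches, since an attacker who can obtain any code-signing certificate can choose a similar-looking name.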

2. Disable Automatic Updates (Temporarily)

While waiting for v8.9.2, which forces verification:

  • Settings → Preferences → Update
  • Uncheck “Enable auto-check”
  • Check manually once per month

3. Adopt a “Zero Trust” Approach

For ALL your software:

| Practice | Description | Difficulty |
|---|---|---|
| ✅ Verify signatures | Always validate before installation | Easy |
| ✅ Download from official sources | Never from third-party mirrors | Easy |
| ✅ Monitor anomalies | Unusual size, weird behavior | Medium |
| ✅ Use an SBOM | Inventory all your installed software | Difficult |
| ✅ Monitor updates | Tools like Dependabot | Medium |

How to Protect Yourself as an Organization?

If you manage a fleet of machines with Notepad++ installed:

1. Inventory and Scan

Use your fleet management tool to:

  • Identify all Notepad++ installations
  • Check installed versions
  • Scan machines to detect any suspicious activity related to Notepad++
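If your fleet tool does not already expose this, the first two bullets can be done with WinRM alone. The following is an added example (not from this post): it reads the Uninstall registry hives on each host, keeps the Notepad++ entries, and flags any version below v8.9.1 (the minimum taken from the post). The host names are constructed placeholders, and WinRM access from the machine running the script is assumed.

```powershell
# Added example: fleet inventory of Notepad++ versions over WinRM.
# Minimum version comes from the post; host list is a constructed placeholder.
$MinimumVersion = [version]'8.9.1'

function Get-NotepadPlusPlusInstall {
    # Runs on the target host: both 64-bit and 32-bit Uninstall hives.
    $hives = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Notepad++*' } |
        ForEach-Object {
            [pscustomobject]@{
                ComputerName    = $env:COMPUTERNAME
                DisplayName     = $_.DisplayName
                Version         = $_.DisplayVersion
                InstallLocation = $_.InstallLocation
            }
        }
}

function Test-NeedsUpdate {
    param([string]$InstalledVersion, [version]$Minimum = $MinimumVersion)
    # DisplayVersion may carry suffixes; compare only the leading numeric part.
    $m = [regex]::Match([string]$InstalledVersion, '^\d+(\.\d+){1,3}')
    if (-not $m.Success) { return $true }          # unparseable -> treat as out of date
    return ([version]$m.Value) -lt $Minimum
}

# Constructed host list; unreachable hosts are reported rather than silently dropped.
$hosts = @('WS-DEV-01', 'WS-DEV-02', 'SRV-ADMIN-01')
$installs = Invoke-Command -ComputerName $hosts `
                           -ScriptBlock ${function:Get-NotepadPlusPlusInstall} `
                           -ErrorAction SilentlyContinue -ErrorVariable unreachable
foreach ($e in $unreachable) { Write-Warning "Not inventoried: $($e.TargetObject) ($($e.Exception.Message))" }

$report = foreach ($i in $installs) {
    $i | Add-Member -NotePropertyName NeedsUpdate -NotePropertyValue (Test-NeedsUpdate $i.Version) -PassThru
}
$report | Sort-Object NeedsUpdate -Descending |
    Format-Table ComputerName, DisplayName, Version, NeedsUpdate, InstallLocation -AutoSize
$report | Export-Csv -Path .\npp-inventory.csv -NoTypeInformation
```

Two caveats a fleet inventory should not forget: portable (zip) copies of Notepad++ never register an Uninstall entry, so a filesystem search for `notepad++.exe` is needed to catch them, and a host missing from the report because WinRM failed is not a host without Notepad++; the warnings above exist so that gap stays visible.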

2. Controlled Deployment of v8.9.1+

  • Test first in staging environment
  • Deploy via your fleet management tool (SCCM, Intune, etc.)
  • Block old versions via GPO

3. Implement Supply Chain Controls

Apply the recommendations from the OWASP Top 10 2025 article:

A. Generate an SBOM of Your Infrastructure

Use tools like:

B. Monitor CVEs Continuously

Integrate into your SOC/SIEM:

  • Alerts on new CVEs affecting your SBOM via OpenCVE for example
  • Monitoring of Notepad++ security publications

C. Implement SLSA Level 2 Minimum

For YOUR own applications:

  • Sign all your artifacts
  • Hermetic CI/CD pipeline
  • Immutable build logs

Lessons Learned and Recommendations

For Software Developers

✅ Do’s:

  1. Cryptographically sign ALL your artifacts (executables, updates, packages)
  2. Implement client-side signature verification (don’t trust the network)
  3. Host on secure infrastructure (isolation, monitoring, MFA)
  4. Document your build chain (provenance, reproducibility)
  5. Have a supply chain incident plan (who to call? how to communicate?)

❌ Don’ts:

  1. ❌ Rely solely on HTTPS (it can be MitM’d if the infrastructure is compromised)
  2. ❌ Have a single point of control (SPOF = Single Point Of Failure)
  3. ❌ Ignore external security reports
  4. ❌ Underestimate the impact of a supply chain compromise

Conclusion: Supply Chain, A Risk That Can No Longer Be Ignored

The Notepad++ incident reminds us of an uncomfortable truth: even the most popular and “trusted” software can be compromised.

💡 The 3 Truths of Modern Supply Chain:

  1. You’re only as secure as your weakest dependency: Notepad++ was vulnerable despite clean source code, because its distribution infrastructure was compromised.

  2. Late detection is the norm, not the exception: 6 months without detection for Notepad++, 83 days on average according to Veracode. Without a weak signal, it could have lasted indefinitely.

  3. Cryptographic signing is no longer optional: it’s the BARE MINIMUM in 2026. Any unsigned artifact should be considered suspicious.

What Changes in 2026

With the OWASP Top 10 2025 placing Supply Chain at position #3, regulatory and community pressure will intensify:

  • 🇪🇺 Cyber Resilience Act (EU): Mandatory SBOM, defined correction deadlines
  • 🇪🇺 NIS2 Directive: Due diligence on suppliers, penalties up to €10M
  • 🇺🇸 Executive Order 14028: Strict requirements for US gov suppliers

It’s no longer a question of “if” you’ll be audited on your supply chain, but “when”.

“In the modern world, your application’s security depends as much on the quality of YOUR dependencies, YOUR build and runtime environment as on YOUR code.” – PandaHack (2021)

And as Notepad++ proves, even text editors aren’t spared. 🛡️


Were you impacted by the Notepad++ incident? Questions about securing your supply chain? Feel free to contact me.

