Emergency Security Bulletin: Active Supply Chain Compromise of Notepad++ Installer and Update Mechanism


By: RedLegg's Cyber Threat Intelligence Team

About:

Chinese state-linked threat actors compromised the installer and update mechanism of the Notepad++ project, injecting malicious code into Windows installer binaries distributed through official channels. The implanted backdoor enables arbitrary code execution and establishes outbound communication with attacker-controlled infrastructure, giving the operators remote command execution and the potential for full system compromise. The activity has been confirmed as actively exploited in the wild and constitutes a high-impact supply chain attack against developer and end-user environments.

RedLegg occasionally issues bulletins outside its usual release schedule to provide additional value to customers. These emergency bulletins cover vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation.


VULNERABILITIES

Active Supply Chain Compromise of Notepad++ Installer and Update Mechanism

Exploit or POC: This activity was actively exploited in the wild.

Update: The Notepad++ project has remediated the issue and released clean, verified installers.

Severity: Critical

Required upgrade path: All users should upgrade to Notepad++ version 8.8.9 or later.

Official release site:

Description:

Chinese state-linked threat actors compromised the Notepad++ update and installer process, injecting a backdoor into Windows installer binaries distributed through official channels. The malicious code enables arbitrary code execution on affected hosts and outbound communication to attacker-controlled infrastructure, through which the operators can issue remote commands.


Mitigation Recommendation

Immediately uninstall any potentially affected version of Notepad++ and perform a clean installation of version 8.8.9 or later, downloaded directly from the official project site rather than from cached or mirrored copies. Verify the digital signature of the downloaded installer, and compare its hash with any value published by the project, before running it. Because the implanted backdoor provides remote command execution, a host that ran a compromised installer may already be under attacker control; treat such hosts as potentially compromised and investigate for persistence and outbound connections to unfamiliar infrastructure rather than relying on reinstallation alone.
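As an added example (not from this bulletin or from the Notepad++ project), the following PowerShell inventories installed Notepad++ copies that sit below the 8.8.9 upgrade floor and checks a downloaded installer's Authenticode signature and SHA-256 before it is run. The installer path and the placeholder signer subject are assumptions; confirm the real signing details and release hashes against the project's own publication before relying on the result.

```powershell
# Added example: not part of the RedLegg bulletin or the Notepad++ project.
# Assumptions (not stated on the page): the installer path below is hypothetical,
# and the expected signer subject is a placeholder that must be replaced with the
# subject of the project's real code-signing certificate.

$MinimumCleanVersion = [version]'8.8.9'   # upgrade floor from the bulletin

function Get-NotepadPlusPlusInstalls {
    # Enumerate installed Notepad++ copies from the Uninstall registry keys
    # (64-bit, 32-bit/WOW64 and per-user views) and flag any below the upgrade floor.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Notepad++*' -and $_.DisplayVersion } |
        ForEach-Object {
            # Cast to [version] so "8.8.10" compares numerically, not as a string.
            $installed = [version]($_.DisplayVersion -replace '[^\d.]', '')
            [pscustomobject]@{
                DisplayName     = $_.DisplayName
                Version         = $installed
                InstallLocation = $_.InstallLocation
                UpgradeRequired = ($installed -lt $MinimumCleanVersion)
            }
        }
}

function Test-NotepadPlusPlusInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Placeholder: replace with the subject string of the project's real signing certificate.
        [string] $ExpectedSignerSubject = 'CN=REPLACE-WITH-PUBLISHED-SIGNER'
    )
    # Authenticode status answers "signed by a trusted chain and unmodified since signing";
    # the published SHA-256 answers "this is the exact build the project shipped".
    # Check both: a valid signature alone does not prove you hold the remediated release.
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = $sig.Status
        SignerSubject   = $subject
        SignerMatches   = ($subject -eq $ExpectedSignerSubject)
        SHA256          = $hash   # compare with the value published on the release page
        SafeToRun       = ($sig.Status -eq 'Valid' -and $subject -eq $ExpectedSignerSubject)
    }
}

# Usage: list installs needing an upgrade, then vet the freshly downloaded installer.
Get-NotepadPlusPlusInstalls | Format-Table -AutoSize

$installer = 'C:\Temp\npp.8.8.9.Installer.x64.exe'   # hypothetical download path
if (Test-Path $installer) {
    $check = Test-NotepadPlusPlusInstaller -Path $installer
    $check | Format-List
    if (-not $check.SafeToRun) {
        Write-Warning 'Do not run this installer until its signature and published hash are verified.'
    }
}
```

Run the inventory across the fleet through your endpoint management tooling rather than host by host; the registry keys it reads are the same ones the Windows "Apps and features" list is built from, so a copy installed per-user or under the 32-bit view is still found.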