When “trusted updates” become the attack path: the Notepad++ download incident
In late 2025 (disclosed publicly in early February 2026), the update channel for Notepad++ was abused in a way every IT leader should take note of: the attackers did not need to exploit the endpoint directly; they simply got in the middle of a trusted software update flow. Reporting and the project's own notes describe selective redirection of update traffic to attacker-controlled infrastructure, so that some targets downloaded compromised executables under the guise of a normal update.
Two details matter for defenders:
– This was a supply-chain style event, but not the "modify the source code" kind. It was closer to an infrastructure / delivery-path compromise (hosting, routing, the updater's manifest flow), a pattern that is increasingly common.
– The project's response emphasized hardening verification in the updater and encouraged users to upgrade and reinstall from official sources.
How this rhymes with SolarWinds 2020 (and how it differs)
The SolarWinds Orion compromise (discovered mid-December 2020) remains the modern benchmark for "software updates as a weapon." In SolarWinds, adversaries inserted malicious code into the vendor's build process, so the update itself was legitimately built, signed and distributed by the vendor; it was simply poisoned at the source.
What's similar: both incidents share the same core pattern.
– Trusted distribution channel (automatic updates) becomes the delivery vehicle.
– Downstream victims inherit trust they did not explicitly grant.
– Selective targeting is possible even when the vendor’s user base is huge.
What’s different:
Think of these as two different choke points in the same pipeline:
– Notepad++: delivery-path compromise. Update traffic was redirected to attacker-controlled servers and manifests at the service provider's hosting or routing layer; Notepad++'s own code and build were not modified.
– SolarWinds: build-system compromise. The poisoned update carried the vendor's legitimate signature and was distributed broadly.
The executive takeaway: you can't "EDR your way out" of a poisoned trust chain, because a correctly signed update from a vendor you already trust looks legitimate to most endpoint controls. You need controls that assume updates can be hostile.
High-level steps to protect against the next “trusted update” event
1) Treat software updates as a high-risk ingress path
– Inventory what auto-updates in your environment (editors, agents, browser extensions, build tooling) and where each one fetches from.
– Tier vendors by blast radius: what privilege the software runs with, how many hosts it sits on, and what it can reach.
2) Enforce verification, not hope
– Prefer software whose updater pins a signing key and verifies both the update manifest and the downloaded binary, rather than trusting the TLS connection or the host that served them.
– Block update methods lacking integrity checks (plain HTTP, unsigned installers, hashes served from the same path as the binary).
3) Reduce blast radius by design
– Run tooling with least privilege; a text editor does not need administrative rights.
– Segment networks.
– Limit outbound connectivity for updater processes to the vendor's published hosts via proxy or egress allowlists.
4) Add supply-chain detection to your monitoring
– Watch for abnormal updater behavior: downloads from hosts outside the vendor's known set, binaries whose signature or hash does not verify, an updater spawning shells or scripts.
– Threat hunt around exposure windows: once a vendor discloses, query proxy and EDR logs for update traffic during the affected period.
5) Operationalize vendor risk, and test it
– Demand secure build practices and transparency: signed releases, published hashes, and a clear channel for incident disclosure.
– Practice vendor compromise tabletop scenarios.
6) Assume credentials are touched
– MFA everywhere, short token lifetimes, rapid rotation playbooks; a compromised tool on a developer workstation sits beside source-control, cloud and SSH credentials.
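The following is an added example, written for this page and not code from Notepad++ or from the original post, of what "enforce verification, not hope" and "limit outbound connectivity for updater processes" look like inside an updater client. Everything in it is constructed for the demo: the manifest format, the host name updates.example.org, the Ed25519 vendor key derived from a constant, and the stand-in installer bytes. The point it makes is that the updater trusts a key pinned in its own binary, not the server, DNS or TLS session that delivered the manifest, and that it re-checks the host allowlist on the final URL after any redirect, which is exactly the layer a delivery-path compromise controls.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// Manifest is a hypothetical update descriptor; the field names are assumptions.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
}

// Hosts the updater may fetch from (assumed name). Anything else, including
// the target of an HTTP redirect, is treated as hostile.
var allowedHosts = map[string]bool{"updates.example.org": true}

// verifyManifest checks the detached Ed25519 signature with a key pinned in the
// updater, then parses the JSON. The transport is not trusted for this decision.
func verifyManifest(raw, sig []byte, pub ed25519.PublicKey) (*Manifest, error) {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, raw, sig) {
		return nil, errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, fmt.Errorf("manifest malformed: %w", err)
	}
	return &m, nil
}

// checkDownloadURL enforces https and the host allowlist; apply it to the
// manifest URL and again to the final URL after any redirect.
func checkDownloadURL(rawURL string) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return fmt.Errorf("refusing non-https download %q", rawURL)
	}
	if !allowedHosts[u.Hostname()] {
		return fmt.Errorf("host %q is not an allowed update source", u.Hostname())
	}
	return nil
}

// gateUpdate runs the whole chain (signature, URL policy, hash) and returns nil
// only if payload may be installed. It never executes the payload.
func gateUpdate(rawManifest, sig []byte, pub ed25519.PublicKey, finalURL string, payload []byte) error {
	m, err := verifyManifest(rawManifest, sig, pub)
	if err != nil {
		return err
	}
	for _, u := range []string{m.URL, finalURL} {
		if err := checkDownloadURL(u); err != nil {
			return err
		}
	}
	want, err := hex.DecodeString(m.SHA256)
	got := sha256.Sum256(payload)
	if err != nil || subtle.ConstantTimeCompare(got[:], want) != 1 {
		return errors.New("binary does not match the signed manifest hash")
	}
	return nil
}

// demoVendor derives a fixed key pair from a constant so the demo is
// reproducible; a real signing key lives in an HSM, never in source.
func demoVendor() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte("constructed demo seed, not a real key"))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// signedDemoManifest plays the vendor: hash the build, describe it, sign it.
func signedDemoManifest(priv ed25519.PrivateKey, downloadURL string, payload []byte) (raw, sig []byte) {
	sum := sha256.Sum256(payload)
	raw, _ = json.Marshal(Manifest{Version: "9.9.9", URL: downloadURL, SHA256: hex.EncodeToString(sum[:])})
	return raw, ed25519.Sign(priv, raw)
}

func main() {
	pub, priv := demoVendor()
	good, goodURL := []byte("constructed stand-in for installer bytes"), "https://updates.example.org/app.exe"
	raw, sig := signedDemoManifest(priv, goodURL, good)
	// A manifest rewritten in transit to point at the attacker cannot be re-signed.
	rewritten := bytes.Replace(raw, []byte("updates.example.org"), []byte("evil.example.net"), 1)
	for _, s := range []struct{ name string; raw, sig []byte; final string; payload []byte }{
		{"legitimate update", raw, sig, goodURL, good},
		{"redirected at the delivery path", raw, sig, "https://evil.example.net/app.exe", good},
		{"binary swapped on the server", raw, sig, goodURL, []byte("trojanised build")},
		{"manifest rewritten in transit", rewritten, sig, "https://evil.example.net/app.exe", good},
	} {
		fmt.Printf("%-32s -> %v\n", s.name, gateUpdate(s.raw, s.sig, pub, s.final, s.payload))
	}
}
```

Running it prints `<nil>` for the legitimate case and an error for the three hostile ones. The two checks that would have mattered in a delivery-path redirection are the pinned-key signature (a manifest rewritten to point elsewhere cannot be re-signed) and re-applying the host allowlist to the final URL after redirects, which is also where an egress proxy allowlist belongs on the network side.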
In closing –
Notepad++ is a reminder that supply-chain attacks aren't only "SolarWinds-scale" mega-events. Sometimes a small, trusted tool (a text editor, a browser extension, a command-line utility) becomes the path of least resistance. SolarWinds taught us that attackers will compromise the factory; Notepad++ underscores that they'll also compromise the loading dock. Your defense program has to cover both.
by: Adam John

