Critical Alert: Notepad++ Supply Chain Attack & The ShadowPad Malware

Motaz Hefny
February 03, 2026
6 min read

✨ The "Infrastructure-Level" Hijack

Today (February 03, 2026), reports have intensified regarding a massive security breach involving Notepad++, the world's most popular open-source code editor. Unlike typical hacks, this was not a bug in the software code but a sophisticated Supply Chain Attack targeting the update delivery mechanism itself.

🔹 What Actually Happened?

From June 2025 to December 2, 2025, state-sponsored actors hijacked the content delivery server hosting notepad-plus-plus.org. By compromising the shared hosting credentials, they were able to:

  • Intercept Traffic: View requests from users checking for updates.
  • Selective Targeting: Serving legitimate updates to 99% of users while delivering "poisoned" binaries to specific high-value targets.
  • Persist: The attackers maintained access even after initial server maintenance in September, finally being locked out only in December.

💡 "This is the nightmare scenario. You didn't download a virus; you clicked 'Update' on a trusted tool, and the official server handed you malware."

🔹 The ShadowPad Connection

Security researchers and community reports (including the recent breakdown by SomeOrdinaryGamers) have linked the malware payload to ShadowPad.

ShadowPad is a modular backdoor notoriously associated with APT31 (Violet Typhoon), a threat actor group linked to Chinese state espionage. It allows attackers to gain full remote control, exfiltrate data, and install further plugins silently. What makes ShadowPad particularly dangerous is its modularity; the initial infection is often just a lightweight loader. Once confirmed inside a high-value network, the attackers push additional modules for keylogging, screen capture, or lateral movement.

🔹 Deep Dive: The DLL Hijacking Mechanism

The attack utilized a classic yet effective technique known as DLL Search Order Hijacking. The poisoned Notepad++ installer included a legitimate executable signed by the developer, but dropped a malicious DLL file (libcurl.dll) alongside it. When Notepad++ launched, it unwittingly loaded this malicious library instead of the system version.

This technique bypasses many basic antivirus checks because the process initiating the action (Notepad++.exe) is trusted and digitally signed. The malicious code runs within the memory space of the trusted application, granting it the same permissions and network access. For developers running Notepad++ with administrative privileges (often required for editing system files), this effectively gave the attackers root access to the machine.

🔹 Developer Hygiene: Improving Your Security Posture

This incident serves as a wake-up call for the development community. We can no longer blindly trust auto-updaters, even from open-source projects we love. To protect your development environment in 2026, consider these hardened practices:

  • Validation: Always verify the SHA-256 checksum of downloaded installers against the official repository, not just the website listing.
  • Isolation: Run your development tools in a sandboxed environment or a dedicated VM, particularly when working on sensitive codebases.
  • Least Privilege: Never run your code editor as Administrator unless absolutely necessary for a specific task.
  • Network Monitoring: Use tools like Little Snitch or GlassWire to monitor outbound connections from your development tools. A code editor shouldn't be connecting to unknown IPs in Asia or Eastern Europe.
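The first item on that list, checksum validation, is easy to get subtly wrong (comparing against a digest copied from the same compromised page, or matching a digest to the wrong filename). The following Python script is an added example, not code from the article or from the Notepad++ project: it parses a sha256sum-style checksum list, streams the installer through SHA-256, and accepts the file only if the digest published for that exact filename matches. The installer bytes, the checksum list and the file names are all constructed stand-ins; in practice the checksum text comes from the project's repository or release page, fetched independently of the download itself.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so a large installer never has to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_checksum_list(text: str) -> dict[str, str]:
    """Parse 'sha256hex  filename' lines (the sha256sum output format) into {basename: hex}.

    Lines that are not a 64-hex-character digest followed by a name are ignored, a leading
    '*' (sha256sum binary mode) is dropped, and names are reduced to their basename so a
    list written as './dist/npp.exe' still matches the file you downloaded.
    """
    expected = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            continue
        expected[os.path.basename(name.lstrip("*"))] = digest
    return expected


def verify_installer(path: Path, checksum_text: str) -> tuple[bool, str]:
    """Return (accepted, reason). A file with no published digest is rejected, not trusted."""
    expected = parse_checksum_list(checksum_text)
    want = expected.get(path.name)
    if want is None:
        return False, f"{path.name} is not listed in the checksum file"
    got = sha256_file(path)
    # compare_digest is the habitual way to compare secrets/digests; harmless here, good habit.
    if hmac.compare_digest(got, want):
        return True, "sha256 matches the published value"
    return False, f"sha256 mismatch: got {got}, expected {want}"


def demo() -> dict[str, bool]:
    """Construct an 'installer' plus a checksum list, then check a genuine, a tampered and an unlisted file."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "npp.installer.exe"
        good.write_bytes(b"constructed installer bytes, not a real Notepad++ build")
        # Stand-in for the digest you would copy from the project's repository or release page.
        published = f"{sha256_file(good)}  npp.installer.exe\n"

        # Same filename served from a second location, with extra bytes appended.
        mirror = Path(tmp) / "mirror"
        mirror.mkdir()
        tampered = mirror / "npp.installer.exe"
        tampered.write_bytes(good.read_bytes() + b"\x00 constructed appended bytes")

        unlisted = Path(tmp) / "plugin.zip"
        unlisted.write_bytes(b"constructed file with no published digest")

        return {
            "genuine": verify_installer(good, published)[0],
            "tampered": verify_installer(tampered, published)[0],
            "unlisted": verify_installer(unlisted, published)[0],
        }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'ACCEPT' if accepted else 'REJECT'}")
```

Rejecting an unlisted file (rather than skipping the check) is the design choice that matters: a downloader that only verifies files it happens to find in the list quietly accepts anything the list does not mention.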

✨ How to Detect and Remove ShadowPad

ShadowPad is stealthy, but it leaves traces. If you suspect your machine is compromised, check for these Indicators of Compromise (IoCs):

  • File System: Check %APPDATA%\Notepad++\plugins for a hidden folder named config containing libcurl.dll (the malicious payload).
  • Registry Keys: Look for HKCU\Software\Microsoft\Windows\CurrentVersion\Run entries pointing to obscure executables in %AppData%.
  • Network Traffic: Monitor for recurring DNS requests to dynamic DNS domains (e.g., *.duckdns.org) or unexpected TCP connections on port 443 to non-standard IPs.
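The three IoC categories above can be turned into a small triage script. What follows is an added example written for this page, not tooling from the article, from Notepad++ or from any vendor: it scans a Notepad++ install tree for DLLs under plugins\config, flags Run-key entries whose command line is rooted in a user-writable profile directory, and counts repeated DNS queries to dynamic-DNS names. The install tree, the Run-key export and the DNS log lines are all constructed; the log line shape ("<date> <time> query: <name> type <rrtype>") is an assumption, so adapt the regular expression to your resolver's real format, and the list of dynamic-DNS suffixes beyond *.duckdns.org is mine, not the article's.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# Dynamic-DNS suffixes: the one named in the article plus a few other widely used
# providers (assumption; extend with whatever your own DNS telemetry shows).
DYNAMIC_DNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net", ".hopto.org")

# Substrings that mean a Run-key command launches from a user-writable profile location.
USER_WRITABLE_MARKERS = ("%appdata%", "%localappdata%", "%temp%", "\\appdata\\", "\\temp\\")

# Constructed log line shape: "<date> <time> query: <name> type <rrtype>". Adapt to your
# real source (Windows DNS Client ETW, Sysmon Event ID 22, resolver logs, ...).
DNS_QUERY = re.compile(r"query:\s+(?P<qname>[A-Za-z0-9.\-]+)\s", re.IGNORECASE)


def suspicious_plugin_dlls(install_dir: Path) -> list[str]:
    """plugins\\config should hold configuration files only; any DLL there, libcurl.dll
    included, deserves a second look. Returns install-relative paths."""
    config_dir = install_dir / "plugins" / "config"
    if not config_dir.is_dir():
        return []
    return sorted(
        p.relative_to(install_dir).as_posix()
        for p in config_dir.rglob("*")
        if p.is_file() and p.suffix.lower() == ".dll"
    )


def suspicious_run_entries(entries: dict[str, str]) -> list[tuple[str, str]]:
    """entries maps a Run value name to its command line (e.g. an export of
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run). Flag commands rooted in
    %AppData%, %LocalAppData% or %Temp%, where a legitimate autostart rarely lives."""
    flagged = []
    for name, command in entries.items():
        lowered = command.lower()
        if any(marker in lowered for marker in USER_WRITABLE_MARKERS):
            flagged.append((name, command))
    return flagged


def recurring_dynamic_dns(log_lines) -> dict[str, int]:
    """Count queries to dynamic-DNS names; a beacon shows up as the same name repeating."""
    hits = Counter()
    for line in log_lines:
        match = DNS_QUERY.search(line)
        if match is None:
            continue
        qname = match.group("qname").rstrip(".").lower()
        if qname.endswith(DYNAMIC_DNS_SUFFIXES):
            hits[qname] += 1
    return dict(hits)


# Constructed samples: benign entries next to the kind of entry the article describes.
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "svchost32": r"C:\Users\dev\AppData\Roaming\svc\svchost32.exe",
    "NppUpdate": r'"%AppData%\Notepad++\plugins\config\updater.exe" /quiet',
}

SAMPLE_DNS_LOG = """\
2025-11-14 09:12:03 query: login.microsoftonline.com type A
2025-11-14 09:12:07 query: notepad-plus-plus.org type A
2025-11-14 09:12:41 query: cdn-sync-4721.duckdns.org type A
2025-11-14 09:47:41 query: cdn-sync-4721.duckdns.org type A
2025-11-14 10:03:15 query: github.com type AAAA
""".splitlines()


def demo() -> dict:
    """Build a constructed Notepad++ install tree and run all three checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "plugins" / "mimeTools").mkdir(parents=True)
        (root / "plugins" / "mimeTools" / "mimeTools.dll").write_bytes(b"constructed plugin")
        (root / "plugins" / "config").mkdir()
        (root / "plugins" / "config" / "config.xml").write_text("<NotepadPlus/>")
        (root / "plugins" / "config" / "libcurl.dll").write_bytes(b"constructed suspect file")
        dlls = suspicious_plugin_dlls(root)
    return {
        "dlls": dlls,
        "run": [name for name, _ in suspicious_run_entries(SAMPLE_RUN_ENTRIES)],
        "dns": recurring_dynamic_dns(SAMPLE_DNS_LOG),
    }


if __name__ == "__main__":
    for kind, hits in demo().items():
        print(f"{kind}: {hits}")
```

On a real workstation you would point suspicious_plugin_dlls at the actual install directory and feed suspicious_run_entries the values read from the Run key; the DNS counter is most useful over a day or more of logs, since the repetition is the signal, not a single lookup.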

Removal Steps:

  1. Disconnect the machine from the network immediately.
  2. Boot into Safe Mode.
  3. Delete the entire Notepad++ installation directory.
  4. Run a full scan with a reputable EDR solution (CrowdStrike, SentinelOne, or Microsoft Defender for Endpoint).
  5. Crucial: Rotate all credentials (SSH keys, API tokens, passwords) stored on that machine. ShadowPad creates a persistence backdoor, so simple cleanup isn't enough—assume credentials are burned.

🔹 Technical Mitigation: The Role of SBOMs

To prevent future supply chain attacks, the industry is accelerating the adoption of Software Bill of Materials (SBOM). An SBOM is a machine-readable inventory of all components, libraries, and modules that make up a piece of software. Had this structure been in place and verified against a trusted signature database, the injection of libcurl.dll would have triggered an immediate checksum mismatch.

Organizations using tools like CycloneDX or SPDX can now automatically scan their developer workstations for unauthorized binaries. If you are a CTO or Security Architect, mandating SBOM verification for all developer tools—yes, even text editors—is no longer optional; it is a critical defense layer.
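To make the "checksum mismatch" argument concrete, here is an added example (written for this page, not code from the article, from Notepad++, or from the CycloneDX or SPDX projects) that builds a minimal CycloneDX-shaped SBOM from a known-good install tree and then verifies a workstation's copy against it. It reports four classes: hashes that match, hashes that differ, binaries present on disk but absent from the SBOM (the injected-DLL case from this article), and listed binaries that are missing. The install tree, component names and version string are constructed; only the components[].name and components[].hashes[].alg/content fields of the CycloneDX schema are assumed.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Only executable code is inventoried here; extend the set if your SBOM also covers scripts.
BINARY_SUFFIXES = {".exe", ".dll"}


def file_sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def binaries(install_dir: Path):
    """Yield (install-relative posix path, Path) for every .exe/.dll under install_dir."""
    for path in sorted(install_dir.rglob("*")):
        if path.is_file() and path.suffix.lower() in BINARY_SUFFIXES:
            yield path.relative_to(install_dir).as_posix(), path


def build_sbom(install_dir: Path, app_name: str, version: str) -> dict:
    """Produce a minimal CycloneDX-shaped document from a known-good tree, i.e. what a
    vendor would publish alongside a release. Only fields used by verify_install are emitted."""
    components = [
        {"type": "file", "name": rel,
         "hashes": [{"alg": "SHA-256", "content": file_sha256(path)}]}
        for rel, path in binaries(install_dir)
    ]
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"type": "application", "name": app_name, "version": version}},
        "components": components,
    }


def expected_hashes(sbom: dict) -> dict[str, str]:
    """Map component name -> SHA-256 from the SBOM, ignoring other hash algorithms."""
    expected = {}
    for comp in sbom.get("components", []):
        for entry in comp.get("hashes", []):
            if entry.get("alg", "").upper() == "SHA-256":
                expected[comp["name"].replace("\\", "/")] = entry["content"].lower()
    return expected


def verify_install(install_dir: Path, sbom: dict) -> dict[str, list[str]]:
    """Classify every binary on disk: ok / mismatch (hash differs) / unlisted (on disk,
    absent from the SBOM: the injected-DLL case) / missing (in the SBOM, not on disk)."""
    expected = expected_hashes(sbom)
    report = {"ok": [], "mismatch": [], "unlisted": [], "missing": []}
    seen = set()
    for rel, path in binaries(install_dir):
        seen.add(rel)
        if rel not in expected:
            report["unlisted"].append(rel)
        elif file_sha256(path) == expected[rel]:
            report["ok"].append(rel)
        else:
            report["mismatch"].append(rel)
    report["missing"] = sorted(set(expected) - seen)
    return report


def demo() -> tuple[dict, dict]:
    """Constructed clean tree -> SBOM -> verify; then add a DLL and alter a plugin and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notepad++.exe").write_bytes(b"constructed editor binary")
        (root / "plugins" / "mimeTools").mkdir(parents=True)
        (root / "plugins" / "mimeTools" / "mimeTools.dll").write_bytes(b"constructed plugin")
        (root / "plugins" / "config").mkdir()
        (root / "plugins" / "config" / "config.xml").write_text("<NotepadPlus/>")

        # Serialise and reload to show the SBOM is just a machine-readable JSON document.
        sbom = json.loads(json.dumps(build_sbom(root, "notepad++", "0.0.0-constructed")))
        clean = verify_install(root, sbom)

        # Simulate the article's scenario: an extra libcurl.dll plus a modified plugin.
        (root / "plugins" / "config" / "libcurl.dll").write_bytes(b"constructed unexpected DLL")
        (root / "plugins" / "mimeTools" / "mimeTools.dll").write_bytes(b"constructed plugin, altered")
        tampered = verify_install(root, sbom)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean:", clean)
    print("tampered:", tampered)
```

The "unlisted" class is the one a plain hash check misses: a file the SBOM never mentioned has no expected digest to mismatch, so an inventory-based verifier must treat "not in the SBOM" as a finding in its own right rather than skipping it.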

🔹 Global Reaction and Fallout

The breach has sent shockwaves through the tech world. GitHub has revoked the signing keys associated with the compromised versions, and Microsoft's Defender team has pushed a signature update (Version 1.403.22) specifically targeting the ShadowPad loader dropped by the Notepad++ installer. The Notepad++ maintainer, Don Ho, has released version 8.6.3 with a hardened update mechanism that now requires dual-signature verification before applying patches.

✨ The Future of Open Source Security

This attack highlights a systemic fragility in the open-source ecosystem. Projects like Notepad++ are often maintained by small teams (or single individuals) who lack the resources for enterprise-grade infrastructure security.

🔹 The Rise of SBOMs

We are moving towards a world where a Software Bill of Materials (SBOM) will be mandatory for every deployment. Tools like Sigstore and frameworks like SLSA (Supply-chain Levels for Software Artifacts) are becoming the new standard. Developers need to start verifying the entire chain of custody for their tools, not just the final binary.

🔹 Are You Safe?

The attack was highly selective. If you work in critical infrastructure, finance, or telecommunications, you were the likely target. However, certainty is better than hope.

🔹 Immediate Actions Required

  • Update Immediately: The developer (Don Ho) has released Version 8.9.1, which runs on untainted infrastructure and uses hardened signature verification.
  • Verify Signatures: Ensure your installer is digitally signed by "Notepad++". If the UAC prompt shows "Unknown Publisher," DELETE IT.
  • Scan Your System: If you updated during late 2025, run a full endpoint detection scan looking for ShadowPad indicators.

Sources:
- Notepad++ Official Incident Report
- The Hacker News Coverage

About the Author

Founder of MotekLab | Senior Identity & Security Engineer

Motaz is a Senior Engineer specializing in Identity, Authentication, and Cloud Security for the enterprise tech industry. As the Founder of MotekLab, he bridges human intelligence with AI, building privacy-first tools like Fahhim to empower creators worldwide.
