Notepad++ Plugins: Plug and Payload

ID: 022c9622-af9a-5361-b842-0dc7b43aeff6

STIX ID: report--022c9622-af9a-5361-b842-0dc7b43aeff6

Feed Name: TrustedSec blog

Threat Score: 70/100

Date Published: 2026-02-19

Date Updated: 2026-05-01

This report analyzes a Notepad++ supply-chain/installer compromise and demonstrates how attackers can weaponize Notepad++ plugins—including creating malicious DLL plugins, reflectively loading DLLs via the PythonScript plugin (upgraded to Python 3), and installing offline Python packages—to achieve arbitrary code execution. It highlights attacker tradeoffs (dropping unsigned DLLs vs. abusing trusted plugins), provides proof-of-concept techniques and tooling, and recommends mitigations such as application control restricting notepad++.exe to Program Files, monitoring network connections from Notepad++, and removing Notepad++ where feasible.
