Notepad++ supply chain compromise: Trojanized updates used in suspected nation-state attack
ID: 426b5994-bb7a-57b0-a3d9-4eb35ecdc99d
STIX ID: report--426b5994-bb7a-57b0-a3d9-4eb35ecdc99d
Feed Name: ThreatLocker Blog
On February 2, 2026, Notepad++ disclosed a supply-chain compromise in which adversaries hijacked the WinGUP updater to deliver trojanized installers (observed in versions 8.8.2–8.8.9); the malicious AutoUpdater.exe performed host reconnaissance, wrote data to a.txt and used a rogue curl.exe to exfiltrate that data to temp.sh. Reporting links the operation to Chinese state-sponsored APTs, notes a six-month dwell time, and recommends mitigations such as application allowlisting, ringfencing, manual updates from official sources, and updating to Notepad++ 8.9.1.
