If you use third-party software on your computers, and most businesses do, this week’s Notepad++ incident should make you uncomfortable. Not surprised. Uncomfortable.
Notepad++, one of the most widely used text editors in the world, quietly delivered malware instead of updates for six months. From June through December 2025, users who clicked “Update” were sometimes installing spyware instead of a patch.
No pop-ups.
No warnings.
No antivirus screaming.
Just blind trust… rewarded with compromise.
According to a detailed breakdown from Ethical Hacking researchers, the attackers didn’t even hack Notepad++ itself. They compromised the hosting provider, intercepted update traffic, and swapped legitimate installers with malicious ones. Millions of users. About 80,000 downloads per day. All running on cheap shared hosting.
That alone should make every IT decision-maker pause.
“Notepad++, a tool downloaded 80,000 times per day, was running on a cheap shared hosting plan. Not a dedicated server. Not a VPS with proper isolation.”
Source: Ethical Hacking analysis
This Is What a Supply Chain Attack Looks Like Now
This wasn’t smash-and-grab malware. This was hands-on-keyboard espionage.
Researchers found that once installed, the malware:
- Mapped network connections
- Enumerated users and privileges
- Collected system and domain info
- Uploaded reconnaissance data to external servers
In other words, this wasn’t targeting gamers or hobbyists. It hit telecom and financial organizations first. Businesses.
And here’s the uncomfortable truth:
The updater executed the malware because it was designed to trust updates without verification.
No certificate validation.
No signature checking.
Just “download and run.”
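To make “download and run” versus verified updates concrete, here is an added example (not Notepad++’s own updater code, whose internals the article does not describe) written in Go with the standard library’s Ed25519 and SHA-256. The manifest layout, the in-process key generation, the installer byte strings and the version label are all constructed assumptions; in a real client the publisher’s public key is compiled into the binary and the private key never leaves the publisher.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the publisher's statement of which installer is legitimate. The layout is
// constructed for this example; the article does not describe the real updater's format.
type Manifest struct {
	Version   string
	SHA256Hex string
}

// Bytes is the exact byte string the publisher signs and the client verifies. A fixed
// layout (rather than re-encoded JSON) keeps both sides working on identical bytes.
func (m Manifest) Bytes() []byte {
	return []byte("version=" + m.Version + "\nsha256=" + m.SHA256Hex + "\n")
}

func hashHex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// signManifest runs on the publisher's side only; the private key never ships to clients.
func signManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Bytes())
}

// unsafeUpdate is "download and run": whatever the download host serves becomes the update.
func unsafeUpdate(installer []byte) ([]byte, error) {
	return installer, nil
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned publisher key")
	ErrHashMismatch = errors.New("installer SHA-256 does not match the signed manifest")
)

// verifiedUpdate accepts the installer only if the manifest carries a valid signature from
// the key pinned in the client AND the installer hashes to the value in that manifest.
// A compromised host can swap the file, or rewrite the manifest, but cannot sign the
// rewritten manifest without the publisher's private key.
func verifiedUpdate(pub ed25519.PublicKey, m Manifest, sig, installer []byte) ([]byte, error) {
	if !ed25519.Verify(pub, m.Bytes(), sig) {
		return nil, ErrBadSignature
	}
	if hashHex(installer) != m.SHA256Hex {
		return nil, ErrHashMismatch
	}
	return installer, nil
}

// simulateHostCompromise plays out three downloads against one pinned key and returns the
// verifier's verdict for each: the genuine installer, a swapped installer served with the
// genuine manifest, and a swapped installer served with a manifest the attacker rewrote.
func simulateHostCompromise() (genuineErr, swappedErr, forgedErr error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // publisher keypair; pub is pinned in the client
	if err != nil {
		return err, err, err
	}
	genuine := []byte("MZ...constructed stand-in for the real installer bytes...")
	manifest := Manifest{Version: "1.0-example", SHA256Hex: hashHex(genuine)}
	sig := signManifest(priv, manifest)

	// 1. Untouched download: signature valid, hash matches.
	_, genuineErr = verifiedUpdate(pub, manifest, sig, genuine)

	// 2. Host swaps the file but leaves the manifest alone (the hosting-compromise scenario): hash fails.
	swapped := []byte("MZ...constructed stand-in for a trojanised installer...")
	_, swappedErr = verifiedUpdate(pub, manifest, sig, swapped)

	// 3. Host also rewrites the manifest to match the swapped file: signature fails.
	forged := Manifest{Version: manifest.Version, SHA256Hex: hashHex(swapped)}
	_, forgedErr = verifiedUpdate(pub, forged, sig, swapped)
	return
}

func main() {
	g, s, f := simulateHostCompromise()
	fmt.Println("genuine installer:", g) // <nil>
	fmt.Println("swapped installer:", s) // installer SHA-256 does not match the signed manifest
	fmt.Println("forged manifest:  ", f) // manifest signature does not verify against the pinned publisher key
	b, _ := unsafeUpdate([]byte("anything"))
	fmt.Printf("unsafeUpdate accepted %d bytes without checking them\n", len(b))
}
```

Two caveats matter as much as the check itself. The public key has to ship inside the code-signed client, not be fetched from the same host as the installer, or the host compromise covers it too. And the manifest should carry the version so the client can refuse a “downgrade” to an older, correctly signed but vulnerable release; an attacker who can replace files on a mirror can just as easily serve last year’s installer.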
“But That Would Never Happen With Antivirus Software”… Right?
Wrong.
eScan antivirus did the exact same thing.
Earlier this year, attackers compromised eScan’s update servers and pushed malware through their legitimate update infrastructure.
“Malicious updates were distributed through eScan’s legitimate update infrastructure, resulting in the deployment of multi-stage malware to enterprise and consumer endpoints globally.”
Source: The Hacker News
Even better?
This wasn’t their first time.
Two years ago, eScan had already been hit the same way: updates were hijacked because downloads weren’t signed or properly secured.
“The issue, which went unnoticed for at least five years, has been rectified as of July 31, 2023.”
Source: The Hacker News
Same vendor.
Same mistake.
Same result.
Why This Wrecks Small Businesses First
Large enterprises have layered controls. Change management. Staged updates. Endpoint policies. Monitoring.
Small businesses usually have:
- Consumer or prosumer software
- Auto-updates enabled
- Employees clicking “Update Now” when prompted
- No visibility into what just changed
- No rollback plan
- No incident response
If a developer tool updates itself and installs spyware at SYSTEM level, nobody notices until something breaks… or data starts leaving the building.
And when that happens, the question is never:
“How did this happen?”
It’s always:
“Why didn’t anyone stop it?”
This Is Exactly Why Managed IT Exists
Managed IT isn’t about babysitting computers. It’s about controlling blast radius.
In a managed environment:
- Updates are approved, staged, and tested
- Consumer software is restricted or removed
- Auto-updaters are disabled or controlled
- Endpoints are monitored for abnormal behavior
- Supply chain risks are part of the threat model
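What “monitored for abnormal behavior” can mean in practice, tied to the reconnaissance steps listed earlier (mapping connections, enumerating users and privileges, collecting system and domain info): an added example in Go, not part of the article or of any vendor’s product, that runs a simple rule over constructed process-creation events. The rule flags an updater whose descendants run two or more distinct discovery categories. The event format, the PIDs, and the updater name “updater.exe” are constructed stand-ins; the Windows utilities named are real built-ins.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// ProcEvent is a minimal process-creation record (constructed format for this example).
type ProcEvent struct {
	PID         int
	ParentPID   int
	ParentImage string
	Image       string
}

// discoveryCategory maps Windows built-ins to the reconnaissance steps the article
// attributes to the implant. Anything not listed is treated as benign here.
var discoveryCategory = map[string]string{
	"netstat.exe":    "network-connections",
	"whoami.exe":     "user-and-privilege-enum",
	"systeminfo.exe": "system-and-domain-info",
	"nltest.exe":     "system-and-domain-info",
}

// isUpdater is the site policy hook. "updater.exe" is a constructed stand-in; a real rule
// would list the updater executables your fleet is actually allowed to run.
func isUpdater(image string) bool {
	return strings.EqualFold(image, "updater.exe")
}

// updaterRoot walks ev's ancestry (reconstructed from the events themselves) and returns
// the PID of the nearest updater process, or 0 if no updater appears in the chain.
func updaterRoot(ev ProcEvent, byPID map[int]ProcEvent) int {
	cur := ev
	for depth := 0; depth < 32; depth++ { // bounded walk: PID reuse can make chains loop
		if isUpdater(cur.ParentImage) {
			return cur.ParentPID
		}
		parent, ok := byPID[cur.ParentPID]
		if !ok {
			return 0
		}
		cur = parent
	}
	return 0
}

// findSuspiciousUpdates returns, per updater PID, the sorted discovery categories seen among
// its descendants, keeping only updaters with two or more. An update writes files; it has
// no reason to enumerate users, domains and connections.
func findSuspiciousUpdates(events []ProcEvent) map[int][]string {
	byPID := make(map[int]ProcEvent, len(events))
	for _, ev := range events {
		byPID[ev.PID] = ev
	}
	seen := map[int]map[string]bool{}
	for _, ev := range events {
		cat, ok := discoveryCategory[strings.ToLower(ev.Image)]
		if !ok {
			continue
		}
		root := updaterRoot(ev, byPID)
		if root == 0 {
			continue
		}
		if seen[root] == nil {
			seen[root] = map[string]bool{}
		}
		seen[root][cat] = true
	}
	alerts := map[int][]string{}
	for root, cats := range seen {
		if len(cats) < 2 {
			continue
		}
		list := make([]string, 0, len(cats))
		for c := range cats {
			list = append(list, c)
		}
		sort.Strings(list)
		alerts[root] = list
	}
	return alerts
}

// sampleEvents is a constructed timeline: updater PID 100 runs a clean install; updater
// PID 200's installer spawns the discovery chain the article describes; PIDs 300+ are a
// user typing a discovery command into an ordinary shell (no updater in the ancestry).
var sampleEvents = []ProcEvent{
	{PID: 101, ParentPID: 100, ParentImage: "updater.exe", Image: "installer.exe"},
	{PID: 201, ParentPID: 200, ParentImage: "updater.exe", Image: "installer.exe"},
	{PID: 202, ParentPID: 201, ParentImage: "installer.exe", Image: "cmd.exe"},
	{PID: 203, ParentPID: 202, ParentImage: "cmd.exe", Image: "whoami.exe"},
	{PID: 204, ParentPID: 201, ParentImage: "installer.exe", Image: "netstat.exe"},
	{PID: 205, ParentPID: 201, ParentImage: "installer.exe", Image: "nltest.exe"},
	{PID: 301, ParentPID: 300, ParentImage: "explorer.exe", Image: "cmd.exe"},
	{PID: 302, ParentPID: 301, ParentImage: "cmd.exe", Image: "whoami.exe"},
}

func main() {
	for pid, cats := range findSuspiciousUpdates(sampleEvents) {
		fmt.Printf("ALERT: updater PID %d spawned reconnaissance: %s\n", pid, strings.Join(cats, ", "))
	}
}
```

The ancestry walk is the part that matters: the implant never runs as the updater itself, it runs as the installer the updater launched, so a rule keyed only on the direct parent would miss it. Requiring two distinct categories keeps a single legitimate `whoami` during setup from paging anyone.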
When updates are unmanaged, every workstation becomes a trust exercise. And attackers love trust.
Supply chain attacks are now one of the fastest-growing threat vectors. The OWASP Top 10 ranks software supply chain failures as one of the biggest security risks today. The logic is simple:
Why attack 1,000 businesses individually
when you can compromise one update server and reach them all?
The Takeaway
Notepad++ fixed the issue. They moved hosting, added certificate verification, and forced updates through GitHub. The immediate threat is gone.
That’s not the point.
The point is this:
If updates are installing without oversight, your business is one bad click away from compromise.
And the smaller you are, the harder you get hit.
If you don’t have someone managing what runs on your systems, when it updates, and how it updates… you’re outsourcing trust to whoever controls the next patch server.
That’s not security.
That’s hope.
And hope is not a strategy.
Hire somebody to manage your systems now, before you’re hiring someone to fix them later. Reputation, PII exposure, and lost revenue can’t be fixed.