A serious cybersecurity incident has come to light involving Notepad++, one of the world’s most popular free text editors used by developers, IT professionals, and security researchers. The official Notepad++ update mechanism was secretly hijacked by state-sponsored threat actors, allowing malware to be delivered to a small number of targeted users.
The disclosure was made by Don Ho, the lead developer and maintainer of Notepad++, who confirmed that attackers managed to redirect update traffic meant for the official website to malicious servers. Importantly, this breach did not occur due to a bug or vulnerability in the Notepad++ software itself.
Instead, the attack happened at a much deeper level—within the hosting provider’s infrastructure.
According to Don Ho, attackers gained access to the infrastructure used by the hosting provider that served notepad-plus-plus.org. This allowed them to silently intercept and redirect update requests from users’ systems.
“The attack involved an infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic,” Ho explained.
Because the compromise happened at the hosting level, traditional application-level security checks inside Notepad++ were unable to detect the manipulation. As a result, the official WinGUp updater—used by Notepad++ to download updates—was tricked into fetching poisoned executables from attacker-controlled servers.
One of the most concerning aspects of this incident is that it was highly targeted. Security experts believe that only users from specific networks or regions were redirected to the malicious servers. This helped attackers stay under the radar for months without triggering widespread alarms.
The malicious activity is believed to have started as early as June 2025, but it went unnoticed until much later. This long dwell time strongly suggests the involvement of advanced, state-sponsored attackers rather than common cybercriminals.
The problem was made worse by how the Notepad++ updater verified downloaded files. While the updater did perform integrity checks, it relied on mechanisms that could be bypassed if an attacker was able to intercept network traffic between the client and the update server.
In simple terms, if attackers could stand “in the middle” of the connection, they could replace the legitimate update file with a malicious one—while still making it appear valid to the updater.
This technique is often associated with man-in-the-middle (MITM) attacks, especially when combined with infrastructure compromise.
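As an added illustration (not code from the Notepad++ project or its WinGUp updater), the constructed simulation below shows why an integrity check proves nothing when the reference value travels over the same channel an on-path attacker controls, and why anchoring the check to a value pinned in the client survives a hosting-level redirect. It is standard library only; the pinned digest stands in for the pinned code-signing key a real updater would use, and all payloads are constructed samples.

```python
import hashlib
import hmac

# Constructed sample payloads; not real Notepad++ installers.
GENUINE_UPDATE = b"npp-installer: genuine release bytes (constructed)"
POISONED_UPDATE = b"npp-installer: attacker-replaced bytes (constructed)"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Reference value obtained out of band (shipped inside the updater or fetched
# from a second, independent source). An attacker who only controls the
# download channel cannot rewrite it. In a real updater this role is played
# by a code signature checked against a pinned public key (assumed design).
PINNED_DIGEST = sha256_hex(GENUINE_UPDATE)

def fetch_update(on_path_attacker: bool) -> dict:
    """Simulate what the client receives from the update host.
    With the hosting redirect in place, the attacker serves BOTH the installer
    and its accompanying hash file, so the two are mutually consistent."""
    payload = POISONED_UPDATE if on_path_attacker else GENUINE_UPDATE
    return {"installer": payload, "installer.sha256": sha256_hex(payload)}

def weak_verify(response: dict) -> bool:
    """Compare the file with a hash fetched over the same channel.
    This check only proves the sender was consistent with itself."""
    return hmac.compare_digest(sha256_hex(response["installer"]),
                               response["installer.sha256"])

def hardened_verify(response: dict, pinned: str = PINNED_DIGEST) -> bool:
    """Compare the file with a reference the download channel cannot alter."""
    return hmac.compare_digest(sha256_hex(response["installer"]), pinned)

def run_scenarios() -> dict:
    """Return {attacker_on_path: (weak_result, hardened_result)}."""
    results = {}
    for attacker in (False, True):
        resp = fetch_update(attacker)
        results[attacker] = (weak_verify(resp), hardened_verify(resp))
    return results

if __name__ == "__main__":
    for attacker, (weak, hard) in run_scenarios().items():
        print(f"attacker on path={attacker}: weak={weak} hardened={hard}")
```

With the attacker on path, the weak check still reports success while the pinned check rejects the swapped installer; that gap is the whole reason a hash served next to the file is not a defence against a compromised host.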
Independent security researcher Kevin Beaumont revealed that the attack was likely carried out by China-linked threat actors. According to his findings, the attackers used the hijacked update system to infect selected systems with malware, which could then be used for:
Network access
Persistent espionage
Credential theft
Further lateral movement inside organizations
This aligns with previous campaigns attributed to state-sponsored groups, where software supply chain attacks are used to gain trusted access to high-value targets.
The full scope of the incident is still under investigation, but Notepad++ has shared important details about the timeline:
June 2025: Malicious redirection activity likely begins
September 2, 2025: Hosting provider confirms that the shared server remained compromised until this date
December 2, 2025: Attackers still retained credentials to internal services, allowing continued redirection
Post-disclosure: Notepad++ migrates its website to a new hosting provider
Even after losing direct server access, attackers were able to maintain control due to stolen internal credentials, highlighting the severity of the breach.
Following the discovery, the Notepad++ team took immediate action to limit further risk:
Migrated the official website to a new hosting provider
Investigated the updater redirection issue
Released Notepad++ version 8.8.9, which addressed abnormal redirection behavior
Publicly disclosed the incident to maintain transparency
Don Ho emphasized that the Notepad++ source code itself was never compromised, and the attack did not involve inserting malicious code into the official repository.
This attack is another reminder that software supply chain security is now a top target for advanced threat actors. Even trusted, open-source tools like Notepad++ can be abused if attackers compromise infrastructure, DNS, or hosting environments.
For users and organizations, this incident highlights the importance of:
Monitoring outbound traffic
Using endpoint protection capable of detecting suspicious binaries
Validating software updates through multiple security layers
Treating update mechanisms as high-risk attack surfaces
The hijacking of the Notepad++ update mechanism is a wake-up call for both developers and users. While the software itself remained secure, attackers proved that compromising the delivery pipeline can be just as effective.
As state-sponsored cyber threats continue to evolve, defending against supply chain attacks will require stronger verification methods, hardened infrastructure, and continuous monitoring.
For now, users are advised to update Notepad++ to the latest version, download updates only from official sources, and remain cautious—even with trusted tools.