Suspected Chinese state-sponsored attackers hijacked the Notepad++ update mechanism by compromising the software project’s shared hosting server and intercepting and redirecting update traffic destined for notepad-plus-plus.org, the software’s maintainer Don Ho confirmed on Monday.
The attack timeline
In early December 2025, security researcher Kevin Beaumont said that he knew of three organizations that have had security incidents traced back to Notepad++ processes providing the attackers initial access to the computers.
“I’ve only talked to a small number of victims. They are orgs with interests in East Asia. Activity appears very targeted. Victims report hands on keyboard recon activity, with activity starting around two months ago,” he shared at the time.
The attackers were able to pull off this supply chain attack by leveraging security weaknesses in Notepad++’s updater (WinGUP).
Before version 8.8.8, which was released in mid-November 2025, the updater code was not hardened enough to make it impossible to change the source from which updates are downloaded. Since then, downloads can only be received from GitHub.
(Also, before version 8.8.9, the updater did not validate the integrity and authenticity of the downloaded update file.)
This state of affairs has been exploited by the attackers, who managed to intercept the network traffic between the updater client and the Notepad++ update infrastructure, to deliver and execute a malicious update instead of a benign one.
“Because traffic to notepad-plus-plus.org is fairly rare, it may be possible to sit inside the ISP chain and redirect to a different download,” Beaumont noted in December. “To do this at any kind of scale requires a lot of resources.”
Beaumont shared that the targeted organizations were telecommunications and financial services organizations in East Asia, and attributed the attacks to Chinese nation-state threat actors Zirconium, aka Violet Typhoon.
The supply chain compromise apparently happened in June 2025 and, according to the software’s hosting provider, the shared hosting server remained compromised until September 2, 2025, when the attackers lost access to it after its kernel and firmware were updated.
“Even though the bad actors have lost access to the server from the 2nd of September, 2025, they maintained the credentials of our internal services existing on that server until the 2nd of December, which could have allowed the malicious actors to redirect some of the traffic going to https://notepad-plus-plus.org/getDownloadUrl.php to their own servers and return the updates download URL with compromised updates,” the hosting provider told Don Ho.
“The bad actors specifically searched for https://notepad-plus-plus.org/ domain with the goal to intercept the traffic to [the Notepad++] website, as they might know the then-existing Notepad++ vulnerabilities related to insufficient update verification controls.”
The hosting provider stated that they have fixed vulnerabilities in the shared hosting server and that the threat actors “tried to re-exploit one of the fixed vulnerabilities” and failed, which seems to suggest this is how they managed to gain access the first time.
Advice for organizations
Ho said that since the incident:
- The Notepad++ website has been migrated to a new hosting provider
- The WinGUP updater has been enhanced so it verifies both the certificate and the signature of the downloaded installer
- The XML file containing the download URL for the update is now signed, and the certificate and signature verification will be enforced starting with the upcoming v8.9.2, to be released in a month.
While Notepad++ is a program that’s used by IT and software development staff in many organizations around the world, it seems that this particular attack was aimed at very specific targets.
That’s why, back in December, Beaumont advised organizations not to overreact to the news, but to still check for:
- gup.exe making network requests to hosts other than notepad-plus-plus.org, github.com and release-assets.githubusercontent.com
- unexpected processes spawned by the installer
- specific files (update.exe or AutoUpdater.exe) in the user TEMP folder.
Also, given that other attackers are often peddling malware masquerading as Notepad++, to check whether the version installed on users’ computers is legitimate.
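As an added illustration (not from the article, and not the Notepad++ project’s own code), the following Python triages constructed Sysmon-style network and file events against the indicators listed above; the event field names, file paths and hostnames in the sample are assumptions.

```python
# Added example: triage constructed endpoint events against the indicators
# described in the article (gup.exe destinations, suspect files in TEMP).
from dataclasses import dataclass
from typing import Iterable

# Hosts the article names as expected destinations for the updater (gup.exe).
ALLOWED_HOSTS = ("notepad-plus-plus.org", "github.com", "release-assets.githubusercontent.com")
# File names the article says to look for in the user's TEMP folder.
SUSPECT_TEMP_FILES = {"update.exe", "autoupdater.exe"}

@dataclass
class Event:
    kind: str    # "net" (outbound connection) or "file" (file created); assumed schema
    image: str   # image path of the process that generated the event
    target: str  # destination host for "net", created file path for "file"

def host_allowed(host: str) -> bool:
    """True if host is an allowed domain or a subdomain of one (case-insensitive)."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in ALLOWED_HOSTS)

def triage(events: Iterable[Event]) -> list[str]:
    """Return one finding string per event that matches an indicator."""
    findings = []
    for ev in events:
        exe = ev.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if ev.kind == "net" and exe == "gup.exe" and not host_allowed(ev.target):
            findings.append(f"gup.exe connected to unexpected host {ev.target}")
        elif ev.kind == "file":
            path = ev.target.replace("/", "\\").lower()
            name = path.rsplit("\\", 1)[-1]
            if name in SUSPECT_TEMP_FILES and "\\temp\\" in path:
                findings.append(f"suspect file {name} written to TEMP by {exe}")
    return findings

# Constructed sample events for demonstration; not data from any real incident.
SAMPLE_EVENTS = [
    Event("net", r"C:\Program Files\Notepad++\updater\gup.exe", "notepad-plus-plus.org"),
    Event("net", r"C:\Program Files\Notepad++\updater\gup.exe", "release-assets.githubusercontent.com"),
    Event("net", r"C:\Program Files\Notepad++\updater\gup.exe", "updates.example.invalid"),
    Event("file", r"C:\Users\alice\AppData\Local\Temp\npp.8.8.7.Installer.x64.exe",
          r"C:\Users\alice\AppData\Local\Temp\AutoUpdater.exe"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The allowlist check matches exact domains and their subdomains only, so look-alike names such as a domain that merely ends in "github.com" without the dot separator are still flagged.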
“If you’re a large enterprise who package manage Notepad++ and update it, you may want to block notepad-plus-plus.org or block the gup.exe process from having internet access. You may also want to block internet access from the notepad++.exe process, unless you have robust monitoring for [third-party Notepad++] extensions,” he concluded.