Chinese state-sponsored threat actors were likely behind the hijacking of Notepad++ update traffic last year that lasted for almost half a year, the developer states in an official announcement today.
The attackers intercepted and selectively redirected update requests from certain users to malicious servers, serving tampered update manifests by exploiting a security gap in the Notepad++ update verification controls.
A statement from the hosting provider for the update service says its logs indicate that the attacker compromised the server hosting the Notepad++ update application.

External security experts helping with the investigation found that the attack started in June 2025. According to the developer, the breach had a narrow targeting scope and redirected only specific users to the attacker’s infrastructure.
“Multiple independent security researchers have assessed that the threat actor is likely a Chinese state-sponsored group, which would explain the highly selective targeting observed during the campaign,” reads Notepad++’s announcement.
“The attackers specifically targeted Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++.”
In December, Notepad++ released version 8.8.9 to address a security weakness in its WinGUp update tool after multiple researchers reported that the updater could be made to fetch malicious packages instead of legitimate ones.
Security researcher Kevin Beaumont had warned that he knew of at least three organizations affected by these update hijacks, which were followed by hands-on reconnaissance activity on the network.
Notepad++ is a free and open-source editor for text and source code and a popular tool on Windows, with tens of millions of users across the world.
The developer now explains that the attack began in June 2025, when a hosting provider for the software was compromised, enabling the attackers to perform targeted traffic redirections.
In early September, the attacker temporarily lost access when the server kernel and firmware were updated. However, the threat actor was able to regain its foothold by using previously obtained internal service credentials that had not been changed.
This continued until December 2, 2025, when the hosting provider finally detected the breach and terminated the attacker’s access.
Notepad++ has since migrated all clients to a new hosting provider with stronger security, rotated all credentials that could have been stolen by the attackers, fixed the vulnerabilities that were exploited, and thoroughly analyzed logs to confirm that the malicious activity has stopped.
Notepad++ recommends that users take the following actions to strengthen their security:
- Change credentials for SSH, FTP/SFTP, and MySQL
- Review WordPress admin accounts, reset passwords, and remove unnecessary users
- Update WordPress core, plugins, and themes, and enable automatic updates if applicable
Starting from Notepad++ version 8.8.9, WinGUp verifies installer certificates and signatures, and the update XML is cryptographically signed.
The developer also stated that they plan to enforce mandatory certificate signature verification in version 8.9.2, which is expected to be released in about a month.
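The difference between the older, unverified update flow and the signed-manifest flow described above, as an added illustration (this is not WinGUp's code, and Notepad++ has not published the details of its signing scheme): Ed25519 and a SHA-256 hash carried in the manifest are assumptions chosen so the example runs stand-alone, and the manifest layout, URLs and installer bytes are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
	"strings"
)

// Manifest is a constructed stand-in for an update XML: version, download
// location and the SHA-256 the installer must hash to.
type Manifest struct {
	XMLName  xml.Name `xml:"update"`
	Version  string   `xml:"version"`
	Location string   `xml:"location"`
	SHA256   string   `xml:"sha256"`
}

// SignedUpdate is what the client fetches: the raw manifest bytes plus a
// detached signature over exactly those bytes.
type SignedUpdate struct {
	Manifest  []byte
	Signature []byte
}

// LegacyAccept models the pre-8.8.9 weakness: the manifest is parsed and
// trusted as received, so whoever controls the transport controls the
// version, the URL and therefore the payload.
func LegacyAccept(raw []byte) (Manifest, error) {
	var m Manifest
	err := xml.Unmarshal(raw, &m)
	return m, err // no signature check, no hash check
}

// VerifyUpdate is the hardened flow: verify the signature over the manifest
// bytes with a key pinned in the client before parsing anything, then check
// the downloaded installer against the hash the signed manifest commits to.
func VerifyUpdate(pub ed25519.PublicKey, u SignedUpdate, installer []byte) (Manifest, error) {
	if !ed25519.Verify(pub, u.Manifest, u.Signature) {
		return Manifest{}, errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := xml.Unmarshal(u.Manifest, &m); err != nil {
		return Manifest{}, err
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return Manifest{}, errors.New("installer hash does not match signed manifest")
	}
	return m, nil
}

// BuildSignedUpdate plays the publisher so the example is self-contained;
// it is a hypothetical helper, not how the project publishes updates.
func BuildSignedUpdate(priv ed25519.PrivateKey, version, location string, installer []byte) SignedUpdate {
	sum := sha256.Sum256(installer)
	raw, _ := xml.Marshal(Manifest{Version: version, Location: location, SHA256: hex.EncodeToString(sum[:])})
	return SignedUpdate{Manifest: raw, Signature: ed25519.Sign(priv, raw)}
}

// Results records how each flow behaves against an on-path attacker.
type Results struct {
	LegacyFollowsTamperedURL   bool
	HardenedRejectsTampered    bool
	HardenedRejectsSwappedFile bool
	HardenedAcceptsGenuine     bool
}

// RunScenarios generates a throwaway key pair and exercises both flows.
func RunScenarios() (Results, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Results{}, err
	}
	installer := []byte("constructed installer bytes, stand-in for the real .exe")
	genuine := BuildSignedUpdate(priv, "8.8.9", "https://updates.example.invalid/npp.exe", installer)

	// An attacker who controls the transport rewrites the location but
	// cannot produce a valid signature for the modified bytes.
	tampered := SignedUpdate{
		Manifest:  bytes.Replace(genuine.Manifest, []byte("updates.example.invalid"), []byte("attacker.example.invalid"), 1),
		Signature: genuine.Signature,
	}

	var r Results
	if m, err := LegacyAccept(tampered.Manifest); err == nil {
		r.LegacyFollowsTamperedURL = strings.Contains(m.Location, "attacker.")
	}
	_, err = VerifyUpdate(pub, tampered, installer)
	r.HardenedRejectsTampered = err != nil
	_, err = VerifyUpdate(pub, genuine, []byte("swapped payload served from the attacker's host"))
	r.HardenedRejectsSwappedFile = err != nil
	_, err = VerifyUpdate(pub, genuine, installer)
	r.HardenedAcceptsGenuine = err == nil
	return r, nil
}

func main() {
	r, err := RunScenarios()
	fmt.Printf("%+v %v\n", r, err)
}
```

The ordering matters: the signature is checked over the raw bytes before the XML parser sees them, so a tampered manifest never influences which URL is fetched, and the hash check ties the downloaded file to the manifest the signature covers rather than to whatever the server returned. Pinning the public key in the client is what removes the hosting provider from the trust chain, which is the property the compromise described above defeated.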
BleepingComputer has contacted the developer for indicators of compromise or other information that could help users determine if they were impacted but we did not receive a reply by publishing time.

