For years, Notepad++ has been one of those tools people install without a second thought. It is lightweight, free, and trusted by IT administrators, developers, students, and security researchers. That trust is exactly what made the latest disclosure around its update system so serious.
In a detailed statement published alongside the v8.8.9 release, Notepad++ maintainer Don Ho confirmed today that the software’s update infrastructure had been compromised through its former hosting provider.
The breach did not stem from vulnerabilities in Notepad++’s code itself. It involved attackers gaining control at the hosting level, allowing them to intercept update traffic and redirect selected users to attacker-controlled servers that served malicious binaries.
According to combined findings by Notepad++ and the hosting provider, the initial breach took place in June 2025 and continued in various forms until at least November, with remaining access possibly lasting until December 2, 2025.
The hosting company also acknowledges that the breach affected a shared hosting server responsible for handling update requests. What’s worse, even after attackers lost direct access following scheduled kernel and firmware updates in early September, they retained credentials to internal services. That access allowed continued manipulation of update responses, effectively letting them change where the updater pointed users for downloads.
What’s worth noting is that the logs reviewed by both the provider and external experts revealed that attackers focused almost exclusively on the notepad-plus-plus.org domain. Other customers hosted on the same infrastructure do not appear to have been affected, which points to deliberate targeting rather than opportunistic abuse.
For now, the true scale of the damage remains unclear. There is no public estimate of how many users were redirected or what malware families were distributed. Given Notepad++’s reach across personal systems, universities, and enterprise environments, even limited targeting could have had a serious downstream impact.
The good news is that the Notepad++ website and update services have been migrated to a new hosting provider, and significant changes have been made to how updates are validated. Starting with v8.8.9, WinGUp now verifies both installer signatures and certificates. Update responses are also signed using XML digital signatures, with strict enforcement planned for v8.9.2.
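The client-side checks described above (a valid installer signature plus a pinned publisher certificate) are the control that breaks a redirect like this one. The following is an added illustration, not Notepad++ or WinGUp code: it verifies a downloaded installer before it is run. The signer thumbprint and SHA-256 value are placeholders that an administrator would pin from the project's published signing certificate or release page, not from the update channel itself.

```powershell
# Added example: verify a downloaded installer the way a hardened updater should.
# Placeholders: pin the real signer thumbprint and release hash out of band.
function Test-TrustedInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSignerThumbprint,  # placeholder value
        [string] $ExpectedSha256                                     # optional, from the release page
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "Installer not found: $Path" }

    # 1. The Authenticode signature must be intact and chain to a trusted root.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Trusted = $false; Reason = "Signature status: $($sig.Status)" }
    }

    # 2. Pin the signer: a valid signature from the wrong publisher is still a hijack.
    $cert = $sig.SignerCertificate
    if ($cert.Thumbprint -ne $ExpectedSignerThumbprint.ToUpperInvariant()) {
        return [pscustomobject]@{ Trusted = $false; Reason = "Unexpected signer: $($cert.Subject) [$($cert.Thumbprint)]" }
    }

    # 3. A signature without a timestamp stops validating when the certificate expires.
    if (-not $sig.TimeStamperCertificate) {
        Write-Warning "Signature is not timestamped; it will fail after $($cert.NotAfter)"
    }

    # 4. Optional second check against a hash obtained outside the update channel.
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
            return [pscustomobject]@{ Trusted = $false; Reason = "SHA-256 mismatch: $actual" }
        }
    }
    return [pscustomobject]@{ Trusted = $true; Reason = "Signed by $($cert.Subject)" }
}

# Usage (path and pinned thumbprint are placeholders):
$result = Test-TrustedInstaller -Path "$env:TEMP\npp.installer.exe" `
    -ExpectedSignerThumbprint '<PINNED-SIGNER-THUMBPRINT>'
if (-not $result.Trusted) { Write-Error $result.Reason; exit 1 }
```

The same pinning idea applies to the signed update responses the article mentions: a signature that merely validates is not enough, the signing identity must also be the expected one.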
Security researchers involved in the investigation believe the campaign showed signs of a Chinese state-sponsored operation. The selective nature of the redirections, combined with the patience and precision involved, aligns with activity normally associated with advanced persistent threat groups rather than criminal malware operations.
Expert View
Commenting on the incident, Cassius Edison, COO of Closed Door Security, said the attack highlights ongoing risks around trusted software distribution channels.
“This attack represents another serious supply chain attack, potentially affecting millions of devices,” Edison said. “Notepad++ is ubiquitous across IT and development environments, and that level of trust makes this kind of compromise extremely dangerous. While the breach did not originate in the software itself, attackers were able to sit inside the update infrastructure for months and manipulate where users were sent.”
Edison added that while the activity appears targeted, users should not assume they were unaffected simply because no visible issues appeared. Keeping systems up to date and monitoring for unusual behavior remain essential, particularly on machines connected to larger networks.
Notepad++’s maintainer has publicly apologized to users and stated that the incident is now fully contained. With infrastructure changes completed and stronger client-side verification rolling out, the risk of similar hijacking attempts has been significantly reduced.
Still, the episode serves as a clear warning about how even well-maintained open source tools can become attack vectors when third-party infrastructure is compromised. In a software ecosystem built on trust, update channels remain one of the most valuable targets attackers can find.
