Notepad++, a free open source text and code editor for the Windows operating system, suffered an “infrastructure-level compromise” last year by threat actors seeking to deliver malware to selected users.
A post-mortem of the incident, which started in June 2025 and was reported to Notepad++ by security researchers, suggested the shared hosting server for the text editor was compromised until December 2 last year.
This was in conjunction with a vulnerability in older versions of Notepad++ discovered in 2025.
Rapid7 dropped a write-up on the Notepad++ update-chain abuse and – finally – it comes with real IOCs
– update.exe downloaded from 95.179.213[.]0 after notepad++.exe -> GUP.exe
– file hashes for update.exe / log.dll / BluetoothService.exe / conf.c / libtcc.dll
– network IOCs… https://t.co/VHTF3pngJn
— Florian Roth (@cyb3rops), February 2, 2026
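The process chain in the post quoted above (notepad++.exe -> GUP.exe, then update.exe) can be hunted for in endpoint telemetry. The sketch below is an added example, not code from Rapid7, Notepad++ or the original article; the event field names, paths and sample events are constructed, and only the file names and the IP address come from the post.

```python
from ntpath import basename  # parses Windows paths on any OS

# Indicators named in the quoted post (IP refanged from 95.179.213[.]0).
IOC_IP = "95.179.213.0"
IOC_FILES = {"update.exe", "bluetoothservice.exe"}

# Constructed sample telemetry (field names and paths are assumptions).
EVENTS = [
    {"type": "proc", "pid": 100, "ppid": 1, "image": r"C:\Program Files\Notepad++\notepad++.exe"},
    {"type": "proc", "pid": 200, "ppid": 100, "image": r"C:\Program Files\Notepad++\updater\GUP.exe"},
    {"type": "net", "pid": 200, "dst": "95.179.213.0"},
    {"type": "proc", "pid": 300, "ppid": 200, "image": r"C:\Users\a\AppData\Local\Temp\update.exe"},
    {"type": "proc", "pid": 400, "ppid": 300, "image": r"C:\Users\a\AppData\Local\Temp\BluetoothService.exe"},
    {"type": "proc", "pid": 500, "ppid": 1, "image": r"C:\Tools\update.exe"},  # same name, unrelated parent
    {"type": "proc", "pid": 600, "ppid": 200, "image": r"C:\Users\a\AppData\Local\Temp\installer-constructed.exe"},
]

def ancestry(pid, procs):
    """Image names from pid up to the root; stops on unknown or looping pids."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]).lower())
        pid = procs[pid]["ppid"]
    return chain

def hunt(events):
    """Report activity by GUP.exe or its descendants, labelling IOC matches."""
    procs = {e["pid"]: e for e in events if e["type"] == "proc"}  # assumes no pid reuse
    findings = []
    for e in events:
        chain = ancestry(e["pid"], procs)
        if "gup.exe" not in chain:
            continue  # not the updater or anything it started
        via_npp = "notepad++.exe" in chain[chain.index("gup.exe"):]
        path = " <- ".join(chain)
        if e["type"] == "proc" and chain[0] != "gup.exe":
            kind = "ioc-file" if chain[0] in IOC_FILES else "updater-child"
            findings.append((kind, e["pid"], path, via_npp))
        elif e["type"] == "net" and e["dst"] == IOC_IP:
            findings.append(("ioc-ip", e["pid"], path, via_npp))
    return findings

if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

Findings labelled `updater-child` are not indicator matches; they list everything else the updater started so that it can be reviewed against the expected installer.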
The compromise officially came to light last year, when Notepad++ developer Don Ho announced the release of version 8.8.9, which contained a fix for a traffic hijacking vulnerability.
“… Traffic from WinGUp (the Notepad++ updater) was occasionally redirected to malicious servers, resulting in the download of compromised executables,” Ho wrote.
A weakness in the way WinGUp validated the integrity and authenticity of the update file allowed an attacker to intercept network traffic between the downloaded code and the Notepad++ infrastructure.
In turn, this could be abused by an attacker to make the updater download and run a malicious binary file instead of the expected, legitimate Notepad++ one.
Unnamed Chinese state-sponsored threat actors selectively targeting specific Notepad++ users are thought by security researchers to be behind the attack.
Notepad++ has now moved to a new hosting provider with “significantly stronger security practices” so as to prevent a repeat of the compromise.
Better certificate and signature verification has been added to the WinGUp updater to ensure the integrity of the downloaded Notepad++ installer.
Notepad++ version 8.9.1 contains the security fixes, and Ho suggested updating the text editor manually as well.
