
A months-long cyber-espionage campaign targeting Notepad++ users has been traced to a compromise of the app’s former shared hosting provider, enabling attackers to deliver malicious updates through hijacked traffic.
The attack, now attributed to a likely Chinese state-sponsored group, exploited infrastructure-level weaknesses rather than vulnerabilities in Notepad++ itself.
The incident, which first surfaced with a security fix in Notepad++ v8.8.9 in December 2025, has now been fully disclosed following an extended investigation. According to the project’s developer, malicious actors intercepted update traffic intended for notepad-plus-plus.org and selectively redirected users to attacker-controlled servers that hosted tampered update manifests. This redirection allowed the delivery of compromised executables to users, exploiting a gap in the updater’s verification process: before v8.8.9 the updater did not enforce signature and certificate checks on what it downloaded, so a manifest pointing at an attacker’s installer was accepted.
Security researchers and the Notepad++ developer traced the compromise to the application’s shared hosting provider, which admitted that one of its servers had been infiltrated. The attackers maintained stealthy access to internal services from June through early December 2025. Although the attackers lost server-level access on September 2 during scheduled maintenance, they retained credentials that let them keep manipulating update traffic until December 2.
Notepad++ is a widely used open-source text and code editor for Windows, popular among developers, sysadmins, and other technical users for its lightweight performance and plugin ecosystem. With millions of users globally, it’s a high-value target for advanced threat actors seeking to distribute malicious payloads to developer environments or to infiltrate larger networks via supply-chain compromise.
The attackers’ primary goal was to subvert the update channel. WinGUp, the updater bundled with Notepad++, did not strictly validate the update manifest it fetched or the installers that manifest pointed to, so whoever controlled the network path between the user and notepad-plus-plus.org effectively controlled what users installed.
Independent analysts and threat intelligence experts have assessed the sophistication and selectivity of the operation as consistent with Chinese state-backed threat groups. The campaign targeted selected users rather than indiscriminately compromising every update download, suggesting a focused cyber-espionage objective rather than broad malware distribution.
To mitigate the breach, the Notepad++ website has since been migrated to a new hosting provider with hardened security. On the application side, multiple countermeasures have been introduced:
- As of version 8.8.9, WinGUp enforces verification of both the digital signature and certificate of downloaded update installers.
- The update manifest, which instructs WinGUp where to download updates, is now cryptographically signed using XMLDSig.
- Starting with version 8.9.2 (expected in early March 2026), both signature and certificate verification for update instructions will be strictly enforced.
The developer has expressed confidence that these remediations fully neutralize the attack vector and restore the integrity of Notepad++ updates. Users running older versions are strongly urged to upgrade immediately and validate their installations; since the weakness was in the updater itself, the safest path is to download the current installer from the official site and check its signature and signer before running it, rather than relying on an in-app update from an older build.
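The following PowerShell script is an added example of the kind of installer check described above, performed manually on a downloaded file; it is not WinGUp’s code and not part of the original article. It shows why "signature is valid" alone is the weak form of the check: any binary signed with any trusted code-signing certificate passes it, whereas pinning the signer’s subject and certificate thumbprint (the "both signature and certificate" requirement of v8.8.9) rejects a validly signed file from the wrong publisher. The placeholder subject and thumbprint are assumptions to be replaced with values recorded from a known-good release; the page does not state the real certificate details.

```powershell
# Added example (not Notepad++/WinGUp code): verify a downloaded installer by
# signature validity AND signer identity, the two checks the hardened updater enforces.
param(
    [Parameter(Mandatory)] [string] $InstallerPath,
    # ASSUMPTION: placeholders. Record the real publisher subject and SHA1
    # thumbprint out-of-band from a known-good installer; they are not given here.
    [string] $ExpectedSubject    = 'CN=<expected publisher subject>',
    [string] $ExpectedThumbprint = '<expected SHA1 thumbprint>'
)

function Test-TrustedInstaller {
    param([string] $Path, [string] $Subject, [string] $Thumbprint)

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Weak check on its own: 'Valid' only means "signed by some certificate that
    # chains to a trusted root". An attacker with any code-signing cert passes this.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status: $($sig.Status) ($($sig.StatusMessage))"
        return $false
    }

    # Stronger check: the leaf signer must be the expected publisher. Comparing the
    # subject catches a different publisher; the thumbprint pin also catches a
    # look-alike certificate issued with the same subject string.
    $cert = $sig.SignerCertificate
    if ($cert.Subject -ne $Subject) {
        Write-Warning "Unexpected signer subject: $($cert.Subject)"
        return $false
    }
    if ($cert.Thumbprint -ne $Thumbprint) {
        Write-Warning "Unexpected signer thumbprint: $($cert.Thumbprint)"
        return $false
    }
    return $true
}

# Usage: .\Test-Installer.ps1 -InstallerPath .\npp.installer.exe `
#            -ExpectedSubject 'CN=...' -ExpectedThumbprint 'ABCD...'
if (Test-TrustedInstaller -Path $InstallerPath -Subject $ExpectedSubject -Thumbprint $ExpectedThumbprint) {
    Write-Host "OK: $InstallerPath is signed by the expected publisher"
    exit 0
} else {
    Write-Host "REJECT: do not run $InstallerPath"
    exit 1
}
```

Run it against the installer before executing the installer, not after. The thumbprint will change when the publisher renews its certificate, so treat a pin mismatch as a signal to re-verify the new certificate through an independent channel rather than as a reason to drop the check. The same two-step logic (is it signed at all, and is it signed by whom we expect) is what a signed update manifest such as the XMLDSig one introduced here gives the updater for the instructions themselves, not only for the installer.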