In a stark reminder of the persistent threat landscape, Notepad++, a widely used free and open-source text editor, has revealed that its update feature was compromised for several months last year. According to an official announcement, suspected Chinese state-sponsored hackers hijacked update traffic, selectively redirecting users to malicious servers and serving tampered update manifests. The incident, which began in June 2025, highlights the increasing sophistication and targeted nature of cyberattacks, even against seemingly innocuous software.
Details of the Attack
The attack exploited a vulnerability in Notepad++’s update verification controls. By compromising the hosting provider responsible for the update feature, the attackers were able to intercept and redirect update requests from specific users. This allowed them to deliver malicious packages disguised as legitimate updates. The developer confirmed that the breach was highly targeted, affecting only a select group of users. Security researchers involved in the investigation believe that the threat actor is likely a Chinese state-sponsored group, given the campaign’s targeted nature.
“Multiple independent security researchers have assessed that the threat actor is likely a Chinese state-sponsored group, which would explain the highly selective targeting observed during the campaign,” Notepad++ stated in its announcement.
The attackers specifically targeted the Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++. This allowed them to inject malicious code into the systems of unsuspecting users. The compromise persisted for nearly half a year, from June to December 2025, before being detected and terminated by the hosting provider.
Timeline and Response
The initial compromise occurred in June 2025, when the attackers gained access to the hosting provider’s server. After a temporary disruption in early September due to server maintenance, the attackers regained access using previously obtained internal service credentials that had not been changed. The hosting provider finally detected the breach on December 2, 2025, and terminated the attacker’s access.
Notepad++ has since taken several steps to mitigate the impact of the attack and prevent future incidents. These measures include migrating all clients to a new hosting provider with stronger security, rotating all potentially compromised credentials, fixing the exploited vulnerabilities, and thoroughly analyzing logs to confirm that the malicious activity has stopped. Notably, version 8.8.9, released in December, addressed a security weakness in its WinGUp update tool by implementing installer certificate and signature verification. The developer also plans to enforce mandatory certificate signature verification in version 8.9.2, expected to be released soon.
Implications and Recommendations
This incident serves as a critical reminder of the importance of robust security practices, not only for software developers but also for users. Even widely used and trusted software can be vulnerable to sophisticated attacks, particularly those orchestrated by state-sponsored actors. The targeted nature of this attack suggests that the attackers had specific objectives in mind, potentially related to espionage, intellectual property theft, or other strategic goals.
For Notepad++ users, the developer recommends changing credentials for SSH, FTP/SFTP, and MySQL, reviewing and securing WordPress admin accounts, and updating WordPress core, plugins, and themes. These measures can help prevent attackers from exploiting compromised systems to gain further access to sensitive data or infrastructure.
More broadly, this incident underscores the need for software developers to prioritize security throughout the software development lifecycle. This includes implementing strong update verification controls, regularly auditing security practices, and promptly addressing vulnerabilities.
The Notepad++ incident is a cautionary tale for the software industry and users alike. It highlights the need for constant vigilance and proactive security measures to protect against increasingly sophisticated cyber threats.
Source: BleepingComputer




