The popular open-source text editor Notepad++ has disclosed a serious supply chain attack that occurred between June and December 2025, in which attackers compromised its web hosting infrastructure to distribute malicious update files to a limited number of users.
According to the project’s lead developer Don Ho and multiple independent cybersecurity researchers, the attack did not exploit a vulnerability in Notepad++’s source code. Instead, threat actors intercepted the update delivery mechanism, redirecting some users to tampered installers. Security experts believe the operation bears the hallmarks of a Chinese state-sponsored threat group.
A Hosting Infrastructure Breach, Not a Software Vulnerability
Crucially, the attackers did not find or exploit a flaw in the Notepad++ application itself. The compromise occurred at the hosting level, targeting the shared server that hosted the official website notepad-plus-plus.org.
By gaining access to this server, the attackers were able to:
- Intercept update requests made by the software
- Redirect those requests to attacker-controlled servers
- Serve modified update manifests pointing to malicious installers
When affected users checked for updates inside Notepad++, their requests to getDownloadUrl.php were silently redirected. Instead of receiving legitimate update information, they were sent altered XML files that instructed the app to download compromised versions of Notepad++.
Long-Term Persistence Confirmed by the Hosting Provider
The former hosting provider later confirmed that the shared server had been compromised until September 2, 2025. Although a maintenance operation updated the kernel and firmware—cutting off the attackers’ direct access—the incident did not end there.
Investigators discovered that the attackers had retained valid internal service credentials, allowing them to continue manipulating traffic until December 2, 2025. This persistence enabled the malicious redirection campaign to continue for an additional three months, highlighting the sophistication of the operation.
Evidence Points to a Targeted, State-Sponsored Chinese Group
The attack was highly selective. According to the hosting provider, no other customers on the shared server were targeted. The attackers focused exclusively on notepad-plus-plus.org, suggesting prior knowledge of weaknesses in older update verification mechanisms.
Independent security researchers analyzing the incident concluded that:
- Only specific update streams were redirected
- The operation remained stealthy for six months
- The tactics align with known state-sponsored cyber-espionage campaigns
These characteristics strongly suggest the involvement of a Chinese government-backed threat actor, rather than opportunistic cybercriminals.
Comprehensive Security Fixes Deployed Across Infrastructure and Software
In response to the breach, Don Ho and the Notepad++ team implemented multiple layers of remediation.
Infrastructure Changes
- The official Notepad++ website was migrated to a new hosting provider with stronger security controls
- The former host rotated all compromised credentials
- A full audit confirmed no other servers were affected
Software-Level Security Improvements
Major changes were introduced in Notepad++ version 8.8.9, released in late January 2026:
- The WinGup update component now verifies both:
  - The digital certificate
  - The cryptographic signature of downloaded installers
- Update manifests returned by the server are now digitally signed using XMLDSig
Starting with version 8.9.2, expected within weeks, these checks will become mandatory, making it effectively impossible to inject malicious updates—even if the hosting infrastructure were compromised again.
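As an added illustration of the two-layer check described in this section (not code from Notepad++ or WinGup), the following Go program models an update client that refuses an update unless the manifest signature verifies under a key pinned in the client and the downloaded installer matches the digest the signed manifest declares. It assumes a constructed line-based manifest with a detached ed25519 signature standing in for XMLDSig and for the installer's certificate and signature check; the URLs, key pair and installer bytes are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strings"
)

// Constructed stand-in for the manifest returned by getDownloadUrl.php. The real one is XML
// signed with XMLDSig; here a detached ed25519 signature simply covers these raw bytes.
func manifestBytes(version, url string, installer []byte) []byte {
	sum := sha256.Sum256(installer)
	return []byte("version=" + version + "\nurl=" + url + "\nsha256=" + hex.EncodeToString(sum[:]) + "\n")
}

// VerifyUpdate applies both checks the page describes: the manifest must carry a valid signature
// from the pinned project key, and the installer must match the digest that trusted manifest
// declares. Either failure aborts the update, so a redirected server cannot rewrite the
// manifest (no signing key) or swap the installer (digest mismatch).
func VerifyUpdate(pub ed25519.PublicKey, manifest, sig, installer []byte) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return errors.New("manifest signature invalid: refusing update")
	}
	sum := sha256.Sum256(installer)
	if !strings.Contains(string(manifest), "\nsha256="+hex.EncodeToString(sum[:])+"\n") {
		return errors.New("installer digest does not match signed manifest")
	}
	return nil
}

// Demo covers a genuine update, a manifest rewritten by a server without the signing key,
// and a swapped installer behind an untouched manifest. Only the first should pass.
func Demo() (legit, rewrittenManifest, swappedInstaller error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // pub is what the client would pin
	installer := []byte("constructed installer bytes for 8.8.9")
	manifest := manifestBytes("8.8.9", "https://example.invalid/npp.exe", installer)
	sig := ed25519.Sign(priv, manifest)
	legit = VerifyUpdate(pub, manifest, sig, installer)
	evil := []byte("constructed attacker installer")
	rewritten := manifestBytes("8.8.9", "https://attacker.invalid/npp.exe", evil)
	rewrittenManifest = VerifyUpdate(pub, rewritten, sig, evil) // old signature does not cover new bytes
	swappedInstaller = VerifyUpdate(pub, manifest, sig, evil)
	return
}
```

The point the example makes is that pinning the verification key in the client removes the hosting server from the trust chain: a compromised host can redirect the request, but cannot produce a manifest or installer the client will accept.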
No Ongoing Threat Detected
The hosting provider confirmed that all attacker access was permanently revoked on December 2, 2025, and no suspicious activity has been detected since. Based on current evidence, the incident is considered fully contained and resolved.
What Notepad++ Users Should Do Now
If you installed or updated Notepad++ between June and December 2025, you should take precautionary steps:
- Uninstall Notepad++ completely
- Download the latest version directly from the official Notepad++ website
- Reinstall using the verified installer
Users running Notepad++ 8.8.9 or newer already benefit from enhanced update security. These versions automatically verify the authenticity of downloaded files, blocking any malicious modifications.
Don Ho has issued a public apology to affected users and stated that the combination of new hosting, stronger cryptographic verification, and mandatory signature checks should prevent similar incidents in the future.
Final Thoughts
This Notepad++ incident is a stark reminder that supply chain attacks do not always target software code directly. Compromising infrastructure—especially update delivery systems—can be just as effective for sophisticated threat actors.
By responding quickly, improving transparency, and significantly strengthening update verification, the Notepad++ project has taken decisive steps to restore trust. For users, keeping software up to date and verifying official download sources remains more important than ever.