Notepad++ Hijacked by State-Sponsored Hackers

An investigation into the compromise of the Notepad++ update infrastructure found that, from June 2025, a shared hosting server was breached by a threat actor believed to be a Chinese state-sponsored group, which enabled interception and redirection of Notepad++ update traffic. Although server access was lost on September 2, 2025, the attackers retained credentials until December 2, 2025, and continued the malicious update redirection. These attacks exploited older, insufficient update verification methods in Notepad++. The hosting provider undertook remediation and security hardening, fully terminating attacker access by December 2. Notepad++ subsequently migrated to a new hosting provider with enhanced security, strengthened update verification via WinGup in v8.8.9, and plans to enforce signature validation with the upcoming v8.9.2. Users are urged to update to v8.9.1 to apply the security enhancements. The developer apologizes for the impact on users and considers the issue resolved.

Category: Cyber & Information Warfare

Subcategory: Cyber Attacks

Incident Type: Hacking, malware, ransomware

Country: Unknown

Source report: notepad-plus-plus.org/news/hija…
