Notepad++ Hijacked by Chinese Hackers for Six Months
A Chinese state-sponsored group compromised Notepad++'s hosting infrastructure from June through December 2025, intercepting update traffic to push malicious installers to targeted users.
A six-month cyberattack against Notepad++ exposed how even widely used open source tools can become weapons in state-sponsored hacking campaigns. Security researchers now confirm that a Chinese threat actor compromised the text editor's hosting infrastructure, selectively targeting users with trojanized updates between June and December 2025.
The attack didn't exploit vulnerabilities in Notepad++ code itself. Instead, hackers breached the shared hosting provider's infrastructure, gaining the ability to intercept and redirect update requests from specific users to attacker-controlled servers serving malicious payloads.
"This is bad. Putty level bad." — Florian Roth ⚡️ (@cyb3rops), February 2, 2026, https://t.co/3w1C8YiBu8
The compromise operated at the infrastructure level, giving the attackers control over update delivery without touching the Notepad++ code base. When targeted Notepad++ installations checked for updates by contacting notepad-plus-plus.org/update/getDownloadUrl.php, the attackers redirected that traffic to their own servers. Those servers returned modified XML manifests pointing to compromised installers instead of legitimate updates.
What made this particularly dangerous was the selective targeting. The attackers didn't spray malware indiscriminately—they chose specific victims, a hallmark of advanced persistent threat operations typically associated with intelligence gathering rather than financial crime.
Multiple independent security researchers examining the attack patterns and infrastructure concluded the threat actor was likely a Chinese state-sponsored group. The highly selective nature of the campaign supports this assessment.
The hosting provider's forensic analysis revealed a complex, evolving compromise:
June 2025: Initial infrastructure breach occurs
September 2, 2025: Scheduled server maintenance and kernel updates inadvertently kicked attackers off the compromised server
September 2 - December 2, 2025: Despite losing direct server access, attackers retained credentials to internal services, allowing them to continue traffic redirection for three more months
November 10, 2025: Security experts' analysis indicates attack activity ceased (though provider data suggests potential access until December 2)
December 2, 2025: Hosting provider completed credential rotation and security hardening, definitively terminating attacker access
The fact that attackers maintained partial access for three months after losing their initial foothold demonstrates sophisticated persistence techniques and deep knowledge of the hosting environment.
Older versions of Notepad++ lacked rigorous update verification controls—a weakness the attackers clearly understood before launching their campaign. The hosting provider's statement explicitly notes that threat actors "might know the then-existing Notepad++ vulnerabilities related to insufficient update verification controls."
This represents a classic supply chain attack vector. Rather than trying to compromise end users directly, the attackers positioned themselves as a man-in-the-middle between legitimate software and its users.
Notepad++ developer Don Ho moved quickly once the compromise was discovered. The project immediately migrated to a new hosting provider with stronger security practices.
Version 8.8.9 introduced critical security enhancements to WinGup, Notepad++'s update component. The updater now verifies both the certificate and digital signature of downloaded installers before executing them. Additionally, the XML manifests returned by update servers are now signed using XMLDSig.
Version 8.9.2, expected within a month of the February 2 disclosure, will enforce these verification requirements, making similar attacks significantly harder to execute.
The former hosting provider also took remedial action after their investigation concluded. They rotated all credentials that could have been compromised, patched vulnerabilities exploited in the attack, and verified that no other customers on the shared hosting environment were targeted. Logs show attackers attempted to re-exploit one of the fixed vulnerabilities after patches were deployed but failed.
Don Ho recommends that all Notepad++ users download version 8.9.1 or later and manually run the installer to ensure they're running clean, verified code. Users should treat this as urgent—any Notepad++ installation that received updates between June and December 2025 could potentially be compromised.
The security community generally advises running antivirus scans and checking for unusual system behavior if you used Notepad++ during the compromise window. Because the targeting was selective, most users were likely unaffected, but caution is warranted.
This incident highlights persistent weaknesses in open source software distribution. While Notepad++ itself had no code vulnerabilities, the infrastructure distributing it became the attack surface. Hosting providers for popular open source projects become high-value targets for sophisticated threat actors.
The attack also demonstrates why cryptographic verification of software updates matters. The verification features added in version 8.8.9 would have prevented this attack entirely if they'd existed earlier. Every software update mechanism should verify signatures before executing downloaded code.
State-sponsored groups continue targeting developer tools and widely-distributed software as force multipliers. Compromising a single update server can potentially reach thousands of targets simultaneously—an efficient approach for intelligence operations.
The silver lining is that the open source community's rapid response and transparency about the incident sets a strong example. Full disclosure helps other projects learn from these attacks and strengthen their own security postures.