For almost six months, Notepad++'s software update mechanism was hijacked by a likely China-sponsored threat actor, who quietly redirected targeted users of the popular source code editor to malicious downloads. An infrastructure-level breach at Notepad++'s hosting provider allowed the attackers to intercept update traffic intended for the legitimate notepad-plus-plus.org domain and reroute it to attacker-controlled servers that delivered malicious payloads.

The breach occurred between June and December of 2025. The compromise of Notepad++'s updates is the latest in a series of supply chain attacks on the software ecosystem, which have become more frequent in recent years.

Updates Are Hijacked Due to a Compromised Hosting Provider

Notepad++'s primary maintainer, Don Ho, stated in a blog post on Monday that "the exact technical mechanism remains under investigation, though the compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself." "Traffic from certain targeted users was selectively redirected to attacker-controlled servers that served malicious update manifests." Notepad++ is an open source text and source-code editor widely used by developers and programmers. Additionally, to make it harder for an attacker to alter the update instructions while they are in transit, the update server now digitally signs the instructions it sends to the client.

Notepad++ will strictly enforce these checks starting with version 8.9.2, meaning the updater will refuse to install anything that fails verification, he said. Security researcher Kevin Beaumont, who first reported on several of the Notepad++ compromises, linked the attack to Violet Typhoon, a China-based advanced persistent threat (APT) actor that some track as APT31 and Zirconium. According to Beaumont, the group's targets via Notepad++'s updater included financial services companies and telecom providers of strategic interest to China.
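The signed-manifest defence described above, as an added illustration that is not Notepad++'s own code: the update server signs the manifest bytes with a private key kept off the hosting provider, and the client fails closed, rejecting a manifest whose signature is missing, invalid or made with the wrong key, and refusing a download URL that is not HTTPS on an allowlisted host. The manifest fields, the Ed25519 key pair, the host allowlist and the sample URL are all assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Manifest is a constructed, simplified update-manifest shape used for this
// example; it is an assumption, not Notepad++'s actual manifest format.
type Manifest struct {
	Version     string `json:"version"`
	DownloadURL string `json:"download_url"`
	SHA256      string `json:"sha256"` // expected installer hash, checked after download
}

// SignedManifest carries the serialized manifest plus a detached Ed25519 signature.
type SignedManifest struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

var (
	ErrBadSignature  = errors.New("update manifest signature missing or invalid")
	ErrUntrustedHost = errors.New("download URL is not https on an allowlisted host")
)

// SignManifest is the server side: it serializes the manifest and signs the
// bytes. The private key must not live on the (compromisable) hosting provider.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	payload, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// VerifyManifest is the client side and fails closed: the signature is checked
// against the pinned public key before any field is parsed or trusted, and the
// download URL must be https on an allowlisted host, so a manifest served from
// rerouted traffic cannot point the updater at another server.
func VerifyManifest(pub ed25519.PublicKey, sm SignedManifest, allowedHosts []string) (Manifest, error) {
	if len(sm.Signature) != ed25519.SignatureSize || !ed25519.Verify(pub, sm.Payload, sm.Signature) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(sm.Payload, &m); err != nil {
		return Manifest{}, err
	}
	u, err := url.Parse(m.DownloadURL)
	if err != nil || u.Scheme != "https" {
		return Manifest{}, ErrUntrustedHost
	}
	host := strings.ToLower(u.Hostname())
	for _, h := range allowedHosts {
		if host == h {
			return m, nil
		}
	}
	return Manifest{}, ErrUntrustedHost
}

func main() {
	// Constructed demo key pair; a real client pins a long-lived public key at build time.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	signed, _ := SignManifest(priv, Manifest{
		Version:     "8.9.2",
		DownloadURL: "https://notepad-plus-plus.org/downloads/example-installer.exe", // constructed sample URL
		SHA256:      "0000000000000000000000000000000000000000000000000000000000000000", // placeholder
	})
	allowed := []string{"notepad-plus-plus.org"}

	if m, err := VerifyManifest(pub, signed, allowed); err == nil {
		fmt.Println("accepted manifest for version", m.Version)
	}

	// Any modification in transit invalidates the signature, so the updater installs nothing.
	tampered := signed
	tampered.Payload = append([]byte(nil), signed.Payload...)
	tampered.Payload[len(tampered.Payload)-2] ^= 0x01
	_, err = VerifyManifest(pub, tampered, allowed)
	fmt.Println("tampered manifest rejected:", errors.Is(err, ErrBadSignature))
}
```

The design point is that the check is only as strong as where the private key lives: if the signing key sat on the same compromised hosting infrastructure, the attacker could sign their own manifests, so it belongs in an offline or HSM-backed signing step, with only the public key pinned in the updater.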

Meanwhile, Rapid7 attributed the supply chain attack to Lotus Blossom, another APT with ties to China.