The maintainer of Notepad++ has revealed that state-sponsored attackers hijacked the utility's update mechanism to redirect update traffic to malicious servers instead This article explores occasionally redirected malicious. . "The attack involved [an] infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org," stated Don Ho, a developer.

"Vulnerabilities in Notepad++ code itself were not the cause of the compromise; rather, it happened at the hosting provider level." The exact mechanism through which this was realized is currently being investigated, Ho added. The development comes a little over a month after Notepad++ released version 8.8.9 to address an issue that resulted in traffic from WinGUp, the Notepad++ updater, being "occasionally" redirected to malicious domains, resulting in the download of poisoned executables.

Specifically, the problem stemmed from the way the updater verified the integrity and authenticity of the downloaded update file, allowing an attacker who is able to intercept network traffic between the updater client and the update server to trick the tool into downloading a different binary instead. This redirection is thought to have been highly targeted, as only specific users' traffic was sent to the rogue servers, which then retrieved the malicious components. It is estimated that the incident started in June 2025, which is more than six months before it was discovered.

Independent security researcher Kevin Beaumont revealed that the flaw was being exploited by threat actors in China to hijack networks and deceive targets into downloading malware.

In response to the security incident, the Notepad++ website has been migrated to a new hosting provider.