The Notepad++ developer has acknowledged that the project's previous shared hosting infrastructure was compromised between June and December 2025 in a targeted attack attributed to a suspected Chinese state-sponsored threat actor. By taking advantage of a flaw in the way the program verified update packages prior to the release of version 8.8.9, the attackers were able to intercept and selectively reroute update traffic to malicious servers.
Infrastructure-Level Hijacking

According to the forensic analysis carried out by independent security experts and the previous hosting provider, the compromise happened at the infrastructure level rather than through a flaw in the Notepad++ codebase itself. By gaining access to the shared hosting server, the attackers were able to intercept requests meant for notepad-plus-plus.org. The attack specifically targeted the getDownloadUrl.php script used by the application’s updater.
By controlling this endpoint, the threat actors could selectively reroute particular users to servers under their control that hosted malicious binaries. Because earlier versions of the updater (WinGUp) did not strictly enforce certificate and signature validation for downloaded installers, these malicious payloads were served in place of the official update. Multiple independent security researchers have assessed that the campaign was likely conducted by a Chinese state-sponsored group.
The targeting was described as “highly selective,” focusing on specific users rather than a broad supply-chain infection.
The compromise spanned approximately six months, with the hosting provider identifying two distinct phases of unauthorized access:

Date | Event | Description
June 2025 | First Compromise | The shared hosting server is accessed by attackers.
September 2, 2025 | Server Access Lost | A scheduled maintenance update (kernel/firmware) by the provider severed the attackers’ direct server access.
September 2–December 2, 2025 | Credential Persistence | Attackers maintained access via stolen internal service credentials, allowing continued traffic redirection despite losing server control.
November 10, 2025 | Attack Ceased (Estimate) | According to security experts, the ongoing attack campaign seemed to come to an end at this time.
December 2, 2025 | Access Terminated | Hosting provider rotated all credentials and completed security hardening, definitively blocking the attackers.
December 9, 2025 | Mitigation Released | Notepad++ v8.8.9 released with hardened update verification.
The hosting company verified that the attackers only targeted the Notepad++ domain and did not target any other clients on the shared server. In response to the incident, the Notepad++ website has been moved to a new provider with improved security measures. To stop similar hijacking attempts, Notepad++ version 8.8.9 implemented stringent validation within WinGUp, requiring a valid digital signature and a matching certificate for any downloaded installer.
The update procedure is now automatically stopped if these checks fail. Looking ahead, the project is implementing the XMLDSig (XML Digital Signature) standard for update manifests.
This reinforcement will ensure that the XML data returned by the update server is cryptographically signed, preventing tampering with the download URLs. Version 8.9.2, which is anticipated to be released within the next month, will enforce this feature.
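As an added illustration (not code from Notepad++ or WinGUp), the following Go program shows the pattern the hardened updater is described as relying on: the update manifest is signed by the publisher and verified against a pinned key before its download URL is trusted, and the fetched installer is checked against the signed hash, with the update aborted on any failure. Ed25519 over a canonical text rendering stands in for XMLDSig and Authenticode; the manifest fields, URLs, key pair and installer bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest: installer URL and expected hash as returned by the update endpoint; both are signed,
// so a hijacked endpoint cannot swap the URL without invalidating the signature.
type Manifest struct {
	Version, URL, SHA256 string
}

// canonical gives signer and verifier identical bytes (stand-in for XML canonicalization).
func canonical(m Manifest) []byte {
	return []byte(m.Version + "\n" + m.URL + "\n" + m.SHA256 + "\n")
}

var ErrBadManifest = errors.New("manifest signature invalid: update aborted")
var ErrBadInstaller = errors.New("installer hash mismatch: update aborted")
// SignManifest is the publisher side: sign the canonical manifest offline.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, canonical(m))
}

// VerifyUpdate is the client side: accept only if the manifest verifies under the pinned
// publisher key and the downloaded installer matches the signed hash.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig, installer []byte) error {
	if !ed25519.Verify(pub, canonical(m), sig) {
		return ErrBadManifest
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrBadInstaller
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed stand-in for the pinned publisher key
	installer := []byte("constructed installer bytes")
	sum := sha256.Sum256(installer)
	m := Manifest{"8.8.9", "https://example.invalid/npp.exe", hex.EncodeToString(sum[:])}
	sig := SignManifest(priv, m)
	fmt.Println("genuine:", VerifyUpdate(pub, m, sig, installer))
	m.URL = "https://redirected.invalid/npp.exe" // URL rewritten after signing, as a hijacked endpoint would
	fmt.Println("hijacked:", VerifyUpdate(pub, m, sig, installer))
}
```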