The Notepad++ developer has acknowledged that the project's previous shared hosting infrastructure was compromised between June and December 2025 in a targeted attack attributed to a suspected Chinese state-sponsored threat actor. By taking advantage of a flaw in the way the program verified update packages prior to the release of version 8.8.9, the attackers were able to intercept and selectively reroute update traffic to malicious servers.

Infrastructure-Level Hijacking

The compromise happened at the infrastructure level rather than due to a flaw in the Notepad++ codebase itself, according to the forensic analysis carried out by independent security experts and the previous hosting provider. The attackers gained access to the shared hosting server, allowing them to intercept requests destined for notepad-plus-plus.org. The attack specifically targeted the getDownloadUrl.php script used by the application's updater.

By controlling this endpoint, the threat actors could selectively redirect specific users to attacker-controlled servers hosting malicious binaries. These malicious payloads were served instead of the legitimate update, leveraging the fact that older versions of the updater (WinGUp) did not strictly enforce certificate and signature validation for downloaded installers. Multiple independent security researchers have assessed that the campaign was likely conducted by a Chinese state-sponsored group.

The targeting was described as “highly selective,” focusing on specific users rather than a broad supply-chain infection.

The compromise spanned approximately six months, with the hosting provider identifying two distinct phases of unauthorized access:

June 2025: Initial Compromise. Attackers gain access to the shared hosting server.
September 2, 2025: Server Access Lost. A scheduled maintenance update (kernel/firmware) by the provider severed the attackers' direct server access.
September 2 to December 2, 2025: Credential Persistence. Despite losing server control, the attackers were able to continue traffic redirection by using stolen internal service credentials.
November 10, 2025: Attack Ceased (Estimate). According to security experts, the ongoing attack campaign seemed to come to an end at this time.
December 2, 2025: Access Terminated. After completing security hardening and rotating all credentials, the hosting provider successfully stopped the attackers.

Notepad++ v8.8.9 with hardened update verification was released on December 9, 2025.

The hosting company verified that the attackers only targeted the Notepad++ domain and did not target any other clients on the shared server. In response to the incident, the Notepad++ website has been migrated to a new provider with enhanced security protocols. Notepad++ version 8.8.9 implemented stringent validation within WinGUp, requiring a valid digital signature and a matching certificate for any downloaded installer, in order to stop similar hijacking attempts.

The update procedure is now automatically aborted if either of these checks fails. Looking ahead, the project is implementing the XMLDSig (XML Digital Signature) standard for update manifests.

This reinforcement guarantees that the XML data returned by the update server is cryptographically signed, so the download URLs it carries cannot be manipulated by anyone controlling the server or the path to it. Version 8.9.2, which is anticipated to be released within the next month, will enforce this feature.
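The following is an added example, not code from Notepad++ or WinGUp, sketching in Go the two controls the article describes: the v8.8.9 rule that a downloaded installer must carry a valid signature from the expected signer, and the planned signing of the update manifest so that the download URL it returns cannot be rewritten on a compromised server. A pinned Ed25519 public key stands in for the "matching certificate" check; the manifest layout, the host name, the function names and the installer bytes are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
)

// Manifest stands in for what the updater fetches from the update server; the URL
// is the field a server-side attacker would rewrite, so the signature must cover it.
type Manifest struct {
	Version, URL, SHA256 string // SHA256 is the hex digest of the installer bytes
}

func (m Manifest) bytesToSign() []byte {
	return []byte(m.Version + "\n" + m.URL + "\n" + m.SHA256 + "\n")
}

// Verifier holds what ships inside the updater: the pinned signing key (standing in
// for the "matching certificate" check) and the only host it will download from.
type Verifier struct {
	PinnedKey   ed25519.PublicKey
	AllowedHost string
}

// VerifyUpdate aborts at the first failed check: key matches the pin, manifest
// signature valid, URL on the expected host over HTTPS, installer hash and
// signature match. Only a nil return lets the updater run the installer.
func (v Verifier) VerifyUpdate(signerKey ed25519.PublicKey, m Manifest, mSig, installer, iSig []byte) error {
	if !signerKey.Equal(v.PinnedKey) {
		return errors.New("signing key does not match the pinned one")
	}
	if !ed25519.Verify(signerKey, m.bytesToSign(), mSig) {
		return errors.New("manifest signature invalid; download URL cannot be trusted")
	}
	u, err := url.Parse(m.URL)
	if err != nil || u.Scheme != "https" || u.Host != v.AllowedHost {
		return errors.New("manifest URL is not the expected host over HTTPS")
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("installer hash does not match the signed manifest")
	}
	if !ed25519.Verify(signerKey, installer, iSig) {
		return errors.New("installer signature invalid")
	}
	return nil
}

// Outcome records three cases: a genuine update, a manifest whose URL was rewritten
// on the server, and a different binary served at the genuine URL under another key.
type Outcome struct{ LegitAccepted, RedirectRejected, SwappedRejected bool }

// Scenario generates a throwaway release key (a real updater ships only the public
// half) and runs the verifier over constructed artifacts for each case.
func Scenario() (Outcome, error) {
	var out Outcome
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	v := Verifier{PinnedKey: pub, AllowedHost: "updates.example.invalid"}
	installer := []byte("constructed installer bytes")
	sum := sha256.Sum256(installer)
	m := Manifest{Version: "x.y.z", URL: "https://updates.example.invalid/setup.exe", SHA256: hex.EncodeToString(sum[:])}
	mSig := ed25519.Sign(priv, m.bytesToSign())
	iSig := ed25519.Sign(priv, installer)
	out.LegitAccepted = v.VerifyUpdate(pub, m, mSig, installer, iSig) == nil

	// Case 2: an attacker controlling the endpoint rewrites the URL but cannot re-sign.
	redirected := m
	redirected.URL = "https://attacker.example.invalid/setup.exe"
	out.RedirectRejected = v.VerifyUpdate(pub, redirected, mSig, installer, iSig) != nil

	// Case 3: a different binary at the genuine URL, signed with the attacker's own key.
	evilPub, evilPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	evil := []byte("constructed substituted binary")
	out.SwappedRejected = v.VerifyUpdate(evilPub, m, mSig, evil, ed25519.Sign(evilPriv, evil)) != nil
	return out, nil
}

func main() {
	out, err := Scenario()
	fmt.Printf("%+v err=%v\n", out, err)
}
```

The order of the checks is deliberate: the key pin is compared before any signature is verified, and the URL is checked against the signed manifest before any download is trusted, so a server that can only rewrite responses (the position the attackers held after September 2, 2025) has no field left to tamper with that the client does not independently verify.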