- A Chinese state-supported group likely compromised Notepad++’s hosting infrastructure for six months, between June and December 2025.
- Malicious servers redirected select update requests to attacker-controlled servers, exploiting weak authentication and validation in earlier versions of the software.
- The attackers targeted specific users rather than compromising the entire Notepad++ supply chain.

A popular text editor used by millions just confirmed what security experts feared most. Notepad++ fell victim to a sophisticated infrastructure hijack. For half a year, attackers controlled part of the update system. They could have delivered malware to anyone downloading updates.
The developer of Notepad++ confirmed that the targeted attack manipulated the project’s former shared hosting system. The breach ran from June through December 2025. Attackers intercepted and selectively redirected update traffic to malicious servers, exploiting a critical weakness in how the software validated update packages before version 8.8.9 was released.
Attackers Controlled the Update Pipeline
The compromise happened at the infrastructure level, not through flaws in Notepad++’s code itself. Forensic investigations by independent security experts showed that the attack involved exploitation of the shared hosting server.
With that access, the attackers could inspect the requests sent to notepad-plus-plus.org and selectively act on them.
They specifically targeted the getDownloadUrl.php script, which the updater queries on the server to learn where to fetch an update. By manipulating this script, the attackers could point users at a server they controlled and have them download malicious binaries instead of legitimate updates.
The scheme worked because older versions of the updater (WinGUp) did not enforce strict certificate and signature validation on the installers the application downloaded.
Had the attackers chosen to deploy malware, they could have used tools such as the newly emerged ‘CastleCrypt’ malware crypter, which is designed to evade security software and so increase the chance of infecting targets undetected.
Chinese-Sponsored Group Was “Highly Selective” in Targeting
Several independent security experts concluded that the attack was most likely carried out by a group associated with the Chinese government. The attackers aimed to stay invisible to most users; accordingly, they targeted specific individuals rather than attempting a wide-scale infection.
This pattern of sophisticated, targeted compromise aligns with other major cyberattacks on high-value targets, including the major cyberattack on the U.S. Supreme Court to which a hacker recently pleaded guilty, and it highlights the broad scope of objectives in modern cyber campaigns.
The attack spanned approximately 6 months and unfolded in 2 phases. The first intrusion took place in June 2025, when the hackers gained access to the shared hosting service. From September 2 until scheduled provider maintenance in early October, which cut off any further access to the shared hosting server, they continued to use that access; in parallel, between September and December 2, they also relied on stolen internal service credentials.
That let them keep redirecting traffic even without control of the server. According to security experts, the campaign appeared to halt around November 10, 2025. The hosting provider rotated all affected credentials and finished its security hardening on December 2, 2025, ultimately locking the attackers out.
Notepad++ Fights Back with Hardened Security
The provider verified that no other clients on the shared server were attacked; the bad actors were specifically hunting the Notepad++ domain. The Notepad++ website has since moved to a newly secured hosting provider with an enhanced security framework, which offers much better protection against similar hijacking incidents.
To help prevent future hijacking attempts, Notepad++ v8.8.9 includes enhanced validation checks in WinGUp. It now requires both a valid digital signature and a matching certificate for any downloaded installer. If either check fails, the update is aborted automatically.
Looking forward, the project aims to adopt the XML Digital Signature (XMLDSig) standard for its update manifests. With this in place, the XML data received from the update server can be cryptographically signed, protecting its integrity and preventing altered download URLs. This will be enforced in release 8.9.2, which is due within the next month.
This incident is indicative of a broader trend. State-sponsored actors now target the software that organisations depend on, rather than relying solely on government or corporate targets. The length of time these attackers maintained access shows how complex such attacks have become.
It is one more sign that simply keeping up with patches may not be enough: being careful about where software is sourced from really matters.
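As an added illustration (example code written for this page, not WinGUp’s or the project’s own), here is a Go model of the weak update flow described in the WinGUp paragraph beside the hardened flow of 8.8.9 and the planned signed manifests: the manifest shape, the `example.invalid` URL and the installer bytes are constructed, the client pins an Ed25519 public key, and Ed25519 stands in for the page’s certificate/XMLDSig signing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest stands in for the update metadata the client fetches (hypothetical
// shape; the real WinGUp XML is not reproduced): where to download and what hash.
type Manifest struct{ URL, SHA256 string }

func (m Manifest) bytes() []byte { return []byte(m.URL + "\n" + m.SHA256) }

// VulnerableUpdate models the pre-8.8.9 flow: the server-supplied URL is
// trusted as-is, so whoever controls the server decides what gets installed.
func VulnerableUpdate(m Manifest, fetch func(string) []byte) []byte {
	return fetch(m.URL)
}

// HardenedUpdate models the 8.8.9/XMLDSig idea: the manifest must verify under
// a key pinned in the client, and the download must match the hash that signed
// manifest committed to. A redirected URL or swapped binary aborts the update.
func HardenedUpdate(pub ed25519.PublicKey, m Manifest, sig []byte, fetch func(string) []byte) ([]byte, error) {
	if !ed25519.Verify(pub, m.bytes(), sig) {
		return nil, errors.New("manifest signature invalid: aborting update")
	}
	installer := fetch(m.URL)
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, errors.New("installer hash mismatch: aborting update")
	}
	return installer, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed pinned key pair
	genuine := []byte("constructed: genuine installer bytes")
	sum := sha256.Sum256(genuine)
	m := Manifest{URL: "https://example.invalid/npp.exe", SHA256: hex.EncodeToString(sum[:])}
	sig := ed25519.Sign(priv, m.bytes())
	hijacked := func(string) []byte { return []byte("constructed: attacker binary") } // hijacked server
	fmt.Printf("vulnerable flow installed: %q\n", VulnerableUpdate(m, hijacked))
	_, err := HardenedUpdate(pub, m, sig, hijacked)
	fmt.Println("hardened flow:", err)
}
```

The hardened path rejects both a manifest whose URL was edited on the server (signature no longer verifies) and a genuine manifest whose download was swapped (hash mismatch).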