The developer behind Notepad++, the ubiquitous open-source text editor found on millions of developer desktops, has confirmed a severe security incident involving a months-long compromise of its update infrastructure. In a transparency report released today, the project revealed that state-sponsored actors hijacked the software’s update mechanism to deliver malicious payloads to select targets.
The incident, which ran from June 2025 until early December 2025, did not exploit a flaw in the software’s code, but rather targeted the servers that host it.
According to the report, the attackers compromised the shared hosting provider used by the Notepad++ project. With access at that level, they could silently intercept traffic destined for the official website and reroute it to servers under their control.
“The attack involved infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org,” the report states.
Crucially, this was not a “spray and pray” attack. The hackers leveraged the compromised infrastructure to perform “highly selective targeting,” delivering malicious update manifests only to specific users of interest while leaving the vast majority of the user base untouched.
The sophistication and selectivity of the campaign point to a well-resourced adversary. Independent security researchers involved in the investigation have assessed that “the threat actor is likely a Chinese state-sponsored group, which would explain the highly selective targeting observed during the campaign”.
The attackers exploited “insufficient update verification controls that existed in older versions of Notepad++” to push these poisoned updates. By the time the hosting provider evicted the attackers on December 2, 2025, the campaign had been active for roughly six months.
In response to the breach, the Notepad++ project has migrated its website to a new hosting provider with stricter security practices. Furthermore, the software’s update mechanism, WinGup, has been significantly overhauled in version 8.8.9.
The new updater can now “verify both the certificate and the signature of the downloaded installer”. Additionally, the project is implementing XMLDSig to sign the XML files returned by the update server, ensuring that the update instructions the software receives are authentic before it acts on them.
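Added example, not Notepad++ or WinGup code: a Go sketch of the fail-closed check the overhaul describes, where a detached Ed25519 signature over the manifest bytes stands in for XMLDSig and the client trusts only a pinned publisher key, so a hosting-level redirect that serves a different manifest or installer is rejected. The Manifest type, its fields, the key pair and the URLs are assumptions; X.509 certificate-chain validation of the installer is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a constructed stand-in for the XML update manifest; only the
// fields the verification needs are modelled.
type Manifest struct {
	Version string
	URL     string
	SHA256  string // hex digest of the installer the manifest points to
}

// Bytes is the canonical byte form that is signed and verified.
func (m Manifest) Bytes() []byte {
	return []byte(m.Version + "\n" + m.URL + "\n" + m.SHA256 + "\n")
}

// VerifyUpdate is the client-side check: the manifest must carry a valid
// signature under the pinned publisher key, and the downloaded installer must
// hash to the digest the signed manifest names. Any failure rejects the update.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, sig, installer []byte) error {
	if !ed25519.Verify(pinned, m.Bytes(), sig) {
		return errors.New("manifest signature invalid: refusing update")
	}
	got := sha256.Sum256(installer)
	if hex.EncodeToString(got[:]) != m.SHA256 {
		return errors.New("installer digest does not match signed manifest")
	}
	return nil
}

func main() {
	// Constructed demo key pair; in practice only the public key ships with the client.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	installer := []byte("constructed installer bytes")
	sum := sha256.Sum256(installer)
	m := Manifest{Version: "8.8.9", URL: "https://example.invalid/npp.exe", SHA256: hex.EncodeToString(sum[:])}
	sig := ed25519.Sign(priv, m.Bytes())
	fmt.Println("genuine:", VerifyUpdate(pub, m, sig, installer))
	// A redirecting server that swaps the URL or digest breaks the signature, so the pinned key rejects it.
	m.URL = "https://attacker.invalid/npp.exe"
	fmt.Println("tampered:", VerifyUpdate(pub, m, sig, installer))
}
```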
The project’s lead developer issued a personal apology regarding the incident: “I deeply apologize to all users affected by this hijacking”.
With the infrastructure moved and the code hardened, the project believes the immediate threat is neutralized. As the report concludes: “With these changes and reinforcements, I believe the situation has been fully resolved. Fingers crossed”. Users are strongly advised to update to version 8.8.9 or later immediately to benefit from the new verification protections.