Notepad++ vulnerability: State-sponsored hackers hijacked Notepad++ and redirected update traffic for months
For nearly half a year, one of the world’s most widely used text editors quietly sat at the center of a supply-chain attack that few users ever saw coming.
Notepad++ has confirmed that a suspected Chinese state-sponsored hacking group compromised its update delivery infrastructure, selectively redirecting certain users' update requests to attacker-controlled update manifests between June and December 2025. The project says the breach did not stem from flaws in its codebase, but from a compromise at the shared hosting provider level that allowed attackers to interfere with update traffic in flight.
The incident began in June 2025, when attackers gained access to a shared hosting server that served update requests for notepad-plus-plus.org. Security researchers involved in the investigation say the attackers demonstrated a high level of precision, targeting only specific traffic rather than indiscriminately infecting all users. That selectivity, paired with the infrastructure-level access, led multiple independent analysts to conclude the operation was likely state-backed.
“According to the analysis provided by the security experts, the attack involved infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org. The exact technical mechanism remains under investigation, though the compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself. Traffic from certain targeted users was selectively redirected to attacker-controlled malicious update manifests,” Notepad++ said in a statement.
Notepad++ Hacked: Confirms Targeted State-Backed Attack That Redirected Users to Malicious Updates
According to findings shared by Notepad++ and its former hosting provider, the attackers initially retained direct access to the server until September 2, 2025. A scheduled kernel and firmware update that day appears to have cut off that access. However, the attack did not end.
Logs reviewed during the investigation show that the attackers had already obtained credentials tied to internal hosting services. Those credentials remained valid until December 2, 2025, allowing continued redirection of update requests long after the server itself had been secured. In practical terms, that meant some users requesting update information from Notepad++ were quietly sent elsewhere, receiving malicious update manifests controlled by the attackers.
The hosting provider says no other customers on the same infrastructure were targeted. Logs indicate the attackers searched directly for the notepad-plus-plus.org domain and focused on the project’s update endpoint, apparently aware that older versions of Notepad++ relied on insufficient update verification controls.
The hosting provider’s statement outlines a cleanup process that wrapped up in early December. Vulnerabilities believed to have been used in the attack were patched, all internal credentials were rotated, and log reviews across other servers failed to surface similar activity. The provider says the attackers’ later attempt to reenter the environment was unsuccessful.
There remains some uncertainty around the precise end date of the attack. Independent security experts involved in the response believe malicious activity stopped around November 10, 2025. The hosting provider’s records suggest credential-based access could have persisted until December 2. Based on both accounts, Notepad++ now estimates the full compromise window stretched from June through early December.
Once the scope became clear, Notepad++ took corrective action. The project migrated its website and update infrastructure to a new hosting provider with stricter security controls. Inside the application itself, changes landed quickly.
In version 8.8.9, the WinGup updater was modified to verify both the certificate and the signature of downloaded installers. The XML data returned by the update server is now signed as well, with enforcement of certificate and signature checks scheduled to become mandatory in version 8.9.2, expected in the coming weeks. Those changes aim to prevent update traffic from being altered without detection, even if an upstream system were compromised again.
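The verification that fix describes, shown here as an added example in Go; this is not WinGup's code and not Notepad++'s real manifest format. A hypothetical XML manifest carries the version, the installer download URL and the installer's SHA-256, plus an Ed25519 signature made with a key the publisher keeps off the web host. The client pins the public key, refuses to use the download URL until the manifest signature verifies, and refuses to run the installer until its digest matches the verified manifest. The element names, the fixed seed in `DemoKeyPair`, the URLs and the installer bytes are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update response (not WinGup's real format): the
// fields an updater needs plus a detached signature over the canonical bytes of
// the other fields. The signing key stays with the publisher, not on the web
// host, so a hijacked update endpoint cannot mint a manifest the client accepts.
type Manifest struct {
	XMLName   xml.Name `xml:"Update"`
	Version   string   `xml:"Version"`
	Location  string   `xml:"Location"`            // installer download URL
	SHA256    string   `xml:"SHA256"`              // hex digest of the installer
	Signature string   `xml:"Signature,omitempty"` // base64 Ed25519 over canonicalBytes()
}

// canonicalBytes fixes what gets signed independently of XML serialisation
// details. Fields are length-prefixed so no boundary between them can be
// shifted without changing the signed bytes.
func (m Manifest) canonicalBytes() []byte {
	var b bytes.Buffer
	for _, f := range []string{m.Version, m.Location, m.SHA256} {
		fmt.Fprintf(&b, "%d:%s,", len(f), f)
	}
	return b.Bytes()
}

// NewManifest builds an unsigned manifest describing an installer image.
func NewManifest(version, location string, installer []byte) Manifest {
	sum := sha256.Sum256(installer)
	return Manifest{Version: version, Location: location, SHA256: hex.EncodeToString(sum[:])}
}

// SignManifest is the publisher side: sign offline, then serialise to XML.
func SignManifest(priv ed25519.PrivateKey, m Manifest) ([]byte, error) {
	m.Signature = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, m.canonicalBytes()))
	return xml.Marshal(m)
}

// VerifyManifest is the client side: nothing in the manifest, the download URL
// included, is used before the signature verifies against the pinned key.
func VerifyManifest(pub ed25519.PublicKey, raw []byte) (Manifest, error) {
	var m Manifest
	if err := xml.Unmarshal(raw, &m); err != nil {
		return Manifest{}, fmt.Errorf("manifest parse: %w", err)
	}
	sig, err := base64.StdEncoding.DecodeString(m.Signature)
	if err != nil {
		return Manifest{}, fmt.Errorf("manifest signature encoding: %w", err)
	}
	if !ed25519.Verify(pub, m.canonicalBytes(), sig) { // false for a missing or wrong signature
		return Manifest{}, errors.New("manifest signature invalid: refusing to use download URL")
	}
	return m, nil
}

// VerifyInstaller binds the downloaded bytes to the verified manifest, so a
// payload swapped at the download host is caught as well.
func VerifyInstaller(m Manifest, installer []byte) error {
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || len(want) != sha256.Size {
		return errors.New("manifest digest malformed")
	}
	if got := sha256.Sum256(installer); !bytes.Equal(want, got[:]) {
		return errors.New("installer digest mismatch: refusing to run installer")
	}
	return nil
}

// DemoKeyPair derives a key pair from a fixed, constructed seed so the example is
// reproducible; a real publisher generates the seed randomly and keeps it offline.
func DemoKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := DemoKeyPair()
	installer := []byte("constructed stand-in for an installer image")
	raw, err := SignManifest(priv, NewManifest("8.9.1", "https://example.invalid/npp.8.9.1.Installer.x64.exe", installer))
	if err != nil {
		panic(err)
	}
	m, err := VerifyManifest(pub, raw)
	fmt.Println("genuine manifest accepted:", err == nil, "installer digest ok:", VerifyInstaller(m, installer) == nil)
	// An attacker controlling the endpoint rewrites the URL but cannot re-sign.
	hijacked := bytes.Replace(raw, []byte("example.invalid"), []byte("attacker.invalid"), 1)
	_, err = VerifyManifest(pub, hijacked)
	fmt.Println("hijacked manifest rejected:", err != nil)
	// A legacy unsigned manifest is rejected once signature checks are enforced.
	_, err = VerifyManifest(pub, []byte("<Update><Version>8.9.1</Version><Location>https://attacker.invalid/x.exe</Location><SHA256>00</SHA256></Update>"))
	fmt.Println("unsigned manifest rejected:", err != nil)
}
```

Two design points carry over to any real updater. First, the order of operations: the URL is untrusted until the manifest verifies, and the installer is untrusted until its digest matches the verified manifest. Second, where the keys live: a shared secret or a signing key stored next to the update endpoint would have been available to attackers who held the host's credentials, so the verifying key has to ship inside the client and the signing key has to stay off the update server. Signing a canonical form rather than the raw XML keeps the check independent of whitespace and element order; a production design should also stop an attacker from replaying an older, genuinely signed manifest, for instance by having the client refuse any version below the one already installed.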
“I deeply apologize to all users affected by this hijacking,” the project’s maintainer wrote in the disclosure. Users are encouraged to manually install version 8.9.1 or newer to receive the security improvements.
The investigation left one notable gap. Despite reviewing roughly 400 GB of server logs, the incident response team was unable to extract concrete indicators of compromise such as hashes, domains, or IP addresses. Requests for indicators from the former hosting provider did not yield additional data. That absence makes independent detection harder for organizations attempting retrospective analysis.
On February 3, 2026, Notepad++ updated its disclosure after Rapid7 reached out to share its own parallel investigation. The security firm reported findings consistent with Notepad++’s account and said it had uncovered more tangible forensic evidence, including indicators tied to the campaign.
For users, the episode serves as another reminder that supply-chain attacks no longer require breaching application code to succeed. Control over infrastructure, credentials, or update pathways can be enough, especially when trust in software updates runs deep.
Notepad++ believes the incident has been fully contained. With infrastructure changes in place and stricter verification enforced in upcoming releases, the project says the update channel is now secure. Fingers crossed.
Below is the message the former hosting provider sent to Notepad++ with its findings.
Dear Customer,
We want to further update you following the previous communication with us about your server compromise and further investigation with your incident response team.
We discovered the suspicious events in our logs, which indicate that the server (where your application https://notepad-plus-plus.org/update/getDownloadUrl.php was hosted until the 1st of December, 2025) could have been compromised.
As a precautionary measure, we immediately transferred all clients’ web hosting subscriptions from this server to a new server and continued our further investigation.
Here are the key finding points:
1. The shared hosting server in question was compromised until the 2nd of September, 2025. On this particular date, the server had scheduled maintenance where the kernel and firmware were updated. After this date, we could not identify any similar patterns in logs, and this indicates that the bad actors had lost access to the server. We also found no evidence of similar patterns on any other shared hosting servers.
2. Even though the bad actors have lost access to the server from the 2nd of September, 2025, they maintained the credentials of our internal services existing on that server until the 2nd of December, which could have allowed the malicious actors to redirect some of the traffic going to https://notepad-plus-plus.org/getDownloadUrl.php to their own servers and return the updates download URL with compromised updates.
3. Based on our logs, we see no other clients hosted on this particular server being targeted. The bad actors specifically searched for the https://notepad-plus-plus.org/ domain with the goal to intercept the traffic to your website, as they might have known the then-existing Notepad++ vulnerabilities related to insufficient update verification controls.
4. After concluding our research, the investigated security findings were no longer observed in the web hosting systems from the 2nd of December, 2025, onwards, as:
* We have fixed vulnerabilities, which could have been used to target Notepad++. In particular, we do have logs indicating that the bad actor tried to re-exploit one of the fixed vulnerabilities; however, the attempt did not succeed after the fix was implemented.
* We have rotated all the credentials that bad actors could have obtained until the 2nd of September, 2025.
* We have checked the logs for similar patterns in all web hosting servers and couldn’t find any evidence of systems being compromised, exploited in a similar way, or data breached.
While we have rotated all the secrets on our end, below you will find the preventive actions you should take to maximize your security. However, if the actions below have already been done after the 2nd of December, 2025, no actions are needed from your side.
* Change credentials for SSH, FTP/SFTP, and MySQL database.
* Review administrator accounts for your WordPress sites (if you have any), change their passwords, and remove unnecessary users.
* Update your WordPress sites (if you have any) plugins, themes, and core version, and turn on automatic updates, if applicable.
