
Notepad++ Hijacked by State-Sponsored Hackers in Supply Chain Attack

Published on February 2, 2026

The popular open-source text editor Notepad++ has disclosed a sophisticated supply chain attack that allowed suspected Chinese state-sponsored hackers to hijack its update mechanism and deliver malware to targeted users between June and December 2025. The revelation, detailed in a security advisory published this week, has sent shockwaves through the developer community as millions rely on the lightweight code editor for daily programming tasks.

According to the disclosure, attackers compromised the hosting provider infrastructure rather than the Notepad++ codebase itself, enabling them to intercept and redirect update traffic destined for notepad-plus-plus.org. The advisory stated that traffic from certain targeted users was selectively redirected to attacker-controlled servers that served malicious update manifests, resulting in compromised executable files being downloaded to victim systems instead of legitimate updates.

Security researcher Kevin Beaumont first reported unusual activity affecting Notepad++ users, noting that the attacks specifically targeted telecommunications and financial services companies across East Asia. Beaumont observed that the victims were organizations with interests in East Asia and that the activity appeared very targeted, with hands-on-keyboard reconnaissance beginning roughly two months earlier. Multiple independent security researchers have assessed that the threat actor is likely a Chinese state-sponsored group, which would explain the highly selective targeting observed during the campaign.

The attack timeline reveals that the attackers initially gained access to the shared hosting server in June 2025. Scheduled maintenance on September 2, which included kernel and firmware updates, severed their direct access to the server, but the attackers still held stolen credentials for internal services and used them to keep redirecting update traffic to compromised servers until December 2. All remediation and security hardening were completed by the hosting provider by December 2, 2025.

In response to the breach, Notepad++ has migrated to a new hosting provider with significantly stronger security practices and released version 8.8.9 with critical security enhancements. The WinGUp updater component now verifies both the certificate and signature of downloaded installers, and XML update manifests are digitally signed using XMLDSig. Starting with the upcoming version 8.9.2, certificate and signature verification will be mandatory. Users are strongly urged to update immediately and remove any previously installed Notepad++ root certificates, as the latest versions now use certificates issued by GlobalSign.
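As an added illustration of the advice above (not code from the Notepad++ project or the advisory), the following PowerShell script checks a downloaded installer's Authenticode signature, requires the signer chain to involve GlobalSign, and lists any leftover root-store certificates whose subject mentions Notepad++. The `$InstallerPath` parameter and the `*Notepad++*` subject pattern are assumptions for illustration.

```powershell
# Added example: defender-side checks before installing a Notepad++ update.
# Assumes $InstallerPath is the downloaded installer; the '*Notepad++*' subject
# pattern for legacy root certificates is an assumption, not from the advisory.
param(
    [Parameter(Mandatory = $true)]
    [string]$InstallerPath
)

# 1. The installer's Authenticode signature must verify and chain to a trusted root.
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status is '$($sig.Status)' - do not install."
    exit 1
}

# 2. Build the signer's chain and require a GlobalSign issuer somewhere in it,
#    since current releases are signed with GlobalSign-issued certificates.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$null = $chain.Build($sig.SignerCertificate)
$issuers = $chain.ChainElements | ForEach-Object { $_.Certificate.Issuer }
if (-not ($issuers -match 'GlobalSign')) {
    Write-Warning "Signer chain does not involve GlobalSign: $($issuers -join ' | ')"
    exit 1
}
Write-Host "Signer: $($sig.SignerCertificate.Subject)"
Write-Host "Chain:  $($issuers -join ' -> ')"

# 3. Report legacy Notepad++ root certificates that the advisory says to remove.
$stale = Get-ChildItem Cert:\CurrentUser\Root, Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*Notepad++*' }
if ($stale) {
    Write-Warning "Root store still contains certificate(s) to review and remove:"
    $stale | Format-Table Thumbprint, Subject, NotAfter
    # Remove-Item -Path $stale.PSPath   # uncomment after reviewing the list
}
```

Removing entries from `Cert:\LocalMachine\Root` requires an elevated session; the script only lists them so the operator can review before deleting.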

Sources: Notepad++ Official, SecurityWeek, Cybersecurity News, Kevin Beaumont (DoublePulsar)
