Chinese state-sponsored threat actors were likely behind the hijacking of Notepad++ update traffic last year that lasted for almost half a year, the developer states in an official announcement today.
The attackers intercepted and selectively redirected update requests from certain users to malicious servers, serving tampered update manifests by exploiting a security gap in the Notepad++ update verification controls.
A statement from the hosting provider for the update feature explains that its logs indicate the attacker compromised the server hosting the Notepad++ update application.
External security experts helping with the investigation found that the attack started in June 2025. According to the developer, the breach had a narrow targeting scope and redirected only specific users to the attacker’s infrastructure.
“Multiple independent security researchers have assessed that the threat actor is likely a Chinese state-sponsored group, which would explain the highly selective targeting observed during the campaign,” reads Notepad++’s announcement.
“The attackers specifically targeted the Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++.”
In December, Notepad++ released version 8.8.9 to address a security weakness in its WinGUp update tool after multiple researchers reported that the updater would receive malicious packages instead of legitimate ones.
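As an added illustration (not WinGUp's or Notepad++'s own code), the following Go program shows the class of control the article says was missing: an updater that accepts a manifest only when it verifies under a pinned publisher key and then checks the downloaded package against the hash in that authenticated manifest, so a manifest or package swapped in by a redirected host is refused. The manifest format, key pair and URLs are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Manifest is a constructed example format for an update manifest.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
}

// VerifyManifest trusts a manifest body only if its signature verifies under
// the pinned publisher key, no matter which server delivered it.
func VerifyManifest(pub ed25519.PublicKey, body, sig []byte) (*Manifest, error) {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, body, sig) {
		return nil, fmt.Errorf("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := json.Unmarshal(body, &m); err != nil {
		return nil, fmt.Errorf("manifest malformed: %w", err)
	}
	return &m, nil
}

// VerifyPackage compares the downloaded bytes with the hash carried in the
// authenticated manifest, so a package swapped in by a redirected host fails.
func VerifyPackage(m *Manifest, pkg []byte) error {
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return fmt.Errorf("package hash mismatch: refusing install")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed publisher key pair
	pkg := []byte("constructed installer bytes")
	sum := sha256.Sum256(pkg)
	body, _ := json.Marshal(Manifest{Version: "8.8.9", URL: "https://example.invalid/npp.exe", SHA256: hex.EncodeToString(sum[:])})
	sig := ed25519.Sign(priv, body)
	m, err := VerifyManifest(pub, body, sig)
	fmt.Println("signed manifest:", m.Version, err, VerifyPackage(m, pkg))
	// A manifest served by a redirected host carries no signature from the pinned key.
	forged := []byte(`{"version":"9.9.9","url":"https://redirected.invalid/x.exe","sha256":"00"}`)
	_, err = VerifyManifest(pub, forged, sig)
	fmt.Println("forged manifest:", err)
}
```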
Security researcher Kevin Beaumont had warned that he knew of at least three organizations affected by these update hijacks, which were followed by hands-on reconnaissance activity on the network.
Notepad++ is a free and open-source editor for text and source code and a popular tool on Windows, with tens of millions of users across the world.
The developer now explains that the attack occurred in June 2025, when a hosting provider for the software was compromised, enabling the attackers to perform targeted traffic redirections.