Chinese hackers exploit Notepad++ updater to target select users for months: Report

Notepad++ says its update system was reportedly hijacked for months in a targeted cyber campaign linked to suspected Chinese state-backed hackers, who redirected select users to malicious servers. The breach has been contained, with stronger security checks and update protections now in place.

Livemint
Updated: 2 Feb 2026, 10:31 PM IST

The developer of Notepad++ has reportedly said that its software update mechanism was covertly hijacked for several months last year, with evidence suggesting the operation was carried out by a Chinese state-sponsored threat group.

According to BleepingComputer, attackers intercepted and selectively redirected update requests, steering certain users towards malicious servers and delivering tampered update information. The breach is believed to have begun in June 2025 and continued until early December.

Selective targeting of users

Rather than launching a broad attack, the intruders reportedly focused on specific victims. Security experts assisting the investigation said the redirections were highly selective, affecting only chosen systems rather than the wider Notepad++ user base.

Reportedly, researchers noted that this narrow scope, combined with the sophistication of the intrusion, points to a state-backed actor. Multiple independent analysts concluded the activity was likely linked to a Chinese government-aligned group.

The attackers are said to have exploited weaknesses in older versions of Notepad++’s WinGUp update tool, which lacked sufficient verification checks for update files.

Hosting provider compromise

Logs from the hosting provider may indicate that the server supporting Notepad++’s update application was compromised. This reportedly allowed the attackers to manipulate traffic and deliver malicious update manifests.

Reportedly, the breach temporarily stalled in early September after the server’s kernel and firmware were upgraded. However, the threat actor reportedly regained entry using internal service credentials that had not been rotated.

The unauthorised access persisted until 2 December 2025, when the hosting provider detected suspicious activity and terminated the connection.

Security fixes rolled out

In response, Notepad++ has migrated its infrastructure to a new hosting provider with stronger safeguards. The team has also rotated potentially exposed credentials, patched vulnerabilities and reviewed logs to confirm that the malicious activity has ceased.

The project previously released version 8.8.9 in December to address issues in the WinGUp updater. From that release onward, installer certificates and signatures are verified and the update XML files are cryptographically signed.

A further change is planned for version 8.9.2, which will introduce mandatory certificate signature verification for updates.

Users urged to take precautions

Although the campaign appears limited in scope, users are being advised to strengthen their security posture. Recommended steps include changing SSH, FTP/SFTP and MySQL credentials, reviewing WordPress administrator accounts, removing unnecessary users and enabling automatic updates for core software, plugins and themes.

Security researcher Kevin Beaumont previously warned that at least three organisations experienced follow-up reconnaissance activity after being affected by the hijacked updates.