Notepad++ reveals its updater was hijacked by state-sponsored hackers


Popular text editor Notepad++ has revealed that its update mechanism was hijacked by state-sponsored hackers. The news was announced today, but the incident itself dates back to June of last year.

The state-sponsored hackers remain unnamed but are thought to be connected to China. The developer of Notepad++ said that “malicious actors [were able] to intercept and redirect update traffic destined for notepad-plus-plus.org”. An investigation is still ongoing, but some details are already available.

Perhaps the first thing to mention is that the situation is now under control. While the compromise is now many months old, the Notepad++ v8.8.9 release in the second half of 2025 hardened the updater, WinGUp, so that it verifies the certificate and signature of the downloaded installer instead of running whatever the update server hands it.

At the time of the release of Notepad++ v8.8.9, the developers said:

Some security experts recently reported incidents of traffic hijacking affecting Notepad++. According to the investigation, traffic from WinGUp (the Notepad++ updater) was occasionally redirected to malicious servers, resulting in the download of compromised executables.

The review of the reports led to identification of a weakness in the way the updater validates the integrity and authenticity of the downloaded update file. In case an attacker is able to intercept the network traffic between the updater client and the Notepad++ update infrastructure, this weakness can be leveraged by an attacker to prompt the updater to download and execute an unwanted binary (instead of the legitimate Notepad++ update binary). To mitigate this weakness and address the hijacking’s concerns raised by the security researchers, a new security enhancement is being introduced in this release of Notepad++.

Now, in an update about the hijacking, the developers say that investigations have continued with collaboration between security experts and the former shared hosting provider:

According to the analysis provided by the security experts, the attack involved infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org. The exact technical mechanism remains under investigation, though the compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself. Traffic from certain targeted users was selectively redirected to attacker-controlled servers that served malicious update manifests.

The incident began in June 2025. Multiple independent security researchers have assessed that the threat actor is likely a Chinese state-sponsored group, which would explain the highly selective targeting observed during the campaign.

After providing a statement from the hosting provider, the Notepad++ developers say:

TL;DR
According to the former hosting provider, the shared hosting server was compromised until September 2, 2025. Even after losing server access, attackers maintained credentials to internal services until December 2, 2025, which allowed them to continue redirecting Notepad++ update traffic to malicious servers. The attackers specifically targeted the Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++. All remediation and security hardening were completed by the provider by December 2, 2025, successfully blocking further attacker activity.

Note on timelines: The security expert’s analysis indicates the attack ceased on November 10, 2025, while the hosting provider’s statement shows potential attacker access until December 2, 2025. Based on both assessments, I estimate the overall compromise period spanned from June through December 2, 2025, when all attacker access was definitively terminated.

I deeply apologize to all users affected by this hijacking. To address this severe security issue, the Notepad++ website has been migrated to a new hosting provider with significantly stronger security practices. Within Notepad++ itself, WinGup (the updater) was enhanced in v8.8.9 to verify both the certificate and the signature of the downloaded installer. Additionally, the XML returned by the update server is now signed (XMLDSig), and the certificate & signature verification will be enforced starting with upcoming v8.9.2, expected in about one month.

With these changes and reinforcements, I believe the situation has been fully resolved. Fingers crossed.
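The two quoted passages describe the same trust problem from both ends: the v8.8.9 notes say an attacker on the network path could make the old updater download and execute an arbitrary binary, and the final update says the fix is a signed manifest plus certificate and signature checks on the installer. The script below is an added illustration of that property, not Notepad++ or WinGUp code. It models the network as a plain dict (so a traffic hijack is simply the attacker controlling that dict), uses a constructed textbook-RSA vendor key built from two Mersenne primes with no padding (insecure, for illustration only; real updaters should use XMLDSig, Authenticode or PKCS#1 PSS through a proper library), and uses constructed stand-in installer bytes and a hypothetical download URL.

```python
"""Toy model of an updater before and after manifest/installer verification.

Added example, not Notepad++/WinGUp code. The "network" is a dict standing in
for the HTTP responses the updater would receive, so an attacker who hijacks
traffic simply controls that dict. The vendor signing key is textbook RSA
built from two Mersenne primes with no padding: illustration only, insecure
for real use (use PKCS#1 PSS / XMLDSig / Authenticode via a real library).
"""
import hashlib
import json

# --- constructed vendor key: publishable (N, E) pinned in the client, D vendor-only ---
_P = (1 << 521) - 1                     # Mersenne prime M521
_Q = (1 << 127) - 1                     # Mersenne prime M127
VENDOR_N = _P * _Q                      # ~648 bits, comfortably above a SHA-256 digest
VENDOR_E = 65537
_VENDOR_D = pow(VENDOR_E, -1, (_P - 1) * (_Q - 1))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _manifest_digest(body: dict) -> int:
    # Canonical serialisation so signer and verifier hash identical bytes.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big")


def sign_manifest(body: dict) -> dict:
    """Vendor side: publish the manifest together with a signature over it."""
    return {"body": body, "sig": pow(_manifest_digest(body), _VENDOR_D, VENDOR_N)}


def manifest_signature_ok(signed: dict) -> bool:
    """Client side: check the signature with the pinned vendor public key."""
    return pow(signed["sig"], VENDOR_E, VENDOR_N) == _manifest_digest(signed["body"])


def updater(net: dict, verify: bool) -> str:
    """Run one update cycle against `net` and report what would be executed.

    verify=False models the older behaviour described in the advisory: the
    updater downloads whatever the manifest points at and runs it.
    verify=True models the hardened flow: the manifest must carry a valid
    vendor signature, and the downloaded installer must match the hash the
    signed manifest commits to. Nothing on the network path is trusted.
    """
    signed = net["manifest"]
    installer = net["installer"]
    if verify:
        if not manifest_signature_ok(signed):
            return "rejected: manifest signature invalid"
        if sha256_hex(installer) != signed["body"]["sha256"]:
            return "rejected: installer hash mismatch"
    return "executed " + ("legit" if installer == LEGIT_INSTALLER else "evil")


# --- constructed sample data ---
LEGIT_INSTALLER = b"MZ\x90\x00 constructed stand-in for npp.8.8.9.Installer.exe"
EVIL_INSTALLER = b"MZ\x90\x00 constructed stand-in for an attacker payload"

LEGIT_MANIFEST = sign_manifest({
    "version": "8.8.9",
    "url": "https://example.invalid/npp.8.8.9.Installer.exe",   # hypothetical URL
    "sha256": sha256_hex(LEGIT_INSTALLER),
})

# 1. Nobody on the path: legitimate manifest and installer.
HONEST = {"manifest": LEGIT_MANIFEST, "installer": LEGIT_INSTALLER}

# 2. Hijacked path: attacker rewrites the manifest to point at the payload but
#    cannot produce a fresh signature without the vendor's private exponent.
FORGED_MANIFEST = {
    "manifest": {"body": {**LEGIT_MANIFEST["body"], "sha256": sha256_hex(EVIL_INSTALLER)},
                 "sig": LEGIT_MANIFEST["sig"]},
    "installer": EVIL_INSTALLER,
}

# 3. Hijacked path: attacker replays the genuine signed manifest untouched and
#    swaps only the binary served behind the download URL.
SWAPPED_INSTALLER = {"manifest": LEGIT_MANIFEST, "installer": EVIL_INSTALLER}


if __name__ == "__main__":
    for name, net in [("honest", HONEST), ("forged manifest", FORGED_MANIFEST),
                      ("swapped installer", SWAPPED_INSTALLER)]:
        print(f"{name:18} old updater: {updater(net, False):16} "
              f"hardened: {updater(net, True)}")
```

Running it shows the old updater executing the payload in both hijack scenarios, while the hardened flow rejects the first on the manifest signature and the second on the installer hash. The point carried over from the advisory is that the trust anchor has to live in the client (a pinned vendor key), because the hosting provider, the DNS path and the TLS endpoint were all exactly the things the attackers controlled here.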
