The maintainer of Notepad++ has disclosed that state-sponsored threat actors compromised the text editor’s update infrastructure, redirecting some users to malicious servers.
According to developer Don Ho, the attack involved an infrastructure-level breach at Notepad++’s hosting provider, not vulnerabilities in the application’s source code. The compromise allowed attackers, believed to be linked to China, to intercept and reroute update traffic intended for notepad-plus-plus.org. Ho said the exact technical details of the intrusion are still under investigation.
The disclosure follows a Notepad++ update released just over a month ago (version 8.8.9), which addressed an issue in the project’s updater, WinGUp. The flaw occasionally caused update traffic to be redirected to malicious domains, resulting in the download of tampered executables. The weakness involved insufficient verification of the integrity and authenticity of update files.
“Traffic from certain targeted users was selectively redirected to attacker-controlled servers that served malicious update manifests,” the developer said.
Security experts involved in the investigation estimate the campaign began in June 2025, more than six months before it was publicly detected.
Independent security researcher Kevin Beaumont reported that the flaw was actively exploited by China-linked threat actors to compromise networks and trick victims into installing malware. In response, the Notepad++ project has migrated its website to a new hosting provider.
Ho said the former hosting provider confirmed that a shared hosting server was compromised until September 2, 2025. Even after access to the server was cut off, attackers reportedly retained credentials to internal services until December 2, 2025, enabling them to continue redirecting update traffic to rogue servers.
“To address this severe security issue, the Notepad++ website has been migrated to a new hosting provider with significantly stronger security practices,” Ho said. “Within Notepad++ itself, WinGUp (the updater) was enhanced in v8.8.9 to verify both the certificate and the signature of the downloaded installer. Additionally, the XML returned by the update server is now signed (XMLDSig), and the certificate & signature verification will be enforced starting with upcoming v8.9.2, expected in about one month.”
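As an added illustration of the fail-closed check Ho describes (example code, not Notepad++'s or WinGUp's own): the publisher signs the update manifest, the client verifies it under a pinned publisher key, and the installer's digest is bound into the manifest, so a client whose traffic has been redirected rejects both a rewritten manifest and a tampered binary. Ed25519 over a constructed text manifest stands in for XMLDSig and the installer certificate check, and all sample data is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is a constructed stand-in for the signed update XML; SHA256 binds the installer to it.
type Manifest struct{ Version, URL, SHA256 string }

// Canonical returns the exact bytes that are signed and later verified.
func (m Manifest) Canonical() []byte {
	return []byte(m.Version + "\n" + m.URL + "\n" + m.SHA256 + "\n")
}

func DigestHex(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }

// SignManifest is the publisher's offline step with the private key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Canonical())
}

// VerifyUpdate is the fail-closed client check: the manifest must verify under the
// pinned publisher key, and the installer must match the digest bound in it.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig, installer []byte) error {
	if !ed25519.Verify(pub, m.Canonical(), sig) {
		return errors.New("manifest signature invalid: refusing update")
	}
	if DigestHex(installer) != m.SHA256 {
		return errors.New("installer digest does not match signed manifest: refusing update")
	}
	return nil
}

// Demo covers a genuine update, a manifest edited on a rogue server, and a tampered installer.
func Demo() (genuineOK, rogueRejected, tamperedRejected bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // pinned publisher key pair (constructed)
	installer := []byte("constructed sample installer bytes")
	m := Manifest{"8.9.2", "https://example.invalid/npp.exe", DigestHex(installer)}
	sig := SignManifest(priv, m)
	rogue := m
	rogue.URL = "https://rogue.invalid/npp.exe" // any server-side edit invalidates the signature
	return VerifyUpdate(pub, m, sig, installer) == nil,
		VerifyUpdate(pub, rogue, sig, installer) != nil,
		VerifyUpdate(pub, m, sig, append(installer, '!')) != nil
}

func main() { fmt.Println(Demo()) }
```

The point to carry over is the last line of VerifyUpdate: a signature or digest mismatch is a hard refusal, not a warning, which is the enforcement Ho says arrives in v8.9.2.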