Notepad++ update service hijacked in targeted state-linked attack
Breach lingered for months before stronger signature checks shut the door
A state-sponsored attacker compromised Notepad++'s update service in 2025, according to the project's author.
The admission comes after version 8.8.9 of the text editor was released on December 9. The "hardened" version verified the signature and certificate of downloaded installers during the update process. On December 27, version 8.9 was released, which dropped the use of a self-signed certificate. The project said: "Only the legitimate certificate issued by GlobalSign is now used to sign Notepad++ release binaries. We strongly recommend that users who previously installed the self-signed root certificate remove it."
Today, in a post titled "Notepad++ Hijacked by State-Sponsored Hackers," Notepad++ confirmed the app had fallen victim to miscreants.
The exact details of the mechanism used in the attack remain under investigation, but the problem stems from a compromised hosting server and inadequate update verification controls in older versions of the editor. According to Notepad++:
"Traffic from certain targeted users was selectively redirected to attacker-controlled servers that served malicious update manifests."
The incident began in June, according to Notepad++. The shared hosting service was compromised until September 2, and even after losing access, the attackers retained credentials for internal services until December 2. While investigations indicate the attack ended on November 10, Notepad++'s author wrote: "I estimate the overall compromise period spanned from June through December 2, 2025, when all attacker access was definitively terminated."
Security researcher Kevin Beaumont noted something was afoot on December 2. "I've heard from 3 orgs now who've had security incidents on boxes with Notepad++ installed, where it appears Notepad++ processes have spawned the initial access. These have resulted in hands on keyboard threat actors."
Beaumont said the update mechanism was open to tampering, including redirection of the download itself. He also noted, however, that the "activity appears very targeted," with the limited number of victims he spoke to having interests in East Asia.
The Notepad++ author wrote that several independent security researchers reckon the threat actor was likely a Chinese state-sponsored group, "which would explain the highly selective targeting observed during the campaign."
Chinese cyberspies have a lengthy track record when it comes to computer and network intrusion. In December, CISA warned that individuals from the country wormed their way into critical US networks, maintaining access for years in some cases.
Beaumont commended Notepad++, saying on Mastodon: "Notepad++ dev did a great job treating issue seriously."
As for Notepad++, the apologies were profuse. The project's website has since moved to a new hosting provider "with significantly strong practices" and the update process has been hardened. "Certificate & signature verification will be enforced starting with upcoming v8.9.2, expected in about one month."
"With these changes and reinforcements, I believe the situation has been fully resolved. Fingers crossed."
The author of Notepad++ got in touch to tell us, "The malicious downloads were typically files named update.exe, updater.exe or AutoUpgrade.exe - none of which are part of the Notepad++ distribution."
However, anybody hoping for a tool to spot signs of infection might be disappointed: "Unfortunately, after a week spent analyzing 400 GB of server logs provided by our former hosting provider, the IR team identified signs of an intrusion, but no IoCs (indicators of compromise) were found."
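With no IoCs from the server logs, the three file names the author reported are the only concrete artefacts, and a hunt has to lean on process lineage rather than hashes. The following is an added example, not code from the Notepad++ project or from the article's sources, of that check run over constructed Sysmon-style process-creation events. It assumes that the bundled WinGUp updater runs as gup.exe and that a genuine update launches an installer named npp.<version>.Installer*.exe; both names are this example's assumptions, not something the article states.

```python
"""Hunt process-creation telemetry for the malicious Notepad++ "updater" names.

Added example; not code from the Notepad++ project or the article's sources.
Field names follow Sysmon Event ID 1 (ParentImage, Image, CommandLine); the
events at the bottom are constructed samples, not real telemetry.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# File names the Notepad++ author reported for the malicious downloads.
# None of them ships with Notepad++.
MALICIOUS_NAMES = {"update.exe", "updater.exe", "autoupgrade.exe"}

# Processes that legitimately take part in a Notepad++ update: the editor
# itself and WinGUp, the bundled updater (assumed here to run as gup.exe).
NPP_LINEAGE = {"notepad++.exe", "gup.exe"}

# Assumption for the second rule: a genuine update run by gup.exe launches
# the official installer, whose name follows npp.<version>.Installer*.exe.
LEGIT_INSTALLER_GLOB = "npp.*.installer*.exe"


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str = ""


def basename(path: str) -> str:
    """Case-folded file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def classify(ev: ProcEvent) -> Optional[str]:
    """Return a reason if the event looks like the hijacked update, else None."""
    parent = basename(ev.parent_image)
    child = basename(ev.image)
    if parent not in NPP_LINEAGE:
        # update.exe is also the name of Squirrel's installer stub (Discord,
        # Teams, ...), so the name alone is noisy: require Notepad++ lineage.
        return None
    if child in MALICIOUS_NAMES:
        return f"{parent} spawned {child}, a name reported for the malicious downloads"
    if parent == "gup.exe" and not fnmatchcase(child, LEGIT_INSTALLER_GLOB):
        return f"gup.exe launched {child} instead of an npp.*.Installer*.exe"
    return None


def hunt(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """List (host, reason) for every event that matches a rule."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append((ev.host, reason))
    return hits


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    ProcEvent("WS01", r"C:\Program Files\Notepad++\updater\GUP.exe",
              r"C:\Users\alice\AppData\Local\Temp\update.exe"),
    ProcEvent("WS02", r"C:\Program Files\Notepad++\updater\GUP.exe",
              r"C:\Users\bob\AppData\Local\Temp\npp.8.9.Installer.x64.exe"),
    ProcEvent("WS03", r"C:\Windows\explorer.exe",
              r"C:\Users\carol\AppData\Local\Discord\Update.exe"),
    ProcEvent("WS04", r"C:\Program Files\Notepad++\notepad++.exe",
              r"C:\Users\dave\AppData\Local\Temp\AutoUpgrade.exe"),
]

if __name__ == "__main__":
    for host, reason in hunt(SAMPLE_EVENTS):
        print(f"{host}: {reason}")
```

The parent-process constraint is the important design choice: `update.exe` is a common name for benign installer stubs, so matching on the file name alone would drown the hunt in false positives. Feeding real Sysmon or 4688 events into `ProcEvent` is left to the reader; the rules are the part worth reusing.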
As for next steps, the recommendation remains a download and manual install of the latest version: "This will update both Notepad++ & WinGUp (the updater) to the security enhanced version." ®