Notepad++ Hijacked by Chinese State-Sponsored Hackers

Notepad++, the popular open-source text editor, had its update channel hijacked by a sophisticated hacking group believed to be backed by the Chinese state. The operation, which ran from June to December 2025, intercepted update traffic and redirected it to attacker-controlled servers, potentially delivering compromised software to users who checked for updates.

The incident came to light with the release of Notepad++ v8.8.9, whose security disclosure prompted a deeper investigation in collaboration with external security experts and the software's former shared hosting provider.

Infrastructure-Level Compromise

According to the analysis, the attack did not exploit a vulnerability in Notepad++'s code; it was an infrastructure-level compromise at the hosting provider. The attackers intercepted traffic intended for notepad-plus-plus.org and selectively redirected requests from users checking for updates to attacker-controlled servers, which served malicious update manifests.

The hosting provider’s investigation revealed that the shared server hosting Notepad++’s update infrastructure was compromised until September 2, 2025. However, even after losing direct access to the server, the attackers retained credentials for internal services until December 2, 2025, allowing them to continue redirecting update traffic.

Targeted Attack with State-Sponsored Indicators

Multiple independent security researchers have assessed that the threat actor is likely a Chinese state-sponsored group. The highly selective targeting of Notepad++ users, combined with the attackers’ knowledge of existing vulnerabilities in the software’s update verification process, points to a sophisticated and well-resourced adversary.

Hosting Provider’s Response

In a detailed statement, the hosting provider outlined the timeline and remediation steps:

  • The server was compromised until September 2, 2025, when scheduled maintenance and updates likely disrupted the attackers’ access.
  • Despite losing server access, attackers retained credentials for internal services until December 2, 2025, enabling continued redirection of update traffic.
  • The attackers specifically targeted the Notepad++ domain, indicating prior knowledge of the software’s update verification weaknesses.
  • All vulnerabilities were patched, credentials rotated, and no other clients on the same server were targeted.
  • By December 2, 2025, all signs of attacker activity had ceased.

Remediation and Future Protections

In response to the breach, the Notepad++ team has taken several steps to harden security:

  • The Notepad++ website and update infrastructure have been migrated to a new hosting provider with stronger security practices.
  • The WinGup updater used by Notepad++ now verifies both the certificate and the signature of downloaded installers (starting with v8.8.9).
  • The XML update manifest is now digitally signed (XMLDSig), with signature and certificate verification enforced in the upcoming v8.9.2 release, expected in about one month; until that release ships, users on v8.8.9 rely on the installer-level checks.
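The two flows described above, the pre-v8.8.9 behaviour that trusted whatever manifest the (redirected) update check returned and the hardened flow that verifies a manifest signature before parsing and an installer signature before running, modelled as an added example. This is not code from Notepad++ or WinGup: Ed25519 stands in for XMLDSig and Authenticode, the keys, installer bytes and download locations are constructed placeholders, and only the GUP element names are assumed to follow the project's manifest format.

```go
package main

import (
	"crypto/ed25519"
	"encoding/xml"
	"errors"
	"fmt"
)

// Manifest mirrors the element names of the GUP XML that WinGup consumes
// (assumption; everything else in this file is illustrative, not project code).
type Manifest struct {
	XMLName         xml.Name `xml:"GUP"`
	NeedToBeUpdated string   `xml:"NeedToBeUpdated"`
	Version         string   `xml:"Version"`
	Location        string   `xml:"Location"`
}

// Response is what an update server returns: manifest bytes plus a detached
// signature over exactly those bytes (Ed25519 here stands in for XMLDSig).
type Response struct {
	ManifestXML []byte
	Sig         []byte
}

// Installer is a downloaded binary plus its publisher signature (stand-in for Authenticode).
type Installer struct {
	Bytes []byte
	Sig   []byte
}

var (
	ErrManifestSig  = errors.New("manifest signature invalid: refusing to parse it")
	ErrInstallerSig = errors.New("installer signature invalid: refusing to run it")
)

// Constructed, deterministic keys for the vendor and the attacker (seeds are exactly 32 bytes).
var (
	vendorKey   = ed25519.NewKeyFromSeed([]byte("notepad-plus-plus vendor seed 32"))
	attackerKey = ed25519.NewKeyFromSeed([]byte("attacker-controlled key seed 32!"))
	vendorPub   = vendorKey.Public().(ed25519.PublicKey)
)

// Placeholder download locations, not the project's real URLs.
const (
	genuineLoc  = "https://example.test/npp.8.8.9.Installer.exe"
	attackerLoc = "https://attacker.invalid/npp.8.8.9.Installer.exe"
)

func manifestXML(location string) []byte {
	return []byte(`<?xml version="1.0"?><GUP><NeedToBeUpdated>yes</NeedToBeUpdated>` +
		`<Version>8.8.9</Version><Location>` + location + `</Location></GUP>`)
}

// Scenario builds the genuine response, the response a redirected update check would
// receive (the attacker can sign it, but not with the vendor's key), and the hosts
// each manifest points at.
func Scenario() (legit, hijacked Response, hosts map[string]Installer) {
	lx, hx := manifestXML(genuineLoc), manifestXML(attackerLoc)
	legit = Response{lx, ed25519.Sign(vendorKey, lx)}
	hijacked = Response{hx, ed25519.Sign(attackerKey, hx)}
	genuine, trojan := []byte("genuine-npp-8.8.9"), []byte("trojaned-npp")
	hosts = map[string]Installer{
		genuineLoc:  {genuine, ed25519.Sign(vendorKey, genuine)},
		attackerLoc: {trojan, ed25519.Sign(attackerKey, trojan)},
	}
	return legit, hijacked, hosts
}

// LegacyUpdate models the pre-v8.8.9 flow: parse the manifest, fetch Location, run the result.
func LegacyUpdate(r Response, hosts map[string]Installer) (string, error) {
	var m Manifest
	if err := xml.Unmarshal(r.ManifestXML, &m); err != nil {
		return "", err
	}
	inst, ok := hosts[m.Location]
	if !ok {
		return "", fmt.Errorf("download failed for %s", m.Location)
	}
	return string(inst.Bytes), nil
}

// HardenedUpdate models the v8.8.9/v8.9.2 flow: verify the manifest signature before
// parsing it, then verify the installer signature before running it.
func HardenedUpdate(r Response, hosts map[string]Installer) (string, error) {
	if !ed25519.Verify(vendorPub, r.ManifestXML, r.Sig) {
		return "", ErrManifestSig
	}
	var m Manifest
	if err := xml.Unmarshal(r.ManifestXML, &m); err != nil {
		return "", err
	}
	if m.NeedToBeUpdated != "yes" {
		return "", nil
	}
	inst, ok := hosts[m.Location]
	if !ok {
		return "", fmt.Errorf("download failed for %s", m.Location)
	}
	if !ed25519.Verify(vendorPub, inst.Bytes, inst.Sig) {
		return "", ErrInstallerSig
	}
	return string(inst.Bytes), nil
}

func main() {
	legit, hijacked, hosts := Scenario()
	fmt.Println(LegacyUpdate(hijacked, hosts))
	fmt.Println(HardenedUpdate(hijacked, hosts))
	fmt.Println(HardenedUpdate(legit, hosts))
}
```

The ordering matters: the manifest signature is checked on the raw bytes before the XML parser ever sees attacker-controlled input, and the installer check is kept even when the manifest is genuine, because an attacker who controls the hosting can replay a valid manifest while swapping the binary at its Location.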

Timeline and Impact

While the hosting provider’s logs suggest attacker access until December 2, 2025, security experts believe the active attack phase ended on November 10, 2025. The overall compromise period is estimated to have spanned from June through December 2, 2025.

The Notepad++ project lead has issued a public apology to affected users and emphasized that the situation is now fully resolved with the new security measures in place.

Source: Notepad++
