Notepad++ has disclosed that its software update system was covertly hijacked for nearly six months in an attack attributed by multiple independent researchers to a likely Chinese state‑sponsored threat group.

According to the project’s developer, the attackers intercepted update requests and selectively redirected certain users to malicious servers. By exploiting weaknesses in older versions of Notepad++’s update‑verification process, the threat actors were able to deliver tampered update manifests to a narrow set of targets.

The hosting provider responsible for serving Notepad++ updates reported that server logs showed a compromise of the update application itself. External security specialists assisting with the investigation determined that the intrusion began in June 2025.

Highly Targeted Attack Pattern

Notepad++’s announcement notes that only specific users were redirected to the attacker’s infrastructure, a level of precision that aligns with assessments from several security researchers pointing to a state‑sponsored Chinese threat actor.

The attackers focused on vulnerabilities in the WinGUp update tool used by older Notepad++ versions. In December, the project released version 8.8.9 to address a flaw that allowed malicious update packages to be delivered in place of legitimate ones.

Security researcher Kevin Beaumont previously warned that at least three organizations had been affected by these hijacked updates, which were followed by hands‑on reconnaissance inside their networks.

Timeline of the Breach

The developer’s investigation outlines the following sequence:

  • June 2025: Attackers compromise a hosting provider used by Notepad++, enabling targeted redirection of update traffic.
  • Early September: A kernel and firmware update temporarily cuts off the attackers’ access.
  • Shortly after: The threat actor regains access using internal service credentials that had not been rotated.
  • December 2, 2025: The hosting provider detects the breach and fully removes the attackers.

Remediation and Strengthened Security

Following the incident, Notepad++ migrated to a new hosting provider with stronger security controls, rotated all potentially exposed credentials, patched exploited vulnerabilities, and reviewed logs to confirm the malicious activity had ceased.

The hosting provider also issued recommended actions, including:

  • Resetting SSH, FTP/SFTP, and MySQL credentials
  • Reviewing and cleaning up WordPress admin accounts
  • Updating WordPress core, plugins, and themes, with automatic updates enabled where possible

Starting with version 8.8.9, WinGUp now verifies installer certificates and signatures, and update XML files are cryptographically signed. The developer plans to introduce mandatory certificate‑signature enforcement in version 8.9.2, expected within the next month.
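The manifest signing that version 8.8.9 introduces, shown as an added example that is not WinGUp's own code: a small Go updater accepts an update XML only when its detached Ed25519 signature verifies under a public key pinned in the client, so a manifest whose download location was rewritten on a compromised server is refused before any installer is fetched. The manifest format, hostnames and the Ed25519 detached-signature scheme are constructed for this example (WinGUp uses certificate-based signatures).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Constructed sample manifest, not WinGUp's real format: version plus download location.
const manifestXML = `<GUP><Version>8.8.9</Version><Location>https://updates.example.org/npp.8.8.9.Installer.exe</Location></GUP>`

// SignedManifest carries the manifest bytes and a detached, base64-encoded Ed25519 signature.
type SignedManifest struct {
	XML, Signature string
}

// SignManifest is the publisher side: sign the exact manifest bytes with the release key.
func SignManifest(priv ed25519.PrivateKey, xml string) SignedManifest {
	sig := ed25519.Sign(priv, []byte(xml))
	return SignedManifest{XML: xml, Signature: base64.StdEncoding.EncodeToString(sig)}
}

// VerifyManifest is the updater side: trust the manifest only if its signature verifies under
// the public key pinned in the client, so bytes rewritten in transit or on a compromised server fail.
func VerifyManifest(pub ed25519.PublicKey, m SignedManifest) (string, error) {
	sig, err := base64.StdEncoding.DecodeString(m.Signature)
	if err != nil {
		return "", fmt.Errorf("malformed signature: %w", err)
	}
	if !ed25519.Verify(pub, []byte(m.XML), sig) {
		return "", fmt.Errorf("manifest signature invalid: refusing update")
	}
	return m.XML, nil
}

// Demo signs the sample manifest, then rewrites its Location the way a hijacked update would,
// and reports whether each copy is accepted (expected: true, false).
func Demo() (genuineAccepted, tamperedAccepted bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	signed := SignManifest(priv, manifestXML)
	tampered := SignedManifest{XML: strings.Replace(signed.XML, "updates.example.org", "updates.example.invalid", 1), Signature: signed.Signature}
	_, genuineErr := VerifyManifest(pub, signed)
	_, tamperedErr := VerifyManifest(pub, tampered)
	return genuineErr == nil, tamperedErr == nil, nil
}
```

In a real updater the public key is shipped inside the client binary rather than fetched alongside the manifest, otherwise a server compromise could replace both.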

Published On: February 9th, 2026
