Notepad++ has revealed that its software update process was secretly compromised for several months in a targeted cyber operation believed to be linked to Chinese state-backed hackers. During the incident, a small number of users were redirected to malicious servers. The issue has since been resolved, and additional security safeguards have been implemented.
According to reports, the developer behind Notepad++ discovered that its update infrastructure had been quietly manipulated last year. Evidence suggests the activity was carried out by a government-aligned Chinese threat group.
As reported by BleepingComputer, the attackers intercepted update requests and selectively rerouted certain users to harmful servers, serving altered update data. The intrusion is thought to have started in June 2025 and continued until early December.
Highly targeted attack
Instead of launching a widespread campaign, the attackers reportedly focused on specific individuals or organisations. Investigators said only a limited number of systems were affected, indicating deliberate and precise targeting.
Security analysts involved in the investigation noted that the operation’s narrow scope and technical complexity strongly suggest the involvement of a state-sponsored actor. Several independent researchers have linked the activity to a China-aligned hacking group.
The attackers are believed to have taken advantage of security gaps in older versions of Notepad++'s WinGUp update utility. Those versions did not verify the signature of the installer they downloaded, nor of the update metadata that told them which version existed and where to fetch it, so anyone able to alter the update server's responses could point the client at an arbitrary executable.
Possible hosting provider breach
Logs from the hosting provider reportedly show signs that the server used by the Notepad++ updater was compromised. This may have allowed the attackers to alter traffic and serve altered update metadata to the clients they had selected.
The attack appeared to pause briefly in early September after server firmware and kernel updates were applied. However, the threat actors allegedly regained access using internal service credentials that had not been changed. Patching closed the route in but did not invalidate credentials the attackers already held, which is why credential rotation belongs alongside patching in any response to a suspected compromise.
The unauthorised access continued until December 2, 2025, when suspicious activity was detected and the hosting provider shut down the connection.
Security improvements implemented
Following the incident, Notepad++ moved its infrastructure to a new hosting environment with enhanced security controls. The development team also rotated exposed credentials, fixed vulnerabilities and conducted a full log review to ensure the attack had been neutralised.
In December, Notepad++ released version 8.8.9, which addressed the weaknesses in the WinGUp updater. From that version onward the updater verifies the installer it downloads and the certificate it is signed with, and the update configuration file that tells WinGUp which version is available and where to fetch it is itself cryptographically signed, so a server that merely serves altered metadata can no longer direct the client to a file of the attacker's choosing.
A further change planned for version 8.9.2 will make certificate signature verification mandatory for every update, so an installer whose signature cannot be verified is rejected rather than installed.
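The mechanism behind those two changes, shown as an added illustration rather than Notepad++'s or WinGUp's own code: a Go program, using only the standard library's Ed25519 and SHA-256, in which a client holding a pinned publisher key verifies a signed update manifest and then checks the downloaded installer against the hash the manifest commits to, alongside a "legacy" client that trusts whatever the server returns. JSON in place of WinGUp's XML, the manifest fields, the URLs, the key pairs and the installer bytes are all constructed assumptions. Scenario plays out the two moves open to an attacker who controls the update server: replacing the manifest outright with one pointing at their own host, and leaving the genuine signed manifest alone but swapping the file served at the genuine URL.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the update description the client fetches. WinGUp uses an XML
// file; JSON and this field set are assumptions, not Notepad++'s real schema.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"` // hex SHA-256 of the installer bytes
}

// SignedManifest is the serialised manifest plus the publisher's Ed25519
// signature over exactly those bytes.
type SignedManifest struct {
	Manifest  []byte
	Signature []byte
}

var ErrBadSignature = errors.New("manifest signature does not verify against the pinned publisher key")
var ErrHashMismatch = errors.New("downloaded installer does not match the hash in the signed manifest")

// SignManifest is the publisher side. The private key stays on the release
// machine, never on the update server, so a server compromise cannot re-sign.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	raw, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// VerifiedUpdate models a client that pins the publisher key, requires the
// manifest to verify, and requires the installer to match the committed hash.
// fetch stands in for the HTTP download of the file named in the manifest.
func VerifiedUpdate(pub ed25519.PublicKey, sm SignedManifest, fetch func(url string) []byte) ([]byte, error) {
	if !ed25519.Verify(pub, sm.Manifest, sm.Signature) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return nil, err
	}
	installer := fetch(m.URL)
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, ErrHashMismatch
	}
	return installer, nil
}

// LegacyUpdate models the behaviour the article attributes to older WinGUp
// builds: parse whatever the server returns and run the file it names.
func LegacyUpdate(sm SignedManifest, fetch func(url string) []byte) ([]byte, error) {
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return nil, err
	}
	return fetch(m.URL), nil
}

// Scenario plays out the attack shape with constructed data. It returns the
// bytes the legacy client would run, the verifying client's error (nil) for
// the genuine release, its error for an attacker-signed manifest, and its
// error when only the file at the genuine URL is swapped.
func Scenario() (legacyRuns []byte, genuineErr, resignedErr, swappedErr error) {
	genuine := []byte("constructed: genuine installer bytes")
	trojan := []byte("constructed: trojanised installer bytes")
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)       // publisher key; pub is pinned in the client
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader) // attacker never obtains priv
	sum := sha256.Sum256(genuine)
	good := Manifest{Version: "8.8.9", URL: "https://updates.example/npp.exe", SHA256: hex.EncodeToString(sum[:])}
	signedGood, _ := SignManifest(priv, good)
	evilSum := sha256.Sum256(trojan)
	evil := Manifest{Version: "8.8.9", URL: "https://attacker.example/npp.exe", SHA256: hex.EncodeToString(evilSum[:])}
	resigned, _ := SignManifest(attackerPriv, evil)
	// Attack 1: the compromised server hands out the attacker's manifest. The
	// attacker's host serves the trojan; the genuine URL still serves the real file.
	server := func(url string) []byte {
		if url == good.URL {
			return genuine
		}
		return trojan
	}
	legacyRuns, _ = LegacyUpdate(resigned, server)
	_, genuineErr = VerifiedUpdate(pub, signedGood, server)
	_, resignedErr = VerifiedUpdate(pub, resigned, server)
	// Attack 2: the genuine signed manifest is left alone but the file served
	// at the genuine URL is replaced, which a hosting compromise permits.
	swapped := func(string) []byte { return trojan }
	_, swappedErr = VerifiedUpdate(pub, signedGood, swapped)
	return legacyRuns, genuineErr, resignedErr, swappedErr
}

func main() {
	legacy, e0, e1, e2 := Scenario()
	fmt.Printf("legacy runs: %q\ngenuine: %v\nre-signed: %v\nswapped: %v\n", legacy, e0, e1, e2)
}
```

The legacy client runs the trojan, the verifying client accepts the genuine release, and both attacks against the verifying client fail: the re-signed manifest fails signature verification because the attacker's key is not the pinned one, and the swapped file fails the hash check even though the manifest it was fetched under is authentic. Neither check helps if the client treats a failure as a warning it can click through, which is what making verification mandatory in 8.9.2 addresses.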
Users advised to stay vigilant
Although the attack appears to have affected only a limited number of users, Notepad++ recommends taking precautionary measures. The published list consists of server-side hardening steps: changing SSH, FTP/SFTP and database credentials, auditing WordPress administrator accounts, removing unused users, and enabling automatic updates for software, plugins and themes. For end users, the practical step is to upgrade to Notepad++ 8.8.9 or later, the first version whose updater verifies what it installs.
Security researcher Kevin Beaumont previously noted that at least three organisations experienced follow-up surveillance activity after being impacted by the compromised update system.