Notepad++ Update Mechanism Hijacked by State-Sponsored Hackers in Six-Month Campaign
A sophisticated six-month cyberattack targeting Notepad++'s update infrastructure affected telecoms and financial firms across East Asia.
Introduction
If you are a Notepad++ user, you should know that it was compromised in a supply chain attack attributed to Chinese state-sponsored actors. From June to December 2025, attackers targeted its automatic update mechanism to distribute malware to selected organizations.
What Happened?
Threat actors accessed the server hosting the update endpoint and redirected traffic from specific organizations across East Asia. The attack exploited a critical flaw in Notepad++'s updater that did not verify the authenticity of update files. Multiple users received malicious software disguised as authentic Notepad++ installers.
According to the Notepad++ team, the hosting provider's server remained compromised until September 2, 2025, though attackers retained some level of access until December 2, 2025, when all malicious access was definitively terminated.
The Impact
The compromise represents a textbook supply-chain attack in which adversaries infiltrated trusted software infrastructure rather than targeting individual victims directly. While the exact number of affected users remains undisclosed, the incident specifically impacted organizations in critical sectors—telecommunications companies and financial institutions that handle sensitive data and communications infrastructure.
Affected organizations unknowingly ran malware, letting attackers access networks. They then manually worked within systems to establish control and seek valuable data.
The sophistication and resource investment required for this attack—maintaining compromised infrastructure for six months, performing selective traffic interception at the ISP or hosting level, and targeting specific high-value organizations—suggests nation-state backing rather than financially motivated cybercriminals.
The incident has shaken confidence in software update mechanisms, a critical trust boundary that users and organizations depend on for maintaining secure, up-to-date systems. When legitimate update channels become attack vectors, traditional security advice to "keep software updated" creates vulnerability rather than protection.
How to Avoid This
Notepad++ has released version 8.8.9 with critical security enhancements and migrated to a new hosting provider with stronger security practices. Users should take these immediate actions:
Update Notepad++ now by downloading version 8.8.9 or a later release directly from the official website, notepad-plus-plus.org. The latest version checks all downloaded installers for valid digital signatures and certificates and automatically blocks any update that is unsigned or incorrectly signed.
Verify Your Installation: Check your current Notepad++ version by navigating to Help → About. If you updated between June and December 2025, audit your system for indicators of compromise. Look for unexpected processes spawned by notepad++.exe or gup.exe, suspicious files in your %TEMP% directory (particularly AutoUpdater.exe or update.exe), and unusual network connections to file-sharing services.
Remove Old Root Certificates: Notepad++ now uses legitimate GlobalSign certificates. Users who previously installed custom Notepad++ root certificates should remove them to reduce unnecessary trust anchors in their systems.
Download Only from Official Sources: Always obtain Notepad++ exclusively from notepad-plus-plus.org. Third-party download mirrors, even well-intentioned ones, introduce supply chain risk.
Implement Defense-in-Depth: Organizations should deploy endpoint detection and response (EDR) solutions that monitor application behavior for anomalies. Even trusted software shouldn't spawn reconnaissance tools or make unexpected network connections. Network segmentation, application whitelisting, and behavioral analytics can detect compromised update mechanisms before attackers establish persistent access.
Monitor Update Traffic: Security teams should log and analyze update traffic patterns. Sudden redirects, unexpected download sources, or installers lacking proper code-signing certificates warrant immediate investigation.
The Notepad++ incident underscores that software supply chains remain attractive targets for sophisticated adversaries. Organizations must treat automatic updates as untrusted network traffic requiring the same scrutiny as any external connection—because in modern cyber warfare, even trusted tools can become weapons.
