Notepad++ Hijacked by State-Sponsored Hackers

Notepad++, the popular text editor used by developers around the world, has been hit by a sophisticated attack on its update system. The news comes after the release of version 8.8.9, which included important security improvements (see the Notepad++ v8.8.9 announcement).

What Happened

According to security experts, the attack didn’t exploit the Notepad++ software itself. Instead, attackers gained access to the hosting provider that served the update files. This allowed them to selectively redirect update traffic from certain users to servers under their control. The exact technical details are still being investigated, but it’s clear the compromise happened at the hosting level.

The intrusion began in mid-2025. Even after losing direct access to the server, the attackers retained internal credentials for several months, which let them continue redirecting update traffic. Security researchers believe the campaign was likely carried out by a Chinese state-sponsored group, given its precision and selectivity.

What the Hosting Provider Found

After working with the Notepad++ incident-response team, the former hosting provider shared a detailed account of the breach:

  • The compromised server was vulnerable until maintenance updates patched the kernel and firmware, cutting off attackers’ initial access.
  • Despite losing direct access, attackers maintained credentials to internal services, enabling continued interference with update traffic.
  • Only the Notepad++ domain was targeted; no other clients appear to have been affected.
  • The provider completed full remediation, including rotating all credentials and hardening the server to prevent further attacks.

For users, the provider recommended changing passwords for SSH, FTP/SFTP, and databases, as well as reviewing WordPress admin accounts and keeping plugins and themes updated.

Notepad++’s Response

Notepad++ has since moved to a new hosting provider with stronger security measures. In addition:

  • The WinGup updater in v8.8.9 now checks both certificates and digital signatures of downloaded installers.
  • Upcoming v8.9.2 will enforce signed XML manifests (XMLDSig) for updates.
  • Users are encouraged to manually install v8.9.1 for the latest security improvements.
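As an added illustration of the manifest-and-installer checks described above (not WinGup's own code, which uses certificates, digital signatures and XMLDSig manifests rather than this simplified Ed25519-over-JSON scheme), the Go program below signs a manifest carrying the installer's SHA-256 with a publisher key held off the update host, and the client rejects any update whose manifest signature or installer hash fails, which is what defeats a hosting-level redirect that can swap bytes but cannot forge the signature. Manifest, SignManifest and VerifyUpdate are hypothetical names, and the key pair and installer bytes are constructed in place.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a constructed stand-in for a signed update manifest: version plus installer SHA-256.
type Manifest struct {
	Version string `json:"version"`
	SHA256  string `json:"sha256"`
}

// SignManifest is the publisher-side step; the private key never lives on the update host.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (manifestJSON, sig []byte, err error) {
	if manifestJSON, err = json.Marshal(m); err != nil {
		return nil, nil, err
	}
	return manifestJSON, ed25519.Sign(priv, manifestJSON), nil
}

// VerifyUpdate accepts an update only if the manifest signature verifies under the pinned
// publisher key AND the installer hashes to the value pinned in that signed manifest.
func VerifyUpdate(pub ed25519.PublicKey, manifestJSON, sig, installer []byte) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, manifestJSON, sig) {
		return m, errors.New("manifest signature invalid: rejecting update")
	}
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return m, err
	}
	if sum := sha256.Sum256(installer); hex.EncodeToString(sum[:]) != m.SHA256 {
		return m, errors.New("installer hash does not match signed manifest")
	}
	return m, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed publisher key pair
	installer := []byte("constructed installer bytes")
	sum := sha256.Sum256(installer)
	mj, sig, _ := SignManifest(priv, Manifest{Version: "8.9.1", SHA256: hex.EncodeToString(sum[:])})
	_, err := VerifyUpdate(pub, mj, sig, installer)
	fmt.Println("genuine installer:", err)
	_, err = VerifyUpdate(pub, mj, sig, []byte("swapped installer"))
	fmt.Println("swapped installer:", err)
}
```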

Indicators of Compromise

Despite analyzing roughly 400 GB of server logs, the Notepad++ team hasn’t found concrete indicators of compromise, like malicious IPs or file hashes. Rapid7 has shared a more detailed report with IoCs, which is available publicly.

Final Thoughts

This attack is a stark reminder of the growing risk of supply chain attacks. Even widely used, open-source software can be vulnerable if the infrastructure around it isn’t secure. Notepad++’s team has taken strong steps to fix the issue, but this incident highlights the need for developers and users alike to stay vigilant and verify updates before installing them.