
Notepad Update Mechanism Hijacked for Malware

The maintainer of Notepad++ has revealed a significant security incident in which state-sponsored attackers hijacked the utility's official update mechanism. This sophisticated breach allowed malicious actors to redirect update traffic to rogue servers instead of the official site. Developer Don Ho clarified that the issue wasn't a flaw in the Notepad++ code itself but an infrastructure-level compromise at the hosting provider. The attack specifically targeted certain users, routing them to malicious domains to fetch poisoned executables. This redirection was made possible by weaknesses in how the WinGUp updater verified file integrity, a flaw that was supposedly addressed in a recent patch released in late 2025. The incident dates back as far as June 2025, showing how long the threat actors maintained access to internal services even after losing initial server access. Following the breach, Notepad++ has migrated to a new hosting provider to secure its distribution chain and protect its global user base from further exploitation.

The maintainer of Notepad++ has revealed that state-sponsored attackers hijacked the utility’s update mechanism to redirect update traffic to malicious servers instead.

“The attack involved [an] infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org,” developer Don Ho said. “The compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself.”

The exact mechanism through which this was realized is currently being investigated, Ho added.

A Targeted Supply Chain Attack

This development comes a little over a month after Notepad++ released version 8.8.9 to address an issue where traffic from WinGUp, the Notepad++ updater, was being “occasionally” redirected to malicious domains. These redirections resulted in the download of poisoned executables.

The problem stemmed specifically from the way the updater verified the integrity and authenticity of the downloaded update file. Because that check could be satisfied by a substituted file, an attacker able to intercept network traffic between the updater client and the update server could trick the tool into downloading and running a different binary instead of the genuine release.

It is believed this redirection was highly targeted. Traffic originating from only certain users was routed to the rogue servers to fetch malicious components, while other users received legitimate updates.

Timeline of the Breach

The incident is assessed to have commenced in June 2025, more than six months before it fully came to light.

Independent security researcher Kevin Beaumont revealed that the flaw was being exploited by threat actors in China to hijack networks and deceive targets into downloading malware. In response to the security incident, the Notepad++ website has since been migrated to a new hosting provider to prevent further tampering.

“According to the former hosting provider, the shared hosting server was compromised until September 2, 2025,” Ho explained. “Even after losing server access, attackers maintained credentials to internal services until December 2, 2025, which allowed them to continue redirecting Notepad++ update traffic to malicious servers.”

Protecting the Distribution Chain

The migration to a new provider marks a significant step in securing the popular text editor’s distribution chain. However, the fact that attackers held onto internal credentials for months after the initial server breach highlights the persistence of modern state-sponsored threats.

Users are encouraged to ensure they are running the latest version of Notepad++ and to verify the digital signatures of their installations to ensure they haven’t been caught in the crosshairs of this targeted campaign.
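The check recommended above, and the kind of verification the updater weakness described earlier lacked, can be scripted. The following PowerShell is an added example, not code from the article or from the Notepad++ project. It verifies that a Notepad++ binary (installed, or freshly downloaded and not yet run) carries a valid Authenticode signature, that the signer certificate matches a thumbprint pinned from a known-good copy, and that the file version is at least 8.8.9, the release the article names as fixing the WinGUp verification issue. The install path, the `$ExpectedThumbprint` placeholder, and the assumption that the binary's VERSIONINFO resource carries the release number in dotted form are all assumptions of this example; the thumbprint must be taken from a trusted copy, never from a file fetched over the same update channel that could be intercepted.

```powershell
# Added example (not from the article or the Notepad++ project): verify an
# installed or downloaded Notepad++ binary before trusting it.
#   - Authenticode signature must verify and chain to a trusted root
#   - signer certificate thumbprint must match a value pinned out of band
#   - file version must be at least 8.8.9 (the fixed release named in the article)
# $ExpectedThumbprint is a placeholder; obtain it from a known-good copy.

param(
    [string]$Path = "$env:ProgramFiles\Notepad++\notepad++.exe",   # assumed install path
    [string]$ExpectedThumbprint = "<THUMBPRINT-OF-KNOWN-GOOD-SIGNER-CERT>",  # placeholder
    [version]$MinimumVersion = [version]"8.8.9"
)

function Test-NotepadPlusPlusBinary {
    param(
        [string]$Path,
        [string]$ExpectedThumbprint,
        [version]$MinimumVersion
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Result = 'FAIL'; Reason = 'file not found' }
    }

    # Status is 'Valid' only when the signature verifies against the file
    # contents AND the signing certificate chains to a trusted root.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Result = 'FAIL'; Reason = "signature status: $($sig.Status)" }
    }

    # A valid signature from *any* trusted publisher is not enough: a swapped
    # binary could be validly signed by someone else. Pin the expected signer.
    $thumb = $sig.SignerCertificate.Thumbprint
    if ($thumb -ne $ExpectedThumbprint.ToUpperInvariant()) {
        return [pscustomobject]@{ Path = $Path; Result = 'FAIL'; Reason = "unexpected signer: $($sig.SignerCertificate.Subject) [$thumb]" }
    }

    # FileVersionRaw is the VERSIONINFO resource parsed into a [version] object.
    # Assumption of this example: the binary stores the release as a dotted triple.
    $ver = (Get-Item -LiteralPath $Path).VersionInfo.FileVersionRaw
    if ($ver -lt $MinimumVersion) {
        return [pscustomobject]@{ Path = $Path; Result = 'FAIL'; Reason = "version $ver is older than required $MinimumVersion" }
    }

    return [pscustomobject]@{ Path = $Path; Result = 'PASS'; Reason = "signed by $($sig.SignerCertificate.Subject), version $ver" }
}

Test-NotepadPlusPlusBinary -Path $Path -ExpectedThumbprint $ExpectedThumbprint -MinimumVersion $MinimumVersion
```

Run it as `.\Check-NotepadPlusPlus.ps1` (or pass `-Path` to point at a downloaded installer) and treat anything other than `PASS` as a reason not to execute the file. The thumbprint pin is the part that matters against the redirection described in the article: a transport-level intercept can serve any file it likes, but it cannot produce a signature from the pinned certificate.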
