The maintainer of Notepad++ has revealed a significant security incident where state-sponsored attackers hijacked the utility's official update mechanism. This sophisticated breach allowed malicious actors to redirect update traffic to rogue servers instead of the official site. Developer Don Ho clarified that the issue wasn't a flaw in the Notepad++ code itself but an infrastructure-level compromise at the hosting provider level. The attack specifically targeted certain users, routing them to malicious domains to fetch poisoned executables. This redirection was made possible by vulnerabilities in how the WinGUp updater verified file integrity, a flaw that was supposedly addressed in a recent patch released in late 2025. The incident dates back as far as June 2025, showing how long the threat actors maintained access to internal services even after losing initial server access. Following the breach, Notepad++ has migrated to a new hosting provider to secure its distribution chain and protect its global user base from further exploitation.
