State-Sponsored Actors Hijack Notepad++ Update for
A likely Chinese state-sponsored threat actor compromised Notepad++’s former shared hosting infrastructure between June and December 2025 in a targeted attack, the project’s developer has...
A likely Chinese state-sponsored threat actor compromised Notepad++’s former shared hosting infrastructure between June and December 2025 in a targeted attack, the project’s developer has confirmed.
The breach allowed attackers to intercept and selectively redirect update traffic to malicious servers, exploiting a weakness in how the software validated update packages before the release of version 8.8.9.
Infrastructure-Level Hijacking
According to the forensic analysis conducted by independent security experts and the former hosting provider, the compromise occurred at the infrastructure level rather than through a vulnerability in the Notepad++ codebase itself. The attackers gained access to the shared hosting server, allowing them to intercept requests destined for notepad-plus-plus.org.
The attack specifically targeted the getDownloadUrl.php script used by the application’s updater. By controlling this endpoint, the threat actors could selectively redirect specific users to attacker-controlled servers hosting malicious binaries.
These malicious payloads were served instead of the legitimate update, leveraging the fact that older versions of the updater (WinGUp) did not strictly enforce certificate and signature validation for downloaded installers.
Multiple independent security researchers have assessed that the campaign was likely conducted by a Chinese state-sponsored group. The targeting was described as “highly selective,” focusing on specific users rather than a broad supply-chain infection.
The compromise spanned approximately six months, with the hosting provider identifying two distinct phases of unauthorized access:
| Date | Event Description |
|---|---|
| June 2025 | Initial Compromise: Attackers gain access to the shared hosting server. |
| September 2, 2025 | Server Access Lost: A scheduled maintenance update (kernel/firmware) by the provider severed the attackers’ direct server access. |
| Sept 2 – Dec 2, 2025 | Credential Persistence: Attackers maintained access via stolen internal service credentials, allowing continued traffic redirection despite losing server control. |
| November 10, 2025 | Attack Ceased (Estimate): Security experts note the active attack campaign appeared to halt around this date. |
| December 2, 2025 | Access Terminated: Hosting provider rotated all credentials and completed security hardening, definitively blocking the attackers. |
| December 9, 2025 | Mitigation Released: Notepad++ v8.8.9 released with hardened update verification. |
The hosting provider confirmed that no other clients on the shared server were targeted; the attackers specifically hunted for the Notepad++ domain. In response to the incident, the Notepad++ website has been migrated to a new provider with enhanced security protocols.
To prevent similar hijacking attempts, Notepad++ version 8.8.9 introduced strict validation within WinGUp, requiring both a valid digital signature and a matching certificate for any downloaded installer. If these verifications fail, the update process is now automatically aborted.
Looking ahead, the project is implementing the XMLDSig (XML Digital Signature) standard for update manifests. This reinforcement will ensure that the XML data returned by the update server is cryptographically signed, preventing tampering with the download URLs. This feature is scheduled for enforcement in version 8.9.2, expected to be released within the next month.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
No Comment! Be the first one.