Notepad++ Update Server Compromised in Targeted Malware Attack via Official Updater Mechanism

Author: Qoo Media

The official update mechanism of Notepad++, a widely used text editor, has been compromised by state-sponsored attackers to deliver malware to select users. The attack targeted the infrastructure supporting the update process, intercepting and redirecting legitimate update requests to malicious servers.

Notepad++ developer Don Ho explained that the breach occurred at the hosting provider level, not due to vulnerabilities in the Notepad++ software itself. This allowed the attackers to manipulate traffic destined for notepad-plus-plus.org and serve malicious payloads during the update process.

The incident reportedly began in June 2025 and remained undetected for over six months. During this period, malicious actors exploited weaknesses in the updater’s verification method to trick clients into downloading harmful executables rather than authentic updates. This flaw was specifically linked to WinGUp, Notepad++’s updater utility.

Security investigations revealed that only targeted users had their update traffic redirected, indicating a highly selective and covert campaign. The attackers maintained control over internal services and credentials long after losing full server access in early September 2025. This persistence enabled ongoing redirection of update requests to rogue servers up until December 2025.

Renowned security researcher Kevin Beaumont identified that the threat actors involved were linked to China and utilized this vector to infiltrate networks and compromise user systems. In response, Notepad++ promptly migrated its website and update infrastructure to a new, more secure hosting provider.

Key points about the attack include:

1. The update redirection stemmed from an infrastructure-level compromise at the hosting provider.
2. The updater’s insufficient validation of downloaded files enabled substitution with malicious binaries.
3. Attackers retained access to internal credentials even after the primary system compromise was resolved.
4. The malicious update distribution was highly targeted rather than widespread.
5. The breach lasted approximately six months before detection and response.
6. Migration to a new hosting environment has been executed to mitigate further risk.

This incident underscores the importance of robust security measures beyond application code, including the critical infrastructure and supply chain that distribute software updates. Ensuring cryptographic validation of update files and vigilant monitoring of update traffic can help prevent such sophisticated supply chain attacks.

Notepad++ continues to investigate the details of the compromise to strengthen defenses and protect its user base from future threats. Users are advised to remain cautious with update prompts and ensure their software sources are trusted and verified.

Read more at: thehackernews.com
Latest