Notepad++ Updates Hijacked in State-Sponsored Attack, Developers Respond
Notepad++ users were caught in a sophisticated attack as state-sponsored hackers hijacked the utility’s update system, redirecting traffic to malicious servers. The news comes from developer Don Ho, who confirmed that the breach occurred at the hosting provider level rather than through vulnerabilities in Notepad++ itself.
Malicious update redirection hits Notepad++, Chinese hackers suspected
Ho explained that attackers compromised the infrastructure behind the update process, allowing them to intercept traffic destined for notepad-plus-plus.org and push malicious executables to targeted users. The exact method of the hijack is still under investigation, but early reports suggest a highly selective approach, affecting only specific users in telecommunications and financial services across East Asia.
The security flaw relates to WinGUp, Notepad++’s built-in updater, and its verification process. Attackers exploited the way the updater checked the integrity and authenticity of downloaded files, effectively tricking it into installing poisoned binaries.
In response, Ho’s team has moved the official website to a new hosting provider with stricter security protocols and reinforced the update process with additional safeguards. “According to the former hosting provider, the shared server was compromised until September 2, 2025,” Ho said. “Even after losing access, attackers maintained credentials until December 2, 2025, enabling them to continue redirecting update traffic to malicious servers.”
Independent researcher Kevin Beaumont linked these attacks to a Chinese nation-state group known as Violet Typhoon, also called APT31 (via The Hacker News). The campaign is believed to have begun in June 2025, months before it was discovered publicly. The incident follows Notepad++ version 8.8.9, released last month to address earlier redirect issues.
The breach hints at the risks inherent in software supply chains and highlights the growing capabilities of state-sponsored cyber actors. For now, Notepad++ users are urged to make sure that their updates are sourced directly from the official website and to remain vigilant while the investigation continues. The developer also advised users to download v8.9.1, which apparently includes the relevant security enhancement.