
Notepad++ update servers hijacked in suspected state-sponsored campaign

Notepad++ warns its updater was redirected to attacker servers and urges users to install a patched release for safety.

Dr. Elena Rodriguez

Notepad++ maintainers disclosed that attackers intercepted and redirected update traffic for the popular text editor, in what the project called an infrastructure-level compromise that began in June 2025 and persisted in limited form through December. The developer, Don Ho, said, “The attack involved [an] infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org.”

The project published an update on Feb. 2, 2026, describing a compromise at the hosting-provider level rather than a breach of Notepad++ source code or public repositories. Notepad++ said the shared hosting server was compromised until Sept. 2, 2025, and that attackers continued to hold credentials for internal services until Dec. 2, 2025, allowing some update requests to be redirected to attacker-controlled servers even after direct server access was lost.

The hijack exploited the updater known as WinGUp and targeted update delivery rather than the application code. Maintainers and outside analysts said attackers returned tampered update manifests and, in some cases, poisoned executables to a narrow subset of users. Notepad++ acknowledged that older versions of its updater had insufficient verification controls, and that an on-path interceptor able to divert traffic could trick those clients into downloading malicious binaries. As Don Ho cautioned, “The exact mechanism through which this was realized is currently being investigated.”

To harden delivery, Notepad++ rolled out changes to the updater in recent releases. Version 8.8.9 introduced certificate verification and signature checks on downloaded installers, and the update XML is now signed using XMLDSig. Project maintainers plan to enforce certificate and signature verification in an upcoming v8.9.2. The team recommended immediate action for users: “I recommend downloading v8.9.1 (which includes the relevant security enhancement) and running the installer to update your Notepad++ manually.”
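As an added illustration, not WinGUp's own code (Notepad++ signs its update XML with XMLDSig and checks installer signatures, while this stand-in uses Ed25519 over a flat manifest plus a SHA-256 digest of the installer, all constructed), the check below shows why a signed manifest tied to the installer's digest defeats an on-path redirect that an unverified updater would accept:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a constructed stand-in for a signed update manifest: the
// version on offer, where to fetch it, and the SHA-256 of the installer.
type Manifest struct{ Version, URL, SHA256 string }

func (m Manifest) bytes() []byte { return []byte(m.Version + "\n" + m.URL + "\n" + m.SHA256 + "\n") }

// VerifyUpdate is the hardened client check: the manifest must verify under
// the public key pinned in the client, and the fetched installer must hash to
// the digest that signed manifest names. A party on the path can redirect the
// download, but cannot forge either value without the signing key.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, sig, installer []byte) error {
	if !ed25519.Verify(pinned, m.bytes(), sig) {
		return errors.New("manifest signature invalid: refusing update")
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("installer digest does not match signed manifest")
	}
	return nil
}

// Scenarios runs three constructed cases and reports which ones were accepted:
// the genuine update, a swapped installer under the real manifest, and a
// rewritten manifest that names the swapped installer but carries a stale signature.
func Scenarios() (genuine, swappedInstaller, rewrittenManifest bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	good, bad := []byte("constructed genuine installer"), []byte("constructed tampered installer")
	digest := func(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }
	m := Manifest{"8.9.1", "https://example.invalid/npp.exe", digest(good)} // placeholder URL
	sig := ed25519.Sign(priv, m.bytes())
	evil := m
	evil.SHA256 = digest(bad)
	return VerifyUpdate(pub, m, sig, good) == nil,
		VerifyUpdate(pub, m, sig, bad) == nil,
		VerifyUpdate(pub, evil, sig, bad) == nil
}

func main() {
	g, s, r := Scenarios()
	fmt.Printf("genuine=%v swapped installer=%v rewritten manifest=%v\n", g, s, r)
}
```

Only the genuine case is accepted; both redirect variants are rejected before anything is executed.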

Notepad++ also said it migrated its site to a new hosting provider with stronger operational practices and implemented additional guardrails in the update process. The project emphasized there is no evidence that attackers altered the Notepad++ source code or breached public code repositories.

Multiple independent security researchers assessed the actor was likely a Chinese state-sponsored group, a pattern the maintainers said would explain the campaign’s highly selective targeting. Some analysts have pointed to the group known as Zirconium, also called Violet Typhoon, and to targeting that focused on telecommunications and financial services organizations in East Asia. As one researcher noted, “Because traffic to notepad-plus-plus.org is fairly rare, it may be possible to sit inside the ISP chain and redirect to a different download,” adding, “To do this at any kind of scale requires a lot of resources.”

The incident underscores a persistent risk in software supply chains: even when source code is intact, attackers who can control hosting or routing can subvert distribution and deliver malware to carefully chosen victims. Notepad++’s fixes restore stronger cryptographic checks on updates, but the project and outside researchers say detailed forensic work remains to determine precisely how the interception was achieved and how many users were affected.
