The “Update” Trap: How State-Sponsored Hackers Hijacked Notepad++ Infrastructure for 6 Months
The lead developer of the widely used text editor Notepad++ has disclosed a serious security breach that compromised the application's update mechanism. State-sponsored adversaries intercepted the update verification process and quietly rerouted users toward malicious infrastructure instead of the official repository.
Don Ho, the project's creator, explained that the intrusion did not stem from a flaw in the application's own source code. Instead, the compromise occurred at the hosting provider level, which allowed attackers to hijack and divert network traffic destined for the notepad-plus-plus.org domain. The precise technical mechanism of the redirection remains under active investigation.
Approximately one month prior, the release of Notepad++ version 8.8.9 fixed a vulnerability in the WinGUp update module. Under specific conditions, the module would connect to malicious domains and could download fraudulent binaries. The root cause was weak integrity and authenticity verification: an attacker able to intercept the connection between the client and the server could substitute malicious executable content for a legitimate update.
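The defensive pattern that closes this gap is to authenticate the update itself rather than the channel it arrives over. The Go program below is an added illustration, not WinGUp's or Notepad++'s code: it assumes a hypothetical signed-manifest format, a key pinned in the client, and an allowlist of download hosts, and shows that a swapped binary or a forged manifest is rejected even when the server or network path is hostile.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Manifest is a hypothetical release descriptor (not WinGUp's real format): version,
// download URL, and the installer's SHA-256 hex digest. Its bytes are what gets signed.
type Manifest struct{ Version, URL, SHA256 string }
func (m Manifest) bytes() []byte { return []byte(m.Version + "\n" + m.URL + "\n" + m.SHA256) }

// Assumed allowlist of download origins. Defense in depth only: the attack described above
// diverted traffic for the legitimate domain itself, so the signature check is what stops it.
var allowedHosts = map[string]bool{"notepad-plus-plus.org": true}
func HexSHA256(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte { return ed25519.Sign(priv, m.bytes()) }

// VerifyUpdate accepts an update only if the manifest is signed by the pinned public key, the
// URL is HTTPS to an allowlisted host, and the payload hashes to the signed digest. A hijacked
// host or network hop can swap the manifest or the binary but cannot forge the signature.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig, payload []byte) error {
	if !ed25519.Verify(pub, m.bytes(), sig) {
		return errors.New("manifest signature invalid")
	}
	u, err := url.Parse(m.URL)
	if err != nil || u.Scheme != "https" || !allowedHosts[strings.ToLower(u.Hostname())] {
		return fmt.Errorf("download URL %q not allowed", m.URL)
	}
	if HexSHA256(payload) != strings.ToLower(m.SHA256) {
		return errors.New("payload hash does not match signed manifest")
	}
	return nil
}

func main() {
	// Throwaway key for the demo; a real client pins only the public half in its binary.
	pub, priv, _ := ed25519.GenerateKey(nil)
	good := []byte("constructed stand-in for the genuine installer") // not a real binary
	m := Manifest{"8.8.9", "https://notepad-plus-plus.org/update/example.exe", HexSHA256(good)}
	sig := SignManifest(priv, m)
	fmt.Println("genuine:", VerifyUpdate(pub, m, sig, good))                    // <nil>
	fmt.Println("swapped binary:", VerifyUpdate(pub, m, sig, []byte("trojan"))) // hash mismatch
	forged := Manifest{"9.0.0", "https://evil.example/x.exe", HexSHA256([]byte("trojan"))}
	fmt.Println("forged manifest:", VerifyUpdate(pub, forged, sig, []byte("trojan"))) // bad signature
}
```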
Current assessments suggest that the traffic diversion was surgical and selective, affecting only a specific subset of the user base. The targeted requests were redirected to substitute servers, which then served malicious components. Evidence indicates the campaign began as early as June 2025 and remained undetected for over six months.
Independent security researcher Kevin Beaumont confirmed that the exploit was weaponized by threat actors originating from China. The vector allowed them to take over network sessions and push victims into installing sophisticated malware. Following discovery of the breach, the Notepad++ website was migrated to a more resilient hosting provider.
The developer further clarified that, according to the previous provider, the shared hosting environment remained compromised until September 2, 2025. Notably, even after losing direct server access, the attackers retained administrative credentials for internal services until December 2, 2025. This persistent foothold enabled them to keep redirecting software update queries to malicious endpoints for an extended period.