Notepad++, one of the most widely used text editors, has confirmed that state-sponsored attackers hijacked its update mechanism. According to the project's maintainer, Don Ho, the attackers compromised the shared hosting infrastructure that served update requests, which let them redirect update traffic to servers under their control.
Attack Exploited Weaknesses in Update Verification
The attack did not exploit a vulnerability in Notepad++'s source code. Instead, the attackers exploited weaknesses in WinGUp, the updater Notepad++ uses, which until then did not robustly verify the server's certificate or the signature of the files it downloaded. With update traffic redirected to servers they controlled, the attackers could answer update requests with malicious executables disguised as legitimate updates, and they did so only for selected targets.
In December 2025, security researcher Kevin Beaumont was among the first to flag suspicious activity, reporting incidents at several organizations in which Notepad++ processes were observed providing attackers with initial access. "The activity was highly selective and showed clear signs of hands-on-keyboard operations," Beaumont said, adding that the affected organizations had strategic interests in East Asia.
According to Ho, several independent researchers have since attributed the campaign to a Chinese state-sponsored threat group, tracked primarily as Violet Typhoon (APT31). The attackers maintained access even after they lost control of the hosting server itself, having obtained credentials that allowed them to keep redirecting traffic until December 2, 2025.
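Beaumont's observation that Notepad++ processes were the parent of the attackers' initial access suggests one concrete hunt: look for shells or script hosts whose parent is the editor or its updater. The script below is an added example written for this article, not code from Beaumont, the article's author or the Notepad++ project. It reads Sysmon process-creation events (Event ID 1) and reports children that Notepad++ has no reason to launch. The parent-image pattern (including the assumption that the WinGUp binary is named GUP.exe), the list of suspicious children and the default look-back window are all assumptions to tune for your environment.

```powershell
# Added example (not from the article, Beaumont, or the Notepad++ project):
# hunt for shells or script hosts spawned by Notepad++ or its updater in
# Sysmon process-creation events (Event ID 1). The parent-image pattern and the
# suspicious-child list are assumptions for illustration; tune them locally.
# A legitimate update also launches the updater and then the installer, so
# treat hits as leads for triage, not as confirmed compromise.
param(
    [int] $Days = 30,
    [string] $LogName = 'Microsoft-Windows-Sysmon/Operational'
)

# Parents of interest: the editor itself and the WinGUp updater binary
# (assumed to be named GUP.exe in the updater subfolder).
$parentPattern = '\\(notepad\+\+|gup)\.exe$'

# Children that Notepad++ has no business launching during normal editing.
$suspiciousChildren = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
                        'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'bitsadmin.exe',
                        'msiexec.exe', 'curl.exe', 'schtasks.exe', 'wmic.exe')

function Get-SysmonProcessEvents {
    param([int] $Days, [string] $LogName)
    $since = (Get-Date).AddDays(-$Days)
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 1; StartTime = $since } -ErrorAction Stop |
        ForEach-Object {
            # Sysmon writes one <Data Name="..."> element per field; index them by name.
            $xml = [xml] $_.ToXml()
            $d = @{}
            foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Host        = $_.MachineName
                User        = $d['User']
                ParentImage = $d['ParentImage']
                Image       = $d['Image']
                CommandLine = $d['CommandLine']
                Hashes      = $d['Hashes']
            }
        }
}

function Find-SuspiciousNotepadChildren {
    param([object[]] $Events, [string] $ParentPattern, [string[]] $Children)
    $Events | Where-Object {
        # Match on the parent first, then on the child's file name (case-insensitive).
        if (-not $_.ParentImage -or -not $_.Image) { return $false }
        $child = [System.IO.Path]::GetFileName($_.Image).ToLowerInvariant()
        ($_.ParentImage -match $ParentPattern) -and ($Children -contains $child)
    }
}

$events = Get-SysmonProcessEvents -Days $Days -LogName $LogName
$hits   = Find-SuspiciousNotepadChildren -Events $events -ParentPattern $parentPattern -Children $suspiciousChildren

if (-not $hits) {
    Write-Host "No suspicious children of notepad++.exe/GUP.exe in the last $Days days."
} else {
    # Sort chronologically so a burst of hands-on-keyboard activity from one session stands out.
    $hits | Sort-Object Time | Format-Table Time, Host, User, ParentImage, Image, CommandLine -AutoSize -Wrap
}
```

Run it with an account that can read the Sysmon operational log; the command line and the `Hashes` field on each hit are what you would pivot on next, since a trojanized update would arrive as a new binary with a hash no legitimate release carries.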
Security Enhancements After the Breach
Following the attack, Notepad++ migrated to a new hosting provider, hardened its update and hosting infrastructure, and dropped its reliance on self-signed certificates. Beginning with version 8.9.2, certificate and signature verification are strictly enforced. "This incident depicts how even trusted developer tools can become high-value targets," Ho said, noting that supply chain security remains a primary challenge.
Organizations are advised to install the latest version manually and to review their systems for suspicious activity, while avoiding overreaction, given the attack's highly targeted nature.
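The verification the old updater skipped is exactly what anyone installing manually should do before running the downloaded file: confirm that the installer carries a valid Authenticode signature from the expected publisher, and compare its hash against a value obtained somewhere other than the download server. The script below is an added example written for this article, not code from the Notepad++ project or its WinGUp updater. The installer path, the expected signer pattern and the out-of-band hash are parameters you supply; the default signer pattern is an assumption and should be replaced with the subject recorded from a known-good, already-installed copy.

```powershell
# Added example (not part of the article or the Notepad++ project): verify a
# manually downloaded Notepad++ installer before executing it. The checks do not
# trust the download channel: the Authenticode signature must be valid, the
# signer must match a subject recorded from a known-good install, and the file
# hash must match a value obtained out of band. The default signer pattern and
# the parameter names are assumptions for illustration.
param(
    [Parameter(Mandatory)] [string] $InstallerPath,
    # Publisher expected in the signing certificate's Subject. Record this from a
    # known-good copy of notepad++.exe; the default here is an assumed value.
    [string] $ExpectedSignerPattern = 'CN=Notepad\+\+',
    # SHA-256 published through a second channel; leave empty to skip that check.
    [string] $ExpectedSha256 = ''
)

$ErrorActionPreference = 'Stop'

function Test-InstallerTrust {
    param([string] $Path, [string] $SignerPattern, [string] $Sha256)

    $result = [ordered]@{
        Path = $Path; SignatureStatus = $null; Signer = $null; Hash = $null; Trusted = $false; Reasons = @()
    }

    # 1. Authenticode: the signature must chain to a trusted root and cover the file unchanged.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.SignatureStatus = $sig.Status
    if ($sig.Status -ne 'Valid') {
        $result.Reasons += "Authenticode status is '$($sig.Status)': $($sig.StatusMessage)"
    }

    # 2. Signer identity: 'Valid' only proves that *someone* holding a trusted
    #    code-signing certificate signed the file, so the subject must also match.
    if ($sig.SignerCertificate) {
        $result.Signer = $sig.SignerCertificate.Subject
        if ($result.Signer -notmatch $SignerPattern) {
            $result.Reasons += "Signer subject '$($result.Signer)' does not match the expected pattern"
        }
    } else {
        $result.Reasons += 'File is not signed'
    }

    # 3. Independent hash check when an out-of-band value is available.
    $result.Hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($Sha256 -and ($result.Hash -ne $Sha256.ToUpperInvariant())) {
        $result.Reasons += 'SHA-256 does not match the out-of-band value'
    }

    $result.Trusted = ($result.Reasons.Count -eq 0)
    return [pscustomobject] $result
}

$verdict = Test-InstallerTrust -Path $InstallerPath -SignerPattern $ExpectedSignerPattern -Sha256 $ExpectedSha256
$verdict | Format-List

if (-not $verdict.Trusted) {
    Write-Error 'Refusing to run the installer; see Reasons above.'
    exit 1
}

# Only a fully verified installer is started.
Start-Process -FilePath $InstallerPath -Wait
```

A redirected download, as in this campaign, fails the first or second check: an unsigned or self-signed binary does not reach `Valid`, and a binary signed with some other trusted certificate fails the signer match. Keep the signer pattern strict; matching on `Valid` alone would have accepted any signed executable.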