Notepad++ hit by months-long update hijack blamed on China-linked hackers — what users need to know

February 2, 2026
PARIS, February 2, 2026, 20:09 (CET)

  • Notepad++ revealed that attackers hijacked update checks, diverting them to malicious servers for months during 2025
  • After adding stricter update verification, the project urged users to install the latest versions
  • Researchers noted the campaign seemed targeted, impacting just a limited set of victims

Notepad++ revealed on Monday that its software update process was compromised last year, allowing attackers to push malicious downloads to a limited group of users. Researchers have tied the campaign to hackers linked to the Chinese government.

The open-source text editor is widely used on Windows PCs, especially in corporate environments. Compromising its update channel is a supply-chain attack: rather than breaking into each target directly, the attacker subverts a distribution path the victims already trust, which yields a stealthy entry point into their networks.

The disclosure lands as companies tighten their scrutiny of software integrity and vendor risk. It also drives home a simple truth about hacking today: even a small project can become a prized target if attackers see an opportunity.

Notepad++ developer Don Ho posted on the project’s website that analysts believe the threat actor is likely a Chinese state-sponsored group, which “would explain the highly selective targeting” in the campaign. He clarified the breach occurred at the infrastructure level, linked to the hosting behind the project’s domain, rather than a compromise of Notepad++ source code itself. (Notepad Plus Plus)

Ho explained that the site used shared hosting, and that attackers managed to redirect some update requests to their own server, serving altered "update manifests", the small XML files that tell the updater which version is current and where to download the installer. He noted that the vulnerability enabling this redirection was patched in November, with the attackers' access cut off by early December.

Security researcher Kevin Beaumont reported that a handful of organizations were compromised after a malicious version of the software was installed. He called the subsequent activity “hands-on” access by the attackers. Beaumont noted the victims had “interests in East Asia” and flagged that the breach was followed by reconnaissance within the network. (Techcrunch)

Notepad++ has revamped its updater, WinGUp. From version 8.8.9 onward, it verifies the downloaded installer's code-signing certificate and signature, and the update XML itself now carries a cryptographic signature, so that a manifest modified in transit or on the server fails verification and is rejected, the project explained. Ho added that the certificate signature checks will become mandatory in version 8.9.2, slated for release in roughly a month.
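To make concrete what a signed manifest buys the updater, here is an added example in Go. It is not WinGUp's code and not necessarily the signature scheme the project chose: a release step signs the manifest with an Ed25519 key that is held off the web host, the old-style client follows whatever Location it is served, and the hardened client refuses a manifest whose bytes no longer match the signature. The XML element names, the URLs and the choice of Ed25519 are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/xml"
	"fmt"
)

// Manifest is a deliberately minimal update manifest: the version to move to and
// where to fetch the installer. Element names are an assumption, not WinGUp's schema.
type Manifest struct {
	XMLName  xml.Name `xml:"GUP"`
	Version  string   `xml:"Version"`
	Location string   `xml:"Location"`
}

// SignedManifest carries the exact bytes served plus a detached signature.
type SignedManifest struct {
	XML []byte
	Sig []byte
}

// SignManifest is the release-side step: sign the serialized manifest with a
// private key that never lives on the web host.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	raw, err := xml.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{XML: raw, Sig: ed25519.Sign(priv, raw)}, nil
}

// LegacyLocation models the old updater: whatever the server answers is parsed
// and its Location followed.
func LegacyLocation(raw []byte) (string, error) {
	var m Manifest
	if err := xml.Unmarshal(raw, &m); err != nil {
		return "", err
	}
	return m.Location, nil
}

// VerifiedLocation models the hardened client: the signature is checked over the
// raw bytes before anything is parsed, so an altered manifest is never acted on.
func VerifiedLocation(pub ed25519.PublicKey, sm SignedManifest) (string, error) {
	if !ed25519.Verify(pub, sm.XML, sm.Sig) {
		return "", fmt.Errorf("manifest signature invalid: refusing to update")
	}
	return LegacyLocation(sm.XML)
}

// Tamper plays the attacker on the hosting: re-point the installer URL and keep
// the original signature, because the signing key is not on the host.
func Tamper(sm SignedManifest, evilURL string) (SignedManifest, error) {
	var m Manifest
	if err := xml.Unmarshal(sm.XML, &m); err != nil {
		return SignedManifest{}, err
	}
	m.Location = evilURL
	raw, err := xml.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{XML: raw, Sig: sm.Sig}, nil
}

// RunScenario signs a genuine manifest with a fresh key pair, tampers with a copy,
// and reports what the legacy client and the verifying client each would do.
func RunScenario(realURL, evilURL string) (genuine, legacy string, refused bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", "", false, err
	}
	signed, err := SignManifest(priv, Manifest{Version: "8.8.9", Location: realURL})
	if err != nil {
		return "", "", false, err
	}
	if genuine, err = VerifiedLocation(pub, signed); err != nil {
		return "", "", false, err
	}
	forged, err := Tamper(signed, evilURL)
	if err != nil {
		return "", "", false, err
	}
	if legacy, err = LegacyLocation(forged.XML); err != nil {
		return "", "", false, err
	}
	_, verr := VerifiedLocation(pub, forged)
	return genuine, legacy, verr != nil, nil
}

func main() {
	g, l, r, err := RunScenario("https://example.org/npp-installer.exe", "https://attacker.invalid/update.exe")
	if err != nil {
		panic(err)
	}
	fmt.Printf("verified client follows: %s\nlegacy client follows: %s\nverified client refused tampered copy: %v\n", g, l, r)
}
```

Two caveats a practitioner would add. A signature binds the bytes, not their freshness: without an expiry or a refusal to accept a version older than the one installed, an attacker on the hosting can replay an older, genuinely signed manifest. And the installer's own code-signing check is the backstop if the manifest-signing key is ever exposed; the two checks cover different failure modes and should both stay on.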

The project has provided scant details for defenders trying to assess past exposure. Ho told BleepingComputer that while the response team detected signs of intrusion, they found no indicators of compromise (IOCs) — such as file hashes, domains, or IP addresses that security teams use to track malware. “Our IR team and I also requested IOCs directly from the former hosting provider, but we were not successful in obtaining any,” he added. (Bleepingcomputer)

Rapid7 linked a series of intrusions to Lotus Blossom, a Chinese state-backed advanced persistent threat group active for years. The cybersecurity firm uncovered a new backdoor they named Chrysalis. While their forensics couldn’t definitively say if the infections came through the updater or a plugin path, they did notice Notepad++ and its updater running just before a suspicious “update.exe” launched. (Rapid7)

Notepad++ announced that it has moved to a new hosting provider, rotated credentials, and strengthened client-side checks so that the updater verifies what it downloads. Ho noted that logs showed the attacker later tried to exploit the now-patched vulnerability again, without success.

The full extent of the damage is still unknown. Ho hasn’t revealed how many users got malicious updates or how many devices were affected. Without any IOCs, organizations may have to rely on internal logs and endpoint telemetry to figure out if they were hit.
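With no published IOCs, hunting has to lean on behaviour, and Rapid7's observation that the editor and its updater ran just before a suspicious "update.exe" is the obvious starting point. The following is an added example, not Rapid7's or the project's tooling: a small Go hunt over constructed process-creation records that flags an unsigned update.exe spawned by the updater or by Notepad++, or started on the same host within a few minutes of the updater, and then anything that update.exe itself launches, which is where hands-on follow-up activity would show. The log format and every host, user and path in it are invented for the example, and that the updater runs as gup.exe is an assumption.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// ProcEvent is one process-creation record of the kind Sysmon event ID 1 or an
// EDR sensor produces. The field set is ours, not any product's schema.
type ProcEvent struct {
	Time        time.Time
	Host        string
	Image       string
	ParentImage string
	Signed      bool // the launched binary carried a valid code-signing signature
}

// Finding is one event worth an analyst's attention, and why.
type Finding struct {
	Host   string
	Time   time.Time
	Image  string
	Reason string
}

// SampleLog is a constructed log in a simple time|host|image|parent|signed format.
// Hosts, users and paths are invented; only the gup.exe -> update.exe pattern is
// taken from the public reporting.
const SampleLog = `2025-09-14T10:02:11Z|ws-042|C:\Program Files\Notepad++\updater\gup.exe|C:\Program Files\Notepad++\notepad++.exe|yes
2025-09-14T10:02:19Z|ws-042|C:\Users\a\AppData\Local\Temp\update.exe|C:\Program Files\Notepad++\updater\gup.exe|no
2025-09-14T10:02:40Z|ws-042|C:\Windows\System32\cmd.exe|C:\Users\a\AppData\Local\Temp\update.exe|yes
2025-09-14T11:15:02Z|ws-017|C:\Program Files\Notepad++\updater\gup.exe|C:\Program Files\Notepad++\notepad++.exe|yes
2025-09-14T11:15:09Z|ws-017|C:\Users\b\AppData\Local\Temp\npp-installer.exe|C:\Program Files\Notepad++\updater\gup.exe|yes
2025-09-14T12:00:00Z|ws-099|C:\Windows\System32\svchost.exe|C:\Windows\System32\services.exe|yes`

// baseName returns the lower-cased file name from a Windows or POSIX path;
// filepath.Base would not split on backslashes on a non-Windows analysis box.
func baseName(p string) string {
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		return strings.ToLower(p[i+1:])
	}
	return strings.ToLower(p)
}

// ParseEvents turns the line-oriented log into events, rejecting malformed rows.
func ParseEvents(log string) ([]ProcEvent, error) {
	var out []ProcEvent
	for n, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Split(line, "|")
		if len(f) != 5 {
			return nil, fmt.Errorf("line %d: expected 5 fields, got %d", n+1, len(f))
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		out = append(out, ProcEvent{Time: ts, Host: f[1], Image: f[2], ParentImage: f[3], Signed: f[4] == "yes"})
	}
	return out, nil
}

// HuntUpdaterAbuse flags an unsigned update.exe whose parent is the updater or
// Notepad++, or that starts within window of a gup.exe run on the same host, and
// then every process that such an update.exe goes on to spawn.
func HuntUpdaterAbuse(events []ProcEvent, window time.Duration) []Finding {
	sort.SliceStable(events, func(i, j int) bool { return events[i].Time.Before(events[j].Time) })
	lastUpdater := map[string]time.Time{} // host -> most recent gup.exe start
	flagged := map[string]bool{}          // host|image of an update.exe already flagged
	var out []Finding
	for _, e := range events {
		img, parent := baseName(e.Image), baseName(e.ParentImage)
		switch {
		case img == "gup.exe":
			lastUpdater[e.Host] = e.Time
		case img == "update.exe" && !e.Signed:
			t, seen := lastUpdater[e.Host]
			recent := seen && e.Time.Sub(t) <= window
			if parent == "gup.exe" || parent == "notepad++.exe" || recent {
				flagged[e.Host+"|"+strings.ToLower(e.Image)] = true
				reason := "unsigned update.exe spawned by " + parent
				if recent {
					reason += ", shortly after gup.exe ran on this host"
				}
				out = append(out, Finding{e.Host, e.Time, e.Image, reason})
			}
		default:
			if flagged[e.Host+"|"+strings.ToLower(e.ParentImage)] {
				out = append(out, Finding{e.Host, e.Time, e.Image, "child of a flagged update.exe: " + img})
			}
		}
	}
	return out
}

// Demo runs the hunt over SampleLog with a five-minute window.
func Demo() []Finding {
	events, err := ParseEvents(SampleLog)
	if err != nil {
		panic(err)
	}
	return HuntUpdaterAbuse(events, 5*time.Minute)
}

func main() {
	for _, f := range Demo() {
		fmt.Printf("%s %s %s: %s\n", f.Time.Format(time.RFC3339), f.Host, f.Image, f.Reason)
	}
}
```

On the sample, the signed installer fetched on ws-017 is left alone while the unsigned update.exe on ws-042 and the cmd.exe it spawns are both surfaced. This is a triage filter, not an indicator: plenty of legitimate software ships a binary called update.exe, so every hit still needs the binary's hash, signer and network activity reviewed before anyone declares an incident.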

Since high-profile supply-chain attacks like SolarWinds, hijacking software updates has turned into a go-to method for state-backed hackers. Here, the target was specific, but it highlights just how fast a common tool can be weaponized once attackers seize control of the update process.
