Notepad++’s updater was hijacked by nation-state attackers who compromised the hosting provider’s infrastructure and redirected update traffic to attacker-controlled servers, rather than exploiting flaws in the Notepad++ code itself. The campaign began in June 2025 with the compromise of a shared hosting server and continued until at least 2 December 2025, according to the advisory published by the software maintainers and corroborated by researchers.
The attackers intercepted and rerouted update manifests for targeted users. The security assessment describes the compromise as occurring at the hosting provider level rather than within Notepad++’s code. Researchers linked the activity to a likely Chinese state-sponsored group, based on the highly selective targeting. The incident ended with the hosting provider moving customers to a new server and rotating credentials.
The updater has since been strengthened to verify installer certificates and signatures, with stricter checks planned for the upcoming v8.9.2 release. The security expert’s analysis notes the attack ceased on 10 November 2025, while the hosting provider’s position cites possible attacker access until 2 December 2025.
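The certificate and signature check mentioned above is what makes a redirected download harmless: the installer is trusted because of who signed it, not because of which server delivered it. The following is an added example, not the Notepad++ updater's own code; the function name `Test-InstallerSignature`, the installer path and the thumbprint value are hypothetical placeholders.

```powershell
# Added example: gate an installer on its Authenticode signature and a pinned signer.
# $PinnedThumbprint is a PLACEHOLDER; obtain the real value from the publisher's
# signing certificate through a channel independent of the update server.
$PinnedThumbprint = '<PUBLISHER-CERT-THUMBPRINT-PLACEHOLDER>'

function Test-InstallerSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Warning "Installer not found: $Path"
        return $false
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # Status is 'Valid' only if the file is signed, unmodified since signing,
    # and the certificate chains to a root trusted on this machine.
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        Write-Warning "Rejected: signature status is $($sig.Status) ($($sig.StatusMessage))"
        return $false
    }

    # A valid signature from any trusted publisher is not enough: pin the signer.
    $actual = $sig.SignerCertificate.Thumbprint
    if ($actual -ne $ExpectedThumbprint.Replace(' ', '')) {
        Write-Warning "Rejected: unexpected signer $actual ($($sig.SignerCertificate.Subject))"
        return $false
    }
    return $true
}

# Run the downloaded installer only if the check passes; otherwise discard it.
$installer = Join-Path $env:TEMP 'downloaded-installer.exe'   # constructed path
if (Test-InstallerSignature -Path $installer -ExpectedThumbprint $PinnedThumbprint) {
    Start-Process -FilePath $installer -Wait
} else {
    Remove-Item -LiteralPath $installer -ErrorAction SilentlyContinue
}
```

A pinned thumbprint has to be updated whenever the publisher rotates its signing certificate, so a rejection after a legitimate renewal is expected until the pin is refreshed.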