SecurityWeek reports that the Notepad++ supply chain incident was carried out by a China-linked threat actor through a compromised hosting provider and targeted only certain Notepad++ customers. The attack appears to have begun in June 2025, and the hosting server remained compromised until 2 September, when the system underwent maintenance and kernel/firmware updates.
Credentials obtained by the attackers persisted until 2 December, allowing them to direct traffic destined for Notepad++ update servers to attacker-controlled servers to deliver malware. The compromise occurred at the hosting provider level rather than through Notepad++ code vulnerabilities, and traffic from targeted users was selectively redirected to malicious update manifests.
According to Notepad++ creator Don Ho and security experts, multiple independent researchers assess that the threat actor is likely a Chinese state-sponsored group, which would explain the highly selective targeting. Notepad++ has since migrated to a new hosting provider and implemented client-side changes to verify update integrity.