Notepad++ went through a months-long supply chain compromise when state-sponsored actors hijacked its update infrastructure, targeting a subset of users while leaving most unaffected. The breach ran from June 2025 until 2 December 2025. The attackers gained access at the level of the shared hosting provider, which let them silently intercept traffic destined for the official site and reroute it to servers under their control.
The attackers exploited insufficient update verification controls in older Notepad++ versions before the hosting provider evicted them. Independent researchers involved in the investigation have assessed that the threat actor is likely a Chinese state-sponsored group, which would explain the highly selective targeting observed during the campaign.
In response, Notepad++ migrated to a new hosting provider and overhauled its update mechanism, WinGup, to version 8.8.9, adding verification of certificates and signatures and introducing XMLDSig signing for update instructions. Users are advised to update to version 8.8.9 or later to benefit from these protections.