thehackernews.com 2/2/2026, 10:10:39 AM · via preferred

Notepad++ Official Update Mechanism Hijacked to Deliver Malware to Select Users

The Notepad++ project says state-sponsored attackers hijacked the update mechanism to redirect update traffic to malicious servers, affecting select users. According to Notepad++ maintainer Don Ho, the attack involved an infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus[.]org.

He added that the compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code, and that the exact mechanism is still under investigation. The incident follows an earlier issue disclosed in December 2025, when Notepad++ addressed a problem that caused WinGUp updater traffic to be redirected to malicious domains, leading to poisoned downloads.

Beaumont revealed that Chinese threat actors were observed exploiting the flaw to hijack networks and mislead targets into downloading malware, and the Notepad++ site has since migrated to a new hosting provider. The former hosting provider said the shared server was compromised until 2 September 2025, with attackers retaining credentials to internal services until 2 December 2025 to continue redirecting traffic.

Article by CyberSIXT