Notepad++'s update infrastructure was compromised for six months, allowing attackers to intercept and redirect update traffic and deliver backdoored versions to selected targets, according to the developer's post and subsequent advisories. The incident began last June with an infrastructure-level compromise, and Notepad++ did not regain control of its infrastructure until December, with attacker credentials reportedly remaining on internal services until December 2.
Multiple investigators have tied the attackers to the Chinese government, according to the report and to those familiar with the case. The activity involved targeting Notepad++ domains to exploit the weak update verification in older versions of the editor.
Independent researcher Kevin Beaumont said three organisations reported security incidents where Notepad++ installations saw hands-on-keyboard activity, implying direct control via a web interface, and he cautioned that search results contain trojanised Notepad++ extensions.
The guidance to users emphasises upgrading to the official version 8.8.8[.]8 or higher installed manually from notepad-plus-plus[.]org, and larger organisations are advised to block access to the update domain or the gup[.]exe process unless they have robust monitoring in place.
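One way to operationalise that guidance on a Windows fleet is to audit each host for an out-of-date install and check the Authenticode signatures of the editor and its bundled updater. The script below is an added example, not code from the article or the Notepad++ project; the minimum version is a parameter you set from the vendor advisory, and the registry and file paths assumed are those of the standard Notepad++ installer.

```powershell
# Added example (not from the article or the Notepad++ project): audit one Windows host
# for a Notepad++ install below a minimum version and check the Authenticode signatures
# of notepad++.exe and the bundled updater GUP.exe (the gup.exe process the advice names).
# $MinimumVersion is an assumption; set it to the version named in the vendor advisory.
param(
    [version]$MinimumVersion = [version]'8.8.8'   # assumption: take from the advisory
)

# Uninstall keys written by the standard Notepad++ installer (64-bit and 32-bit views)
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Notepad++',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Notepad++'
)

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key

    # Normalise DisplayVersion (e.g. "8.7.9") into a comparable [version]
    $installed = [version](($props.DisplayVersion -replace '[^\d.]', '').TrimEnd('.'))

    # Prefer InstallLocation; fall back to the directory of the quoted uninstaller path
    $dir = $props.InstallLocation
    if (-not $dir) { $dir = Split-Path ($props.UninstallString.Trim('"')) }

    # Signature state of the editor and of the updater that fetches updates
    $sigs = foreach ($rel in 'notepad++.exe', 'updater\GUP.exe') {
        $path = Join-Path $dir $rel
        if (Test-Path $path) {
            $s = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{ File = $rel; Status = $s.Status; Signer = $s.SignerCertificate.Subject }
        } else {
            [pscustomobject]@{ File = $rel; Status = 'Missing'; Signer = $null }
        }
    }

    # One record per install; anything BelowMinimum or with a non-Valid signature needs a look
    [pscustomobject]@{
        Host             = $env:COMPUTERNAME
        InstalledVersion = $installed
        BelowMinimum     = ($installed -lt $MinimumVersion)
        InstallDir       = $dir
        Signatures       = $sigs
    }
}
```

Run it across hosts with `Invoke-Command -FilePath` over PowerShell remoting and triage any record where `BelowMinimum` is true or a signature `Status` is not `Valid`.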