Notepad++ Update System Compromised to Target Users with Malware
Notepad++, a widely used text editor, has experienced a significant security breach involving its update system. State-sponsored attackers have compromised the update mechanism to redirect users to malicious servers, raising critical concerns for its user base.
Details of the Compromise
Developer Don Ho disclosed that the attack was not due to vulnerabilities within the Notepad++ code itself. Instead, it resulted from compromises made at the hosting provider level. This infrastructure-level breach enabled malicious actors to intercept and redirect traffic intended for notepad-plus-plus.org.
Timeline of Events
The incident began in June 2025 and remained undetected until early 2026. Notably, it followed the release of Notepad++ version 8.8.9, which had addressed a previous issue where traffic from WinGUp, the Notepad++ updater, was being redirected to harmful domains. That flaw allowed attackers to deliver malicious executables by fooling the updater into retrieving a compromised binary from rogue servers.
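As an added illustration (not Notepad++ or WinGUp code), the two checks an updater needs against exactly this failure mode: refusing redirects that leave the official host or drop to plain HTTP, and verifying the installer against a signature made with a key whose public half is compiled into the client. The host name, key pair and installer bytes are constructed for the demo; when the official host's own traffic is hijacked at the hosting layer, as the article describes, only the signature check still protects the user.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// The only host the updater may fetch from (assumed for this example, not WinGUp's real config).
const officialHost = "notepad-plus-plus.org"

// checkHop rejects any hop that leaves the official host or downgrades to plain HTTP.
func checkHop(u *url.URL) error {
	if u.Scheme != "https" {
		return fmt.Errorf("refusing non-HTTPS hop to %q", u.String())
	}
	if u.Hostname() != officialHost {
		return fmt.Errorf("refusing redirect to %q, expected %q", u.Hostname(), officialHost)
	}
	return nil
}

// checkRedirect wires checkHop into http.Client so a 3xx cannot silently move the download.
func checkRedirect(req *http.Request, via []*http.Request) error { return checkHop(req.URL) }

// verifyInstaller checks a detached Ed25519 signature over the installer's SHA-256 with a
// public key embedded in the client; a hash or signature served by the same server proves nothing.
func verifyInstaller(pub ed25519.PublicKey, installer, sig []byte) error {
	digest := sha256.Sum256(installer)
	if !ed25519.Verify(pub, digest[:], sig) {
		return errors.New("installer signature invalid; refusing to install")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed demo key pair
	installer := []byte("constructed installer bytes")
	digest := sha256.Sum256(installer)
	sig := ed25519.Sign(priv, digest[:])
	_ = &http.Client{CheckRedirect: checkRedirect} // the client that would do the real download
	fmt.Println("genuine:", verifyInstaller(pub, installer, sig))
	fmt.Println("tampered:", verifyInstaller(pub, append(installer, '!'), sig))
	rogue, _ := url.Parse("https://rogue.example/npp.exe")
	fmt.Println("redirect:", checkHop(rogue))
}
```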
Targeted Redirection
Initial reports suggest that the redirection targeted only specific users, leading to the download of harmful components. Security researcher Kevin Beaumont indicated that threat actors based in China exploited this flaw for network hijacking and malware distribution.
Actions Taken Post-Incident
In light of this security breach, Notepad++ has migrated its website and services to a new hosting provider. The former hosting provider revealed that the shared server was compromised until September 2, 2025. Furthermore, even after losing server access, the attackers maintained credentials to internal services until December 2, 2025, which enabled continued malware redirection.
- Incident Commencement: June 2025
- Detection: February 2026
- Server Compromise Duration: Until September 2, 2025
- Continued Credentials Access: Until December 2, 2025
As investigations continue, users are urged to remain vigilant regarding their Notepad++ updates and to ensure they are downloading from the official website to avoid potential malware risks.