
Chinese State Hackers Turned Notepad++'s Own Update System Against Users for Six Months

Notepad++ confirms six-month supply chain attack by Chinese state hackers who hijacked its update system to deliver malware.

Notepad++ Hacked

The popular text editor Notepad++ has confirmed what security researchers feared: Chinese state-sponsored hackers successfully hijacked its update mechanism for half a year, turning routine software updates into a malware delivery pipeline for select targets.

Maintainer Don Ho revealed today that attackers compromised the hosting infrastructure starting in June 2025, selectively redirecting update requests from specific users to malicious servers. The revelation follows December's emergency release of version 8.8.9, which patched critical weaknesses in how the updater verified software authenticity.

The compromise didn't exploit flaws in Notepad++'s code itself. Instead, attackers breached the shared hosting server that powered notepad-plus-plus.org, gaining the ability to intercept update traffic at the infrastructure level.

When targeted users ran the built-in WinGUp updater, their requests were quietly rerouted to attacker-controlled servers distributing trojanized installers.

"The exact technical mechanism remains under investigation, though the compromise occurred at the hosting provider level," Ho stated in today's security disclosure.

The attackers demonstrated surgical precision. Rather than carpet-bombing all Notepad++ users with malware, they cherry-picked victims—primarily telecommunications and financial services organisations in East Asia. 

Security researcher Kevin Beaumont, who first raised red flags in early December, reported that compromised systems showed signs of hands-on-keyboard reconnaissance, with attackers enumerating network connections and exfiltrating system details.

Multiple independent researchers have attributed the campaign to Chinese state-sponsored actors, likely the group tracked as Violet Typhoon (APT31), based on the highly selective targeting and the resources required to intercept rare update traffic at the ISP level.

According to the hosting provider's forensic investigation, attackers retained access to the shared server from the initial compromise until September 2, 2025, when scheduled maintenance temporarily locked them out. But they'd already stolen credentials to internal services—allowing them to keep redirecting traffic until December 2, even without direct server access.

The provider confirmed attackers "specifically searched for the notepad-plus-plus.org domain to intercept traffic, as they might know the then-existing Notepad++ vulnerabilities related to insufficient update verification controls."

Beaumont's December analysis proved prescient: "Because traffic to notepad-plus-plus.org is fairly rare, it may be possible to sit inside the ISP chain and redirect to a different download. To do this at any kind of scale requires a lot of resources."

Before version 8.8.8 (released November 2025), Notepad++'s updater lacked critical hardening. It didn't restrict download sources and failed to properly verify installer signatures and certificates. This created an opening: if attackers could position themselves between the updater and the legitimate server, they could substitute malicious binaries that would execute without resistance.

This wasn't Notepad++'s first brush with installer vulnerabilities. Earlier in 2025, researchers disclosed CVE-2025-49144, a privilege escalation flaw in version 8.8.1 that allowed attackers to plant malicious executables during installation. That vulnerability, stemming from insecure search path handling, could grant SYSTEM-level privileges to attackers who tricked users into downloading compromised files alongside the legitimate installer.

Ho has migrated notepad-plus-plus.org to a new hosting provider with enhanced security architecture. Version 8.8.9, released December 9, introduced mandatory certificate and signature verification—the updater now aborts if presented with unsigned or improperly signed installers. Version 8.9.2, expected within a month, will enforce XMLDSig signing for all update metadata.

"I deeply apologise to all users affected by this hijacking," Ho wrote. "I recommend downloading v8.9.1 and running the installer to update your Notepad++ manually."

For organisations running Notepad++ at scale, security experts recommend immediate action: update to version 8.8.9 or later, audit systems for suspicious gup.exe network activity beyond official domains, and consider blocking the updater process from internet access in managed environments where automated updates aren't needed.
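One way to carry out the audit step above, as an added example that is not the project's or the article's own code: a small Python filter over constructed Sysmon-style network-connection records that flags any gup.exe connection to a host outside an allowlist. notepad-plus-plus.org is the only update domain the article names; any further permitted hosts are an assumption an organisation would add itself.

```python
# Added example (not from the Notepad++ project or the article): flag WinGUp
# (gup.exe) connections whose destination is not an allowed update host.
import re

# Allowlist: notepad-plus-plus.org is the domain named in the article; any
# other hosts an organisation permits are its own assumption to add here.
ALLOWED_UPDATE_DOMAINS = ("notepad-plus-plus.org",)

# Constructed sample records, shaped like Sysmon Event ID 3 key=value fields.
SAMPLE_LOG = """\
Image=C:\\Program Files\\Notepad++\\updater\\gup.exe DestinationHostname=notepad-plus-plus.org DestinationIp=203.0.113.10 DestinationPort=443
Image=C:\\Program Files\\Notepad++\\updater\\GUP.EXE DestinationHostname=notepad-plus-plus.org.example.net DestinationIp=198.51.100.7 DestinationPort=443
Image=C:\\Program Files\\Notepad++\\updater\\gup.exe DestinationHostname=- DestinationIp=198.51.100.22 DestinationPort=80
Image=C:\\Windows\\System32\\svchost.exe DestinationHostname=update.example.org DestinationIp=203.0.113.55 DestinationPort=443
"""

# Lazy value match: values (e.g. paths) may contain spaces, so stop only
# before the next " key=" token or the end of the line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_record(line):
    """Turn one 'k=v k=v ...' record into a dict."""
    return dict(FIELD_RE.findall(line.strip()))

def host_allowed(hostname, allowed=ALLOWED_UPDATE_DOMAINS):
    """True only for an allowed domain or a genuine subdomain of one.
    A plain suffix test would accept notepad-plus-plus.org.example.net,
    so require an exact match or a label boundary ('.') before the domain."""
    h = hostname.strip().lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in allowed)

def suspicious_updater_connections(log_text, allowed=ALLOWED_UPDATE_DOMAINS):
    """Return records where gup.exe connected somewhere off the allowlist.
    Connections with no resolved hostname (bare IP) are flagged as well,
    since the updater should only be reaching a named update host."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        image = rec.get("Image", "").lower()
        if not image.endswith("\\gup.exe"):
            continue  # only the Notepad++ updater process is of interest
        host = rec.get("DestinationHostname", "-")
        if host in ("", "-") or not host_allowed(host, allowed):
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for r in suspicious_updater_connections(SAMPLE_LOG):
        print("SUSPICIOUS:", r["DestinationHostname"], r["DestinationIp"])
```

On real data the same function can be fed exported Sysmon or EDR connection events, matching on the process image rather than on any particular installation path.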
