State-sponsored attackers hijacked Notepad++’s update mechanism, redirecting updater traffic to malicious servers, and retained access to internal credentials until December 2, 2025, the project's maintainer said in a Notepad++ security advisory.
KEY FACTS
- Incident: Update mechanism hijacked to serve malicious binaries
- Cause: Compromise at the hosting provider level rather than a flaw in application code
- Timeline: Activity began in June 2025; credentials persisted until December 2, 2025
- Scope: Redirection appears highly targeted to a subset of users
The intrusion at the hosting provider level allowed attackers to intercept and redirect update requests destined for notepad-plus-plus.org.
The updater, WinGUp, checked the integrity and authenticity of downloaded files in a way that an attacker able to intercept network traffic could abuse, allowing a different binary to be delivered to the client.
The redirection was highly targeted, with only some users routed to rogue servers that delivered malicious components. Evidence points to exploitation beginning in June 2025.
The project website has been migrated to a new hosting provider. The exact mechanism used to perform the interception remains under investigation, and the full scope of affected users is unknown.
WHY IT MATTERS
Control of an update channel lets attackers deliver malicious software through a legitimate distribution path. Administrators and users should treat updates carefully and verify downloads against trusted sources.
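To make the interception risk described above concrete, and to show what "verify against a trusted source" means for an updater, here is an added example that is not code from Notepad++ or WinGUp and does not reproduce the advisory's actual flaw. It assumes a hypothetical updater design in which a manifest (version plus installer hash) is fetched from the same server as the binary, and contrasts a hash-only check with one that also requires the manifest to carry a signature verifiable by a public key pinned in the client; the key pair, manifest format and installer bytes are constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Manifest is the hypothetical update metadata a client fetches from the update server.
type Manifest struct {
	Version string
	SHA256  string // hex digest of the installer the manifest points to
	Sig     []byte // Ed25519 signature over Version|SHA256, made offline by the project
}

func signedBytes(m Manifest) []byte { return []byte(m.Version + "|" + m.SHA256) }

func digest(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// weakVerify checks the binary only against a hash that arrived over the same
// channel as the binary. An attacker who can redirect that channel rewrites
// both the manifest and the binary, so the check passes for the rogue file.
func weakVerify(m Manifest, binary []byte) bool { return digest(binary) == m.SHA256 }

// pinnedVerify additionally requires the manifest to be signed by a key the
// client carries from install time, which an on-path attacker cannot forge.
func pinnedVerify(pinned ed25519.PublicKey, m Manifest, binary []byte) bool {
	return ed25519.Verify(pinned, signedBytes(m), m.Sig) && weakVerify(m, binary)
}

// Scenario models the hijack: a genuine release, then an intercepted channel
// serving a substituted binary with a matching, attacker-made manifest.
// Returns (weak accepts rogue, pinned accepts rogue, pinned accepts genuine).
func Scenario() (bool, bool, bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // project key; pub is what the client pins
	genuine := []byte("constructed sample: genuine installer bytes")
	m := Manifest{Version: "sample-1.0", SHA256: digest(genuine)}
	m.Sig = ed25519.Sign(priv, signedBytes(m))

	rogue := []byte("constructed sample: substituted installer bytes")
	_, rogueKey, _ := ed25519.GenerateKey(rand.Reader) // attacker never holds priv
	rm := Manifest{Version: "sample-1.0", SHA256: digest(rogue)}
	rm.Sig = ed25519.Sign(rogueKey, signedBytes(rm))

	return weakVerify(rm, rogue), pinnedVerify(pub, rm, rogue), pinnedVerify(pub, m, genuine)
}

func main() {
	w, p, g := Scenario()
	fmt.Printf("hash-only check accepts rogue update: %v\n", w)
	fmt.Printf("pinned-key check accepts rogue update: %v, genuine update: %v\n", p, g)
}
```

The same principle applies to a person checking a download by hand: a hash copied from the page the file came from proves nothing if that page can be redirected, whereas a hash or signature obtained through a separate, trusted path does.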