Notepad++ update service hijacked in targeted state-linked attack

Popular text editor Notepad++ fell victim to a months-long compromise of its update infrastructure, with attackers selectively targeting users with interests in East Asia.

Notepad++ has confirmed that its update service was compromised by state-sponsored hackers in a sophisticated attack that lasted for months in 2025. The incident, which affected the popular text editor used by millions of developers worldwide, involved attackers redirecting traffic from targeted users to malicious update manifests hosted on attacker-controlled servers.

The timeline of compromise

The attack began in June 2025 when attackers gained access to Notepad++'s shared hosting service. This initial compromise lasted until September 2, during which time the attackers established persistent access to internal services. Even after losing direct access to the hosting environment, the attackers retained credentials for internal systems until December 2, 2025.

Notepad++'s author estimates that the overall compromise period spanned from June through December 2, 2025, when all attacker access was definitively terminated. However, security researcher Kevin Beaumont noted suspicious activity as early as December 2, when he heard from multiple organizations that had experienced security incidents involving Notepad++ processes spawning initial access for hands-on-keyboard threat actors.

Technical details of the attack

The attackers exploited weaknesses in Notepad++'s update verification controls in older versions of the editor. The exact mechanism remains under investigation, but the core issue involved a compromised hosting server and inadequate update verification controls. Traffic from certain targeted users was selectively redirected to attacker-controlled servers serving malicious update manifests.

In response to the breach, Notepad++ released version 8.8.9 on December 9, which included hardened verification of signatures and certificates during the update process. This was followed by version 8.9 on December 27, which dropped the use of a self-signed certificate entirely. The project now only uses legitimate certificates issued by GlobalSign to sign release binaries.

Targeted nature of the attack

What makes this compromise particularly concerning is its highly selective targeting. According to Beaumont, the activity appeared very targeted, with the limited number of victims he spoke to having interests in East Asia. This selective approach suggests the attackers were pursuing specific objectives rather than conducting a broad compromise.

Several independent security researchers believe the threat actor was likely a Chinese state-sponsored group, which would explain the highly selective targeting observed during the campaign. This assessment aligns with China's documented history of computer and network intrusion activities, including recent warnings from CISA about Chinese actors maintaining access to critical US networks for years in some cases.

Response and remediation

Notepad++ has taken several steps to address the compromise and prevent future incidents:

• Moved to a new hosting provider with significantly stronger security practices
• Hardened the update process with certificate and signature verification
• Released updated versions with improved security controls
• Recommended users remove previously installed self-signed root certificates

The project has stated that certificate and signature verification will be enforced starting with upcoming version 8.9.2, expected in about one month. Notepad++'s author expressed confidence that the situation has been fully resolved, though the cautious "fingers crossed" suggests awareness of the ongoing risks in software supply chain security.

Impact on users

Users of affected Notepad++ versions should take immediate action:

1. Check for and remove any previously installed Notepad++ root certificates
2. Manually download and install the latest release from the official website
3. Ensure automatic updates are enabled to receive security patches
4. Monitor for any unusual system behavior that might indicate compromise

Security researcher Kevin Beaumont commended Notepad++ for its response, noting on Mastodon that the development team "did a great job treating issue seriously." This positive assessment of the response stands in contrast to the severity of the compromise itself.

Broader implications

The Notepad++ compromise highlights the ongoing challenges in software supply chain security. Even well-established projects with large user bases can fall victim to sophisticated attacks targeting their infrastructure. The selective nature of this attack, combined with the extended timeline of the compromise, demonstrates the patience and resources available to state-sponsored threat actors.

This incident joins a growing list of high-profile software supply chain attacks, including those targeting SolarWinds, Log4Shell vulnerabilities, and various package manager compromises. Each incident reinforces the need for robust security practices throughout the software development and distribution lifecycle.

As organizations increasingly rely on open-source and third-party software components, the security of these dependencies becomes critical. The Notepad++ incident serves as a reminder that even seemingly simple tools can become vectors for sophisticated attacks when their update mechanisms are compromised.

The targeted nature of this attack, focusing on users with interests in East Asia, also underscores how software supply chain compromises can be used for intelligence gathering and targeted surveillance. This represents a significant escalation from opportunistic attacks to carefully planned operations with specific geopolitical objectives.

For developers and organizations using Notepad++, the incident emphasizes the importance of staying current with security updates and being vigilant about the software supply chain. While Notepad++ has taken appropriate steps to address this specific compromise, the broader challenge of securing software distribution channels remains an ongoing concern for the entire technology industry.