Notepad++ update service hijacked in targeted state-linked attack

Summary

Notepad++’s update infrastructure was compromised in 2025 by a likely state-sponsored actor, who selectively redirected some users to attacker-controlled update manifests. The project’s author says the breach began in June, with attacker access persisting in stages until 2 December 2025. Notepad++ has since moved hosting providers and hardened its updater: signature and certificate checks are now enforced and the project has dropped the use of a self-signed root certificate in favour of a GlobalSign-issued certificate.

Key Points

  • The compromise started in June 2025 and the project estimates attacker access lasted until 2 December 2025.
  • Attackers hijacked the update chain by redirecting traffic from certain targeted users to malicious update manifests on attacker-controlled servers.
  • Activity appears highly selective and targeted; independent researchers point to a China-linked state actor as the likely culprit.
  • Notepad++ has enforced certificate and signature verification (starting v8.8.9 hardening) and replaced its self-signed root with a GlobalSign certificate; further enforcement expected in v8.9.2.
  • No clear IoCs were found after analysing hundreds of gigabytes of logs; the malicious files were typically named update.exe, updater.exe or AutoUpgrade.exe (none of which is part of a legitimate Notepad++ distribution).
  • Users are advised to manually download and install the latest Notepad++ to update both the app and the hardened updater, and to remove any previously installed self-signed root certificate.

Content summary

The Notepad++ author revealed that a shared hosting provider was breached, which allowed attackers to selectively redirect update requests for a subset of users to malicious installers. While the hosting compromise was resolved by early September, the attackers retained credentials to internal services until December, prolonging the effective compromise period.

Security researcher reports flagged unusual incidents in which Notepad++ processes appeared to be the source of initial access on affected machines; those incidents were few and seemed focused on targets with interests in East Asia. The project’s response included changing hosting providers, removing reliance on a self-signed root certificate, and enforcing stronger certificate/signature checks in the updater. The project recommends that users manually install the latest release to ensure they have the secure updater.

Context and relevance

This is a textbook supply-chain/update-chain attack: compromise the distribution or update mechanism and you can deliver bespoke malware to selected victims without exploiting the application directly. Such attacks are favoured by advanced persistent threat (APT) groups because they allow stealthy, targeted intrusions.

For organisations and security teams, the incident underlines two consistent lessons: (1) treat update infrastructure as high-risk and protect it accordingly, and (2) enforce cryptographic verification of updates (signed binaries, trusted PKI) so redirection or hosting compromises cannot be abused. The lack of concrete IoCs makes detection harder and elevates the importance of preventative controls and telemetry on update activity.
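As an added example (not code from the article or from the Notepad++ project), the following PowerShell triage check applies the indicators the article does give to an endpoint: the three reported file names, the Authenticode status of the installed binaries, and any self-signed certificate in the trusted root stores whose subject mentions Notepad. The install paths and the `*Notepad*` subject filter are assumptions; adjust them to your environment.

```powershell
# Added example: endpoint triage for the Notepad++ update-chain incident.
# Assumptions: default install paths; the old self-signed root is identified
# only by a placeholder subject filter ('*Notepad*').
$nppDirs = @("$env:ProgramFiles\Notepad++", "${env:ProgramFiles(x86)}\Notepad++")
$suspectNames = @('update.exe', 'updater.exe', 'AutoUpgrade.exe')   # names reported in the article
$findings = @()

foreach ($dir in $nppDirs) {
    if (-not (Test-Path $dir)) { continue }

    # 1. Files carrying the names the article reports for the malicious updaters.
    Get-ChildItem -Path $dir -Recurse -File -Include $suspectNames -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "Suspect file name: $($_.FullName)" }

    # 2. Authenticode status of every executable and DLL in the install tree.
    Get-ChildItem -Path $dir -Recurse -File -Include '*.exe', '*.dll' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                $findings += "Unsigned or invalid signature ($($sig.Status)): $($_.FullName)"
            }
            elseif ($sig.SignerCertificate.Subject -eq $sig.SignerCertificate.Issuer) {
                # Subject equal to issuer means a self-signed signer; the hardened
                # updater is signed with a GlobalSign-issued certificate instead.
                $findings += "Self-signed signer on: $($_.FullName)"
            }
        }
}

# 3. Self-signed roots in the user and machine trust stores. Every root is
#    self-signed by definition, so the subject filter is what narrows the hit.
foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like '*Notepad*' -and $_.Subject -eq $_.Issuer } |
        ForEach-Object { $findings += "Self-signed root in ${store}: $($_.Subject) [$($_.Thumbprint)]" }
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```

A hit in check 3 is the certificate the article advises removing (after confirming it against your own change records); hits in checks 1 and 2 warrant isolating the host and pulling the file for analysis rather than simply deleting it.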

Why should I read this?

Because if you run Notepad++ (or manage endpoints), this isn’t just a patch-note — it’s a reminder that even tiny, ubiquitous tools can be a stealthy attack vector. Quick read: check your installs, ditch any dodgy self-signed certs, and manually update to the fixed release. Saves you a messy incident later.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2026/02/02/notepad_plusplus_intrusion/