Notepad++ hijacked by suspected state-sponsored hackers
Summary
A software update mechanism for the popular text editor Notepad++ was hijacked by suspected Chinese state-sponsored actors. The compromise targeted the infrastructure that delivers updates — an “on-path” interception that redirected some users to malicious update servers — rather than the editor’s source code. The incident ran from June to December 2025. Notepad++ has migrated its update hosting and released hardening changes in version 8.9.1; users are urged to upgrade as a precaution.
Key Points
- The attackers intercepted and redirected update traffic destined for notepad-plus-plus.org, compromising the update delivery chain rather than the application code.
- The campaign used selective, on-path redirection affecting only a subset of users rather than a broad, mass deployment.
- The activity began in June 2025 and continued until December 2025, mirroring tactics seen in past incidents such as the ASUS ShadowHammer campaign.
- Multiple independent researchers assessed the activity as likely linked to a Chinese state-sponsored threat actor, based on infrastructure and operational patterns.
- Notepad++ moved its update infrastructure to a new hosting provider and added security controls in v8.9.1; users are advised to upgrade immediately.
Context and Relevance
This incident underlines the growing danger to software supply chains: even well-established, open-source projects can be attacked without tampering with source code. On-path or infrastructure-level compromises are harder to detect and may leave limited forensic traces, particularly when targeting is narrow and precise. For organisations and developers, it highlights the need to monitor update channels and adopt layered verification for software updates.
Why should I read this?
If you use Notepad++ or care about supply-chain security, this is one to skim now. The update channel — not the app — was hijacked, and attackers were picky about who they hit. We’ve saved you time: upgrade if you haven’t, check your update integrity practices, and note the pattern for future investigations.
Source
Source: https://therecord.media/popular-text-editor-hijacked-by-suspected-state-sponsored-hackers
