Monday, February 2, 2026


DIGITAL LIFE


Notepad++ confirms hijacked by Chinese state-sponsored hackers

Notepad++ reported that its built-in auto-update feature had been hijacked by Chinese state-sponsored hackers from June to September of 2025, and the credentials gathered by the bad actors enabled further exploits until December 2nd, 2025. In an effort to thwart similar issues moving forward, Notepad++ has moved to a hosting provider "with significantly stronger security practices", which has been in place since Notepad++ version 8.8.9. If you followed an auto-update prompt or started one through Notepad++ within the vulnerable timeframe, though, you'll very much want to scan your system for malware.

For existing Notepad++ users, the developers advise manually installing version 8.9.1, which includes a secured WinGUp updater, instead of auto-updating through your current version. As a Notepad++ user myself, I was able to install the new version of Notepad++ over my old installation without issue, and my system scanned clean before and after doing so. Notepad++ mentions that the compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself, but the application still received the updater hardening described above after being moved to a more secure provider, to reduce the chance of a recurrence.

This isn't the only time Notepad++ and its users have been targeted by cybercriminals, but last time it was through "notepad.plus", a "fan" site that was actually used to host malicious advertising and attempt to infect those looking for the legitimate Notepad++. This time the attack was more direct, though the full scale of harm done remains unknown. Similar to recent DarkSpectre stories, it does raise concerns about how existing auto-update infrastructure can be exploited, even against applications that seem or are legitimate. At least Notepad++ was informed of the breach by its old hosting provider and was able to move to a more secure host.

Notepad++, a popular text editor among programmers and technology professionals, was the target of a sophisticated cyberattack that lasted six months. Between June and December 2025, hackers sponsored by the Chinese government managed to hijack the software's update mechanism to distribute malware to specific targets.

The attack involved infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for the notepad-plus-plus[.]org website.

Don Ho, creator and maintainer of Notepad++, revealed full details of the incident on Monday. The information was shared after an investigation conducted in collaboration with external security experts and the shared hosting provider that was used at the time.

Highly targeted attack

The compromise occurred at the hosting provider level, not through vulnerabilities in the Notepad++ code itself. The attackers gained access to the shared hosting server and, from there, established the ability to selectively redirect update traffic from specific target users to servers controlled by them.

Instead of compromising all Notepad++ users at once, which would have been quickly detected, the hackers chose specific targets.

Traffic originating only from certain users was routed to malicious servers that delivered components disguised as legitimate updates, while other users continued to receive genuine updates normally.

Multiple independent security researchers have assessed that the threat actor is likely a Chinese state-sponsored group, identified as Violet Typhoon, also known as APT31. This group primarily targeted telecommunications and financial services organizations in East Asia.

How the attack was discovered

Security researcher Kevin Beaumont was the first to report, in early December 2025, that some organizations using Notepad++ were being targeted with malicious software updates.

According to Beaumont, hackers linked to China had exploited Notepad++ to gain initial access to the systems of telecommunications and financial services companies in East Asia.

The discovery prompted Don Ho to quickly release Notepad++ version 8.8.9 to address an issue that resulted in traffic from WinGUp, the Notepad++ updater, occasionally being redirected to malicious domains.

Specifically, the problem stemmed from how the updater verified the integrity and authenticity of the downloaded update file, allowing an attacker capable of intercepting network traffic between the updater client and the update server to trick the tool into downloading a different binary.

According to the detailed statement provided by the hosting provider, the shared server where Notepad++ was hosted was compromised until September 2, 2025.

On this date, the server underwent scheduled maintenance where the kernel and firmware were updated. After this update, the suspicious patterns in the logs disappeared, indicating that the attackers lost direct access to the server.

Even though they lost direct access to the server after September 2, the attackers still retained access credentials to the provider's internal services that they had captured during the initial compromise period.

With these credentials, even without directly controlling the server, they were able to continue redirecting some of the traffic destined for the Notepad++ update address to their own malicious servers until December 2, 2025.

The hosting provider confirmed that it found no evidence that other clients on the shared server were targeted.

The attackers specifically searched for the notepad-plus-plus.org domain in order to intercept traffic, demonstrating prior knowledge of existing vulnerabilities in the Notepad++ update verification system.

Remedial measures implemented

To definitively resolve the problem, Don Ho took several concrete steps. First, he migrated the entire Notepad++ website to a new hosting provider with significantly more rigorous security practices.

Next, he enhanced WinGUp in version 8.8.9 to verify both the digital certificate and the signature of the downloaded installer. Digital certificates and signatures are cryptographic mechanisms that ensure that a file actually came from the person who claims to have created it and that it has not been altered.

Furthermore, the XML returned by the update server is now signed using XMLDSig, a digital signature standard for XML documents. Certificate and signature verification will be mandatory starting with the next version 8.9.2, scheduled to be released approximately one month after the announcement.
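As an added illustration of the two points above (the verification gap described under "How the attack was discovered", and the certificate, signature and XMLDSig checks introduced in 8.8.9), here is a small Go model. It is not WinGUp's code and not from the Notepad++ project: it assumes a simplified manifest in place of the real update XML, uses an Ed25519 signature over that manifest as a stand-in for XMLDSig and Authenticode, and feeds constructed byte strings as the installer. It shows why a client that trusts whatever the update endpoint returns installs a substituted file, while a client holding a pinned publisher key refuses both a swapped installer and a swapped installer whose manifest hash was rewritten to match it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest stands in for the update XML the server returns (a constructed,
// simplified format, not WinGUp's real schema).
type Manifest struct {
	Version      string
	InstallerSHA string // hex SHA-256 the publisher computed over the installer
}

// Bytes is the canonical byte form the signature covers.
func (m Manifest) Bytes() []byte { return []byte(m.Version + "\n" + m.InstallerSHA) }

// Response is what the update endpoint hands back: the manifest, the publisher's
// signature over it (Ed25519 as a stand-in for XMLDSig), and the installer bytes.
type Response struct {
	Manifest  Manifest
	Signature []byte
	Installer []byte
}

var (
	ErrManifestSig   = errors.New("manifest signature invalid: refusing update")
	ErrInstallerHash = errors.New("installer hash does not match manifest: refusing install")
)

// NewPublisherKey creates the publisher's signing key. The public half is the
// value an updater would ship pinned inside its own binary.
func NewPublisherKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Publish builds the genuine server response: hash the installer, record the
// hash in the manifest, sign the manifest.
func Publish(priv ed25519.PrivateKey, version string, installer []byte) Response {
	sum := sha256.Sum256(installer)
	m := Manifest{Version: version, InstallerSHA: hex.EncodeToString(sum[:])}
	return Response{Manifest: m, Signature: ed25519.Sign(priv, m.Bytes()), Installer: installer}
}

// VulnerableUpdate models the pre-8.8.9 behaviour the page describes: whatever
// binary the (possibly redirected) server returns is accepted as the update.
func VulnerableUpdate(r Response) ([]byte, error) {
	return r.Installer, nil
}

// HardenedUpdate models the 8.8.9+ behaviour: the manifest must verify under
// the pinned publisher key, and the installer must hash to the value the signed
// manifest names. Anything else is refused before it is ever executed.
func HardenedUpdate(pinned ed25519.PublicKey, r Response) ([]byte, error) {
	if !ed25519.Verify(pinned, r.Manifest.Bytes(), r.Signature) {
		return nil, ErrManifestSig
	}
	sum := sha256.Sum256(r.Installer)
	if hex.EncodeToString(sum[:]) != r.Manifest.InstallerSHA {
		return nil, ErrInstallerHash
	}
	return r.Installer, nil
}

// SwapInstaller models a substituted download on the redirected path. With
// rewriteManifest set, the manifest's hash field is changed to match the
// substitute, which then fails the publisher's signature check instead.
// Response is passed by value, so the caller's genuine copy is untouched.
func SwapInstaller(r Response, replacement []byte, rewriteManifest bool) Response {
	r.Installer = replacement
	if rewriteManifest {
		sum := sha256.Sum256(replacement)
		r.Manifest.InstallerSHA = hex.EncodeToString(sum[:])
	}
	return r
}

func main() {
	pub, priv := NewPublisherKey()
	genuine := Publish(priv, "8.8.9", []byte("constructed: genuine installer bytes"))
	swapped := SwapInstaller(genuine, []byte("constructed: substituted bytes"), false)

	_, err := VulnerableUpdate(swapped)
	fmt.Println("legacy updater accepted substituted file:", err == nil)
	_, err = HardenedUpdate(pub, swapped)
	fmt.Println("hardened updater, installer swapped:", err)
	_, err = HardenedUpdate(pub, SwapInstaller(genuine, []byte("x"), true))
	fmt.Println("hardened updater, manifest rewritten too:", err)
	_, err = HardenedUpdate(pub, genuine)
	fmt.Println("hardened updater, genuine response:", err)
}
```

The design point is the order of checks: the signature over the manifest is verified first with a key the client already holds, so a redirected server that controls both the manifest and the download still cannot produce a manifest the client accepts; only then is the installer compared against the hash the signed manifest names. A hash published alongside the download on the same compromised path would give no protection on its own.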

Supply chain attacks

This incident falls under a category of attacks known as software supply chain attacks. This type of attack does not directly target the program that users use, but rather the infrastructure that distributes updates to that program.

State-sponsored groups, especially from China, North Korea, and Russia, have shown increasing interest in compromising software supply chains as a way to gain access to target organizations.

Instead of attempting to directly infiltrate organizations' networks, attackers find vulnerable points in the supply chain and use this as an initial entry vector.

Don Ho published full details of the investigation and took public responsibility for what happened, even though technically the failure was at the hosting provider.

"I deeply apologize to all users affected by this hijacking," Ho wrote in the official statement. He concluded by saying he believed the situation had been completely resolved with all the changes and security reinforcements implemented, but maintained a humility appropriate for someone who had just dealt with a state-sponsored hacking attack.

Notepad++ users should ensure they are running at least version 8.8.9 of the software, which includes critical security fixes for the update mechanism.

mundophone
