Notepad++ says Chinese hackers breached its update system
Breach lasted for several months

Feb 03, 2026
02:53 pm

What's the story

Notepad++, a popular text and source code editor, has revealed that its update system was hijacked in a targeted cyberattack. The breach, which is believed to have been carried out by state-sponsored Chinese hackers, redirected certain users to malicious servers. The company has since contained the breach by implementing stricter security checks and update protections.

Methodology

Breach lasted for several months

The attackers behind the Notepad++ breach are said to have hijacked the software's update mechanism for several months last year. They intercepted and selectively redirected update requests, sending certain users to malicious servers with altered update information. The attack is believed to have started in June 2025 and continued until early December, according to BleepingComputer.

Targeted approach

Attack highly selective, only certain systems affected

Unlike a typical cyberattack that targets all users, this one was highly selective. Security experts working on the case said only certain systems were affected, not the entire Notepad++ user base. This selective targeting and the sophistication of the attack have led multiple independent analysts to believe it was likely carried out by a Chinese government-aligned group.

Exploitation

Selective attack exploited vulnerabilities in update tool

The attackers are said to have exploited vulnerabilities in older versions of Notepad++'s WinGUp update tool, which did not sufficiently verify update files. Logs from the hosting provider suggest that the server supporting Notepad++'s update application may have been compromised. This allowed the attackers to manipulate traffic and deliver malicious update manifests.

Persistence

Notepad++ has moved to a new hosting provider

The unauthorized access continued until December 2, 2025, when the hosting provider detected suspicious activity and terminated the connection. In response to this attack, Notepad++ has moved its infrastructure to a new hosting provider with stronger safeguards. The team has also rotated potentially exposed credentials, patched vulnerabilities, and reviewed logs to confirm that the malicious activity has ceased.

Security measures

Update to fix issues with WinGUp updater

Notepad++ released version 8.8.9 in December to fix issues with the WinGUp updater. From this version onward, installer certificates and signatures are verified, and update XML files are cryptographically signed. A further change is expected in version 8.9.2, which will make certificate signature verification for updates mandatory.
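
How an update client can refuse a rewritten manifest or a swapped installer, as an added example that is not Notepad++'s or WinGUp's code. The manifest layout, the Ed25519 key, the example hostnames and the `VerifyUpdate` and `Sample` names are assumptions for illustration, and a digest pinned in the signed manifest stands in here for the installer certificate check the article mentions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/xml"
	"fmt"
)

// Manifest is a constructed update-manifest layout, not WinGUp's real schema.
type Manifest struct {
	Version  string `xml:"Version"`
	Location string `xml:"Location"`
	SHA256   string `xml:"SHA256"`
}

// VerifyUpdate authenticates the raw bytes before parsing, then binds the installer to them.
func VerifyUpdate(pub ed25519.PublicKey, raw, sig, installer []byte) (*Manifest, error) {
	if !ed25519.Verify(pub, raw, sig) {
		return nil, fmt.Errorf("manifest signature invalid: discard the response")
	}
	var m Manifest
	if err := xml.Unmarshal(raw, &m); err != nil {
		return nil, fmt.Errorf("signed manifest is malformed: %w", err)
	}
	if fmt.Sprintf("%x", sha256.Sum256(installer)) != m.SHA256 {
		return nil, fmt.Errorf("installer digest does not match the signed manifest")
	}
	return &m, nil
}

// Sample returns a constructed public key, manifest and signature for the demo.
func Sample(installer []byte) (ed25519.PublicKey, []byte, []byte) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	raw := []byte(fmt.Sprintf("<Update><Version>1.0.1</Version><Location>https://updates.example.org/setup.exe</Location><SHA256>%x</SHA256></Update>", sha256.Sum256(installer)))
	return priv.Public().(ed25519.PublicKey), raw, ed25519.Sign(priv, raw)
}

func main() {
	installer := []byte("constructed installer bytes")
	pub, raw, sig := Sample(installer)
	_, err := VerifyUpdate(pub, raw, sig, installer)
	fmt.Println("genuine manifest:", err)
	// A response whose download URL was rewritten in transit fails the signature check.
	forged := bytes.Replace(raw, []byte("updates.example.org"), []byte("mirror.example.net"), 1)
	_, err = VerifyUpdate(pub, forged, sig, installer)
	fmt.Println("rewritten manifest:", err)
}
```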