The infrastructure that delivers official updates to the very popular text editor Notepad++ was compromised at the infrastructure level. A state-sponsored group of threat actors intercepted update traffic and rerouted select users to malicious servers, so those users downloaded poisoned executables.

According to Notepad++’s developer Don Ho, the attackers did not exploit vulnerabilities in the source code of the Notepad++ application; instead, they compromised the hosting provider and were thereby able to intercept and alter update traffic to notepad-plus-plus.org.
The attack also involved WinGUp, the updater used by Notepad++. Because its integrity and authentication checks were too weak, the attackers were able to trick the client into accepting the malicious binaries. The redirection to malicious servers was highly targeted and affected only certain users rather than the entire Notepad++ user base.
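To make the weakness concrete, the following added example (not WinGUp’s or Notepad++’s code; the manifest format, key pair and sample bytes are constructed here) contrasts an updater that trusts a hash delivered over the same channel as the binary with one that first verifies the manifest against a signing key pinned in the client. An attacker who controls the delivery path can rewrite both binary and hash, but cannot forge the publisher’s signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Manifest is published next to the binary: the version and the binary's SHA-256 (hex).
type Manifest struct{ Version, SHA256 string }

func (m Manifest) bytes() []byte { return []byte(m.Version + "\n" + m.SHA256) }

// Release is what the client receives over the (possibly hijacked) update channel.
type Release struct {
	Manifest  Manifest
	Signature []byte // publisher's Ed25519 signature over Manifest.bytes()
	Binary    []byte
}

func sha256Hex(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// weakVerify trusts a hash that travelled over the same channel as the binary;
// whoever can rewrite that channel can rewrite both, so the check proves nothing.
func weakVerify(r Release) bool { return sha256Hex(r.Binary) == r.Manifest.SHA256 }

// strongVerify first checks the manifest signature against a public key pinned
// in the client and only then compares the binary to the signed hash.
func strongVerify(pinned ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pinned, r.Manifest.bytes(), r.Signature) && weakVerify(r)
}

// publish builds a signed release as the legitimate publisher would.
func publish(priv ed25519.PrivateKey, version string, binary []byte) Release {
	m := Manifest{Version: version, SHA256: sha256Hex(binary)}
	return Release{Manifest: m, Signature: ed25519.Sign(priv, m.bytes()), Binary: binary}
}

// tamper models an attacker on the delivery path who swaps the binary and
// rewrites the hash but cannot produce a signature for the pinned key.
func tamper(r Release, evil []byte) Release {
	r.Binary, r.Manifest.SHA256 = evil, sha256Hex(evil)
	return r
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed publisher key pair
	good := publish(priv, "1.0.0", []byte("constructed sample installer"))
	bad := tamper(good, []byte("constructed sample tampered installer"))
	fmt.Println("weak accepts tampered:", weakVerify(bad))          // true
	fmt.Println("strong accepts tampered:", strongVerify(pub, bad)) // false
	fmt.Println("strong accepts genuine:", strongVerify(pub, good)) // true
}
```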
Kevin Beaumont, a well-known security researcher, indicated that the campaign came from China. It is believed the attackers had access to the internal hosting service through the end of December 2025, long after they had lost server-side access.
Notepad++ is one of the world’s most widely used open-source text editors. This incident is a textbook example of a “supply chain” attack, in which attackers compromise the third-party infrastructure (here, a hosting provider) that delivers the software rather than the software itself. After discovering the incident, the developers moved to a new hosting provider and are continuing their investigation.
This incident illustrates how trusted software becomes an attack vector when the infrastructure that delivers its updates is compromised. Users should only download updates from official sources and pay close attention to security advisories issued by the Notepad++ development team.