The Notepad++ maintainer revealed that nation-state hackers compromised the hosting provider’s infrastructure, redirecting update traffic to malicious servers. The attack did not exploit flaws in Notepad++ code but intercepted updates before they reached users.
“According to the analysis provided by the security experts, the attack involved infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org,” reads the advisory published by the software maintainers. “The exact technical mechanism remains under investigation, though the compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself. Traffic from certain targeted users was selectively redirected to attacker-controlled servers that served malicious update manifests.”
The incident began in June 2025 and was linked by multiple researchers to a likely Chinese state-sponsored group, based on its highly selective targeting. Attackers compromised a shared hosting server until September 2, 2025, and later used stolen internal credentials to redirect Notepad++ update traffic to malicious servers until December 2.
The hosting provider moved all affected customers to a new server, fixed the vulnerabilities that were abused, and rotated all credentials that may have been exposed.
After completing these actions, the provider reviewed system logs and confirmed there was no evidence of continued attacker access or malicious activity.
The security expert found the attack ended on November 10, 2025, while the hosting provider reported possible attacker access until December 2. Combining both assessments, the compromise likely lasted from June to December 2, 2025.
The maintainers apologized to affected users and moved the Notepad++ site to a more secure hosting provider. The updater was strengthened to verify installer certificates and signatures, with signed update data and stricter checks fully enforced in the upcoming v8.9.2 release.
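The hardening described above, a client that trusts only update data signed by the maintainer's key and ties the downloaded installer to that signed data, is the control that defeats a host-level redirect. The following is an added illustration, not Notepad++'s updater code or its real manifest format: it assumes a constructed JSON manifest (version, download URL, installer SHA-256) signed with Ed25519, a public key pinned inside the updater, and a placeholder download URL. A manifest served from a compromised host fails verification unless the attacker also holds the maintainer's private key, and a swapped installer fails the hash check even when the URL was redirected.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a constructed update-manifest layout for this example; it is
// not Notepad++'s real format. The signature covers Version, URL and SHA256.
type Manifest struct {
	Version   string `json:"version"`
	URL       string `json:"url"`
	SHA256    string `json:"sha256"`
	Signature []byte `json:"signature"`
}

// NewPublisherKey models the maintainer's signing key pair. In practice the
// private half lives offline, never on the web host that serves updates.
func NewPublisherKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signedPayload returns the bytes the signature is computed over. Newline
// separators keep field boundaries unambiguous.
func signedPayload(m Manifest) []byte {
	return []byte(m.Version + "\n" + m.URL + "\n" + m.SHA256 + "\n")
}

// BuildManifest computes the installer hash that the manifest commits to.
func BuildManifest(version, url string, installer []byte) Manifest {
	sum := sha256.Sum256(installer)
	return Manifest{Version: version, URL: url, SHA256: hex.EncodeToString(sum[:])}
}

// SignManifest is the publisher-side step performed before upload.
func SignManifest(priv ed25519.PrivateKey, m Manifest) Manifest {
	m.Signature = ed25519.Sign(priv, signedPayload(m))
	return m
}

// EncodeManifest serialises the manifest as it would be served over HTTP.
func EncodeManifest(m Manifest) ([]byte, error) { return json.Marshal(m) }

// ParseManifest decodes manifest bytes fetched from the update server.
func ParseManifest(data []byte) (Manifest, error) {
	var m Manifest
	if err := json.Unmarshal(data, &m); err != nil {
		return Manifest{}, fmt.Errorf("manifest is not valid JSON: %w", err)
	}
	return m, nil
}

// VerifyManifest is the client-side check against the pinned public key.
// Whoever controls the host cannot forge this without the private key.
func VerifyManifest(pub ed25519.PublicKey, m Manifest) error {
	if len(m.Signature) != ed25519.SignatureSize {
		return errors.New("manifest signature missing or malformed")
	}
	if !ed25519.Verify(pub, signedPayload(m), m.Signature) {
		return errors.New("manifest signature does not verify against pinned key")
	}
	return nil
}

// VerifyInstaller binds the downloaded bytes to the signed manifest, so a
// redirected download that returns a different binary is rejected.
func VerifyInstaller(m Manifest, installer []byte) error {
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || len(want) != sha256.Size {
		return errors.New("manifest sha256 field is malformed")
	}
	got := sha256.Sum256(installer)
	if !bytes.Equal(got[:], want) {
		return errors.New("installer hash does not match signed manifest")
	}
	return nil
}

func main() {
	pub, priv := NewPublisherKey()
	installer := []byte("constructed installer bytes") // stand-in for the real binary
	signed := SignManifest(priv, BuildManifest("8.9.2", "https://updates.example.invalid/npp.exe", installer))
	wire, _ := EncodeManifest(signed)
	// Client side: parse, verify signature, then verify the download.
	m, _ := ParseManifest(wire)
	fmt.Println("manifest:", VerifyManifest(pub, m))          // <nil>
	fmt.Println("installer:", VerifyInstaller(m, installer))  // <nil>
	m.URL = "https://attacker.example.invalid/npp.exe"        // host-level tampering
	fmt.Println("tampered manifest:", VerifyManifest(pub, m)) // error
}
```

The ordering matters: the signature is checked before any field of the manifest (including the URL) is acted on, and the hash is checked before the installer is executed, so a compromised host can at most cause a failed update, not a malicious one.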
“The security expert’s analysis indicates the attack ceased on November 10, 2025, while the hosting provider’s statement shows potential attacker access until December 2, 2025,” concludes the advisory. “Based on both assessments, I estimate the overall compromise period spanned from June through December 2, 2025, when all attacker access was definitively terminated.”
(SecurityAffairs – hacking, Notepad++)