The Notepad++ development team disclosed that its update infrastructure was compromised between June 2025 and early December 2025, according to a recent announcement on its official site. External security experts collaborated on the investigation, determining the attack involved an infrastructure compromise at the shared hosting provider level rather than a direct vulnerability in the Notepad++ source code.
Analysis suggests the threat actor selectively redirected update traffic for targeted users to attacker-controlled manifests, exploiting what were reportedly insufficient update verification controls in older versions of the software: a client that trusts whatever manifest the server returns will also trust the download location and checksum that manifest names. Multiple independent researchers have attributed the campaign, citing its highly selective targeting, to a Chinese state-sponsored group.
The former hosting provider confirmed that the specific shared server hosting notepad-plus-plus.org was compromised until September 2, 2025, when kernel and firmware updates seemingly cut off direct access. However, the attackers maintained credentials for internal services until December 2, 2025, enabling continued traffic redirection.
To resolve the incident, the developer facilitated communication between the incident response team and the provider, leading to a full remediation by December 2, 2025. The developer has since migrated the website to a new hosting provider featuring significantly enhanced security protocols.
Crucially, the Notepad++ updater, WinGup, received enhancements in version 8.8.9 to verify both the certificate and the signature of the downloaded installer. Furthermore, the update XML returned by the server is now signed using XMLDSig, so that a manifest served by a compromised or redirected host is rejected unless it carries a valid signature from the project's key; enforcement of that check is scheduled for the upcoming version 8.9.2 release.
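The contrast between the two update flows, as an added example that is not WinGup's or the Notepad++ project's code. The manifest schema (`update`, `version`, `url`, `sha256`), the key seeds, and the installer bytes are all constructed for this illustration; a detached Ed25519 signature stands in for both XMLDSig over the manifest and the certificate-plus-signature check on the installer, which in the real updater are Windows-specific. The point it makes is the one the article does: when the manifest is unsigned, whoever controls the manifest also controls the hash the installer is checked against, so a redirected client accepts the attacker's binary.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
)

// Manifest is a minimal update feed: version, download location and the
// installer's expected SHA-256. Field names are assumptions for this example.
type Manifest struct {
	XMLName xml.Name `xml:"update"`
	Version string   `xml:"version"`
	URL     string   `xml:"url"`
	SHA256  string   `xml:"sha256"`
}

// SignedUpdate is what the hardened client receives: manifest bytes plus a
// detached signature over exactly those bytes (stand-in for XMLDSig), and
// installer bytes plus a signature over them (stand-in for Authenticode).
type SignedUpdate struct {
	ManifestXML  []byte
	ManifestSig  []byte
	Installer    []byte
	InstallerSig []byte
}

func parseManifest(raw []byte) (Manifest, error) {
	var m Manifest
	if err := xml.Unmarshal(raw, &m); err != nil {
		return m, err
	}
	if m.URL == "" || m.SHA256 == "" {
		return m, errors.New("manifest missing url or sha256")
	}
	return m, nil
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// legacyAccepts models the weak flow: the manifest is trusted as soon as it
// parses, and the installer only has to match the hash that manifest names.
func legacyAccepts(manifestXML, installer []byte) bool {
	m, err := parseManifest(manifestXML)
	if err != nil {
		return false
	}
	return sha256Hex(installer) == m.SHA256
}

// hardenedAccepts verifies the manifest signature before trusting any field
// in it, then checks the installer against both the manifest hash and its own
// signature. Returns nil only when every check passes.
func hardenedAccepts(u SignedUpdate, manifestPub, installerPub ed25519.PublicKey) error {
	if !ed25519.Verify(manifestPub, u.ManifestXML, u.ManifestSig) {
		return errors.New("manifest signature invalid")
	}
	m, err := parseManifest(u.ManifestXML)
	if err != nil {
		return err
	}
	if sha256Hex(u.Installer) != m.SHA256 {
		return errors.New("installer hash does not match manifest")
	}
	if !ed25519.Verify(installerPub, u.Installer, u.InstallerSig) {
		return errors.New("installer signature invalid")
	}
	return nil
}

// seed derives a fixed 32-byte Ed25519 seed from a label so the scenario is
// reproducible. These keys are constructed for the example only.
func seed(label string) []byte { s := sha256.Sum256([]byte(label)); return s[:] }

var (
	vendorManifestKey  = ed25519.NewKeyFromSeed(seed("example vendor manifest key"))
	vendorInstallerKey = ed25519.NewKeyFromSeed(seed("example vendor installer key"))
	attackerKey        = ed25519.NewKeyFromSeed(seed("example attacker key"))
	vendorManifestPub  = vendorManifestKey.Public().(ed25519.PublicKey)
	vendorInstallerPub = vendorInstallerKey.Public().(ed25519.PublicKey)
)

func makeManifest(version, url string, installer []byte) []byte {
	return []byte(fmt.Sprintf("<update><version>%s</version><url>%s</url><sha256>%s</sha256></update>",
		version, url, sha256Hex(installer)))
}

// legitimateUpdate: manifest and installer both signed with the vendor keys.
func legitimateUpdate() SignedUpdate {
	inst := []byte("constructed stand-in for the genuine installer bytes")
	man := makeManifest("8.9.1", "https://example.invalid/npp.exe", inst)
	return SignedUpdate{man, ed25519.Sign(vendorManifestKey, man), inst, ed25519.Sign(vendorInstallerKey, inst)}
}

// redirectedUpdate: the attacker's manifest names the attacker's binary and
// is signed only with a key the vendor never published.
func redirectedUpdate() SignedUpdate {
	inst := []byte("constructed stand-in for a trojanised installer")
	man := makeManifest("8.9.1", "https://attacker.invalid/npp.exe", inst)
	return SignedUpdate{man, ed25519.Sign(attackerKey, man), inst, ed25519.Sign(attackerKey, inst)}
}

func main() {
	for name, u := range map[string]SignedUpdate{"legitimate": legitimateUpdate(), "redirected": redirectedUpdate()} {
		fmt.Printf("%-10s legacy accepts=%v hardened err=%v\n", name,
			legacyAccepts(u.ManifestXML, u.Installer), hardenedAccepts(u, vendorManifestPub, vendorInstallerPub))
	}
}
```

Note the order of checks in `hardenedAccepts`: the signature is verified over the raw manifest bytes before the XML is parsed, so a forged manifest never reaches the parser or influences which hash the installer is compared against. Real XMLDSig adds canonicalisation and embeds the signature in the document, which is more machinery but the same trust decision.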
While the developer initially lacked concrete Indicators of Compromise (IoCs) after analyzing 400 GB of logs, subsequent reports from Rapid7 and Kaspersky provided more tangible technical details regarding the supply chain attack. The developer strongly advises users to manually update to version 8.9.1 to immediately benefit from the enhanced security measures.
This incident underscores the persistent threat of supply chain attacks targeting widely used open-source utilities, even when the core application code remains unexploited. The rapid response and subsequent hardening of the update mechanism serve as a critical case study in post-compromise mitigation for widely deployed software.