Notepad++, a popular text editor, has disclosed a sophisticated supply chain attack on its update system that lasted about six months, from June to December 2025. It is one of the more serious security breaches to hit widely used open-source software in some time.
This was not just a website hack or a vulnerability in the editor's own code. The attackers compromised Notepad++'s shared hosting provider at the infrastructure level. That allowed them to intercept update requests destined for notepad-plus-plus.org and redirect them to attacker-controlled servers, which answered with a malicious update response pointing at compromised installers instead of the genuine one.
What is particularly worrisome about this attack is the precision with which it was carried out. Rather than compromising every user who checked for updates, the attackers chose to target specific individuals.
Several independent security researchers have assessed that the threat actor is likely a Chinese state-sponsored group, which would account for the selectivity seen in this attack. The hosting provider has stated that the attackers specifically searched for the Notepad++ domain, presumably because they knew of the insufficient update verification controls in older versions of the software.
How the Notepad++ Attack Unfolded
Analysis of the timeline of the compromise shows a complex and multi-step attack. The shared hosting server was compromised at some point around June 2025.
Notably, a maintenance update on September 2, 2025, which covered kernel and firmware updates, seems to have removed the attackers from the server.
However, they had already obtained credentials for the hosting provider's internal services, which let them keep redirecting traffic to their own servers until December 2, 2025.
So although the attackers had lost their foothold on the server, they could continue the operation for another three months, intercepting traffic to the Notepad++ update URL and redirecting it to attacker-controlled infrastructure that hosted the compromised software packages.
The investigation by the hosting service showed that no other client on the same shared server was affected, which underscores how targeted the attack on Notepad++ was. The attackers were also observed attempting to re-exploit one of the vulnerabilities after it had been patched; that attempt failed.
The Response and Remediation
Once the breach was identified and understood, remediation was carried out on several fronts. The hosting company rotated all credentials that may have been exposed and fixed the vulnerabilities that had been used to target Notepad++. Its remediation and hardening work was completed by December 2, 2025, and no further malicious activity was observed after that date.
In addition to the hosting company's remediation, major changes have been made to the Notepad++ application itself. Its update component, WinGup, received significant security hardening in version 8.8.9: it now verifies both the certificate and the signature of downloaded installers before running them. Furthermore, the XML returned by the update server is now digitally signed using XMLDSig, and verification of that certificate and signature will be enforced starting with the upcoming version 8.9.2.
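The redirection described earlier and the verification added in 8.8.9 are two sides of one threat model: the attacker controls the path between the user and the update endpoint, but not the project's signing key. The following Go program is an added illustration, not WinGup's code, and it does not reproduce WinGup's XML layout, its XMLDSig envelope or its certificate checks; it models a minimal signed manifest, a client with a pinned publisher key, and the three cases a hardened updater must get right. The manifest fields, the URLs (updates.example, attacker.example) and the installer bytes are constructed for the demonstration, and Ed25519 stands in for whatever key material the real client validates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
)

// Manifest is a constructed stand-in for the update response served by
// getDownloadUrl.php; the real WinGup XML and XMLDSig envelope are not reproduced.
type Manifest struct {
	XMLName  xml.Name `xml:"GUP"`
	Version  string   `xml:"Version"`
	Location string   `xml:"Location"` // where the client downloads the installer
	SHA256   string   `xml:"SHA256"`   // hex digest the downloaded installer must match
}

// SignedManifest is the serialized manifest plus a detached Ed25519 signature over
// those exact bytes (XMLDSig embeds the signature instead; the trust decision is the same).
type SignedManifest struct {
	Body, Sig []byte
}

// Publisher holds the signing key, which belongs on the maintainer's machine and
// never on the web host: a compromised host can then only serve what it was given.
type Publisher struct{ priv ed25519.PrivateKey }

func NewPublisher() (Publisher, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable entropy: nothing sensible to do but stop
	}
	return Publisher{priv}, pub
}

func (p Publisher) Sign(m Manifest) (SignedManifest, error) {
	body, err := xml.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Body: body, Sig: ed25519.Sign(p.priv, body)}, nil
}

// DigestHex computes the installer hash the manifest pins.
func DigestHex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// VerifyUpdate is the client side. pinnedKey is compiled into the application, so
// nothing a hijacked update server returns can change it; a rewritten or replayed
// response is rejected here before any installer is executed.
func VerifyUpdate(pinnedKey ed25519.PublicKey, sm SignedManifest, installer []byte) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pinnedKey, sm.Body, sm.Sig) {
		return m, errors.New("manifest signature does not verify against the pinned key")
	}
	// Parse only after the signature checks out, so unauthenticated XML is never interpreted.
	if err := xml.Unmarshal(sm.Body, &m); err != nil {
		return m, err
	}
	if DigestHex(installer) != m.SHA256 {
		return m, errors.New("installer hash does not match the signed manifest")
	}
	return m, nil
}

// Outcome records the client's decision for each case in Scenario (nil means accepted).
type Outcome struct{ Genuine, Hijacked, Swapped error }

// Scenario replays the attack shape from the article against a verifying client:
// a genuine update, a manifest rewritten by whoever controls the traffic, and a
// genuine manifest whose installer was swapped at download time.
func Scenario() (Outcome, error) {
	publisher, pinned := NewPublisher()
	genuine := []byte("constructed bytes standing in for the real installer")
	trojan := []byte("constructed bytes standing in for a trojanized installer")
	signed, err := publisher.Sign(Manifest{Version: "8.8.9",
		Location: "https://updates.example/npp.exe", SHA256: DigestHex(genuine)})
	if err != nil {
		return Outcome{}, err
	}
	// The attacker owns the traffic path, not the publisher's key, so the best they
	// can do is sign a rewritten manifest with a key of their own.
	attacker, _ := NewPublisher()
	hijacked, err := attacker.Sign(Manifest{Version: "8.8.9",
		Location: "https://attacker.example/npp.exe", SHA256: DigestHex(trojan)})
	if err != nil {
		return Outcome{}, err
	}
	var o Outcome
	_, o.Genuine = VerifyUpdate(pinned, signed, genuine)
	_, o.Hijacked = VerifyUpdate(pinned, hijacked, trojan)
	_, o.Swapped = VerifyUpdate(pinned, signed, trojan) // old manifest replayed, download swapped
	return o, nil
}

func main() {
	o, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine update:   ", o.Genuine)
	fmt.Println("hijacked manifest:", o.Hijacked)
	fmt.Println("swapped installer:", o.Swapped)
}
```

Two design points carry over to any real updater. The verification key is pinned in the binary and never fetched from the update server, so compromising the hosting path gains nothing without the signing key. And the manifest is parsed only after its signature verifies, and the installer is hashed against the signed manifest rather than trusted because it came from the listed URL, so a replayed genuine manifest with a swapped download is rejected as firmly as a rewritten one.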
Notepad++ has since moved its website to a new hosting company with much-improved security practices, abandoning the shared hosting environment that was compromised.
Results of Incident Response and Required Actions for Notepad++ Infrastructure
Dear Customer,
We want to further update you following the previous communication with us about your server compromise and further investigation with your incident response team.
We discovered the suspicious events in our logs, which indicate that the server (where your application https://notepad-plus-plus.org/update/getDownloadUrl.php was hosted until the 1st of December, 2025) could have been compromised.
As a precautionary measure, we immediately transferred all clients’ web hosting subscriptions from this server to a new server and continued our further investigation.
Here are the key finding points:
- The shared hosting server in question was compromised until the 2nd of September, 2025. On this particular date, the server had scheduled maintenance where the kernel and firmware were updated. After this date, we could not identify any similar patterns in logs, and this indicates that bad actors have lost access to the server. We also find no evidence of similar patterns on any other shared hosting servers.
- Even though the bad actors have lost access to the server from the 2nd of September, 2025, they maintained the credentials of our internal services existing on that server until the 2nd of December, which could have allowed the malicious actors to redirect some of the traffic going to https://notepad-plus-plus.org/getDownloadUrl.php to their own servers and return the updates download URL with compromised updates.
- Based on our logs, we see no other clients hosted on this particular server being targeted. The bad actors specifically searched for https://notepad-plus-plus.org/ domain with the goal to intercept the traffic to your website, as they might know the then-existing Notepad++ vulnerabilities related to insufficient update verification controls.
- After concluding our research, the investigated security findings were no longer observed in the web hosting systems from the 2nd of December, 2025, and onwards, as:
  - We have fixed vulnerabilities, which could have been used to target Notepad++. In particular, we do have logs indicating that the bad actor tried to re-exploit one of the fixed vulnerabilities; however, the attempt did not succeed after the fix was implemented.
  - We have rotated all the credentials that bad actors could have obtained until the 2nd of September, 2025.
  - We have checked the logs for similar patterns in all web hosting servers and couldn’t find any evidence of systems being compromised, exploited in a similar way, or data breached.
While we have rotated all the secrets on our end, below you will find the preventive actions you should take to maximize your security. However, if the following actions have been done after the 2nd of December, 2025, no actions are needed from your side.
- Change credentials for SSH, FTP/SFTP, and MySQL database.
- Review administrator accounts for your WordPress sites (if you have any), change their passwords, and remove unnecessary users.
- Update your WordPress sites (if you have any) plugins, themes, and core version, and turn on automatic updates, if applicable.
We appreciate your cooperation and understanding. Please let us know if you have any questions.
What Users Should Do
This incident is a sobering reminder of the level of threat that open-source projects now face, and of the need for strong security practices across the entire software supply chain, from code development through hosting infrastructure to the update mechanism itself.