Notepad++ hit by Chinese state-sponsored group, injecting malware into updates


For months, hackers abused hijacked Notepad++ update infrastructure to infect selected users with malicious packages. The investigation reveals a hosting-level compromise and the likely involvement of a Chinese state-sponsored group.

Notepad++ is a popular text and source code editor. Cybernews earlier reported on hackers hijacking the app’s update infrastructure to push compromised executables to some users.

A new report by the creator and maintainer, Don Ho, unveils that the breach occurred “at the hosting provider level rather than through vulnerabilities in Notepad++ code itself.”

“Traffic from certain targeted users was selectively redirected to attacker-controlled served malicious update manifests,” Notepad++ explains in the new advisory.

Attackers were highly selective when targeting the users. The espionage campaign lasted for months, with attackers having access from June through December 2nd, 2025.

The hackers first compromised the shared hosting server used by many clients, including Notepad++, to deliver updates. The attackers lost access to it on September 2nd, 2025, when the server’s kernel was updated during scheduled maintenance.

However, the attackers maintained credentials to the hosting provider’s internal services on that server and were able to continue malicious activity for a few more months.

“Multiple independent security researchers have assessed that the threat actor is likely a Chinese state-sponsored group,” Ho noted.

“The attackers specifically targeted Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++.”

The Notepad++ creator said the project has migrated to a new hosting provider “with significantly stronger security practices.”

The updater (WinGup) was also enhanced in v8.8.9 to verify both the certificate and the signature of the downloaded installer.

Moreover, Ho plans to introduce an additional security measure with an upcoming v8.9.2, expected in about one month.

“The XML returned by the update server is now signed (XMLDSig), and the certificate and signature verification will be enforced,” Ho explained.
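To illustrate the two checks described above, here is an added Go example (not WinGup's or Notepad++'s code): the publisher signs the manifest with a key that never lives on the web host, the client rejects any manifest whose signature does not validate against the key pinned in the updater, and then rejects any installer whose digest does not match the verified manifest. It substitutes Ed25519 and a plain-text manifest for XMLDSig, X.509 certificates and Authenticode; the manifest layout, URLs and installer bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest stands in for the XML the update server returns (constructed layout,
// not Notepad++'s real schema): current version, download URL, installer SHA-256.
type Manifest struct{ Version, URL, SHA256 string }
// bytes is the canonical form that is signed; covering URL and digest defeats a
// hijacked server that rewrites them to point clients at a different file.
func (m Manifest) bytes() []byte {
	return []byte(m.Version + "\n" + m.URL + "\n" + m.SHA256 + "\n")
}
// SignManifest runs on the publisher's side; the key never lives on the web host.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.bytes())
}
// VerifyManifest is the client gate: trust nothing in the manifest until the
// signature validates against the publisher key pinned inside the updater.
func VerifyManifest(pub ed25519.PublicKey, m Manifest, sig []byte) error {
	if !ed25519.Verify(pub, m.bytes(), sig) {
		return errors.New("manifest signature invalid: ignoring update")
	}
	return nil
}
// VerifyInstaller checks the download against the digest in the verified manifest.
func VerifyInstaller(m Manifest, installer []byte) error {
	if sum := sha256.Sum256(installer); hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("installer digest mismatch: refusing to run it")
	}
	return nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	installer := []byte("constructed installer bytes")
	sum := sha256.Sum256(installer)
	m := Manifest{"8.8.9", "https://example.invalid/npp.exe", hex.EncodeToString(sum[:])}
	sig := SignManifest(priv, m)
	fmt.Println("genuine:", VerifyManifest(pub, m, sig), VerifyInstaller(m, installer))
	evil := m // a hijacked server can rewrite the URL but cannot re-sign it
	evil.URL = "https://attacker.invalid/npp.exe"
	fmt.Println("tampered:", VerifyManifest(pub, evil, sig))
}
```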

“I deeply apologize to all users affected by this hijacking.”

Notepad++ did not disclose which hosting provider’s infrastructure was compromised during the incident. According to the letter shared by Ho, the hosting provider claims to have fixed the vulnerabilities and rotated all the credentials that the hackers could have obtained.

“We have checked the logs for similar patterns in all web hosting servers and couldn’t find any evidence of systems being compromised, exploited in a similar way, or data breached,” the hosting provider said in a letter.

The exact technical mechanism used by attackers to intercept and redirect update traffic destined for the app also remains under investigation.
