Administrators of Notepad++ have revealed that state-sponsored attackers have hijacked the utility’s update mechanism and instead redirected update traffic to a malicious server.
“This attack [an] “This resulted in an infrastructure-level compromise that allowed a malicious attacker to intercept and redirect update traffic destined for notepad-plus-plus.org. This compromise occurred at the hosting provider level, rather than through a vulnerability in the Notepad++ code itself,” said developer Don Ho.
The exact mechanism by which this was achieved is currently under investigation, Ho added.
The development comes a little more than a month after Notepad++ released version 8.8.9 to address an issue where traffic from WinGUp, a Notepad++ updater, was “occasionally” redirected to malicious domains and downloaded tainted executables.
Specifically, the issue stemmed from the way the updater verified the integrity and authenticity of downloaded update files, allowing an attacker who was able to intercept network traffic between the updater client and the update server to trick the tool into downloading a different binary instead.
It is believed that this redirect was highly targeted, with traffic originating only from a specific user being routed to a rogue server to retrieve the malicious component. The incident is estimated to have begun in June 2025, more than half a year before it was discovered.
Independent security researcher Kevin Beaumont revealed that this flaw was being exploited by Chinese attackers to hijack networks and trick targets into downloading malware. In response to a security incident, the Notepad++ website has been migrated to a new hosting provider.
“According to the former hosting provider, the shared hosting server was compromised until September 2, 2025,” Ho explained. “Even after losing access to the server, the attackers retained credentials to internal services until December 2, 2025, allowing them to continue redirecting Notepad++ update traffic to the malicious server.”
Source link
