Notepad++ update feature hijacked by Chinese state hackers for months

Chinese State Hackers Hijack Notepad++ Updates for Months in Targeted Cyber Espionage Campaign

In a shocking revelation that has sent ripples through the cybersecurity community, popular text editor Notepad++ has confirmed that its update system was compromised by suspected Chinese state-sponsored hackers for nearly half a year. The breach, which began in June 2025, allowed attackers to intercept update requests and serve malicious payloads to a select group of users, raising serious concerns about supply chain security and the vulnerabilities lurking in widely-used software tools.

Notepad++, a free and open-source text and source code editor with tens of millions of users worldwide, disclosed the incident in an official announcement today. According to the developer, the attackers exploited a critical security gap in the software’s update verification controls, enabling them to hijack update traffic and redirect specific users to their own infrastructure.

The breach was first detected in December 2025, when Notepad++ released version 8.8.9 to address the security flaw. However, the developer now reveals that the attack had been ongoing for months, with the attackers maintaining access even after temporary disruptions. The incident highlights the sophistication and persistence of state-sponsored cyber operations, as well as the challenges of securing software supply chains.

How the Attack Unfolded

The attackers began their campaign in June 2025 by compromising a hosting provider responsible for Notepad++’s update application. This allowed them to intercept and selectively redirect update requests from certain users to malicious servers. The attackers exploited insufficient update verification controls in older versions of Notepad++, serving tampered update manifests that could have delivered malware to unsuspecting victims.

Security researcher Kevin Beaumont had previously warned that at least three organizations were affected by these update hijacks, which were followed by hands-on reconnaissance activity on their networks. This suggests that the attackers were not only interested in delivering malware but also in gathering intelligence and potentially expanding their foothold within targeted organizations.

The breach was not continuous, however. In early September 2025, the attackers temporarily lost access when the server’s kernel and firmware were updated. But they quickly regained control by using previously obtained internal service credentials that had not been changed. This persistence underscores the importance of regular credential rotation and robust access controls in preventing prolonged breaches.

The hosting provider finally detected the breach and terminated the attacker’s access on December 2, 2025. By then, the attackers had maintained access for nearly six months, during which they could have exfiltrated sensitive data, installed backdoors, or conducted further reconnaissance.

The Scope and Targeting of the Attack

Notepad++ emphasized that the attack was highly selective, targeting specific users rather than launching a broad, indiscriminate campaign. Multiple independent security researchers have assessed that the threat actor is likely a Chinese state-sponsored group, which would explain the narrow targeting observed during the campaign.

The attackers specifically focused on the Notepad++ domain, exploiting the update verification vulnerabilities to deliver their malicious payloads. This level of precision suggests that the attackers had specific objectives, possibly related to espionage or intellectual property theft, rather than a desire to cause widespread disruption.

Steps Taken to Mitigate the Threat

In response to the breach, Notepad++ has taken several critical steps to secure its platform and protect its users. The developer has migrated all clients to a new hosting provider with stronger security measures, rotated all credentials that could have been stolen by the attackers, and fixed the exploited vulnerabilities. Additionally, the team has thoroughly analyzed logs to confirm that the malicious activity has stopped.

Starting with version 8.8.9, Notepad++’s WinGup update tool now verifies installer certificates and signatures, and the update XML is cryptographically signed. The developer also plans to enforce mandatory certificate signature verification in version 8.9.2, which is expected to be released in about a month. These measures significantly enhance the security of the update process and make it much harder for attackers to compromise the system in the future.

What Users Should Do

Notepad++ has urged its users to take immediate action to strengthen their security. The developer recommends the following steps:

• Change credentials for SSH, FTP/SFTP, and MySQL.
• Review WordPress admin accounts, reset passwords, and remove unnecessary users.
• Update WordPress core, plugins, and themes, and enable automatic updates if applicable.

These measures are designed to mitigate the risk of further compromise and ensure that users’ systems remain secure.

The Broader Implications

The Notepad++ breach is a stark reminder of the vulnerabilities that exist in software supply chains and the potential for state-sponsored actors to exploit them. Supply chain attacks have become an increasingly popular tactic among cybercriminals and nation-state actors, as they allow attackers to compromise multiple targets through a single point of entry.

The incident also highlights the importance of robust security practices, such as regular credential rotation, cryptographic signing of updates, and thorough log analysis. Organizations and developers must remain vigilant and proactive in identifying and addressing potential vulnerabilities before they can be exploited.

Conclusion

The Notepad++ breach is a wake-up call for the tech industry and users alike. It underscores the need for continuous improvement in cybersecurity practices and the importance of staying ahead of increasingly sophisticated threat actors. As Notepad++ works to secure its platform and prevent future incidents, users must also take responsibility for their own security by following best practices and staying informed about potential threats.

In a world where software is integral to nearly every aspect of our lives, the stakes have never been higher. The Notepad++ incident serves as a sobering reminder that even the most trusted tools can be compromised, and that vigilance and proactive security measures are essential in safeguarding our digital lives.

Tags & Viral Phrases:
Notepad++ hacked, Chinese state hackers, supply chain attack, cybersecurity breach, update hijacking, state-sponsored espionage, software vulnerability, WinGup update tool, malicious updates, targeted cyber attack, Notepad++ security flaw, Kevin Beaumont warning, cyber espionage campaign, software supply chain, Notepad++ incident, update verification controls, cryptographic signing, credential rotation, WordPress security, IT infrastructure security, nation-state hackers, software compromise, digital security, cybersecurity best practices, threat actor, malicious payload, hands-on reconnaissance, hosting provider breach, software update hijacking, Notepad++ users affected, cyber threat landscape, software security, update traffic interception, targeted attack, Chinese hackers, Notepad++ breach details, cybersecurity incident, software vulnerability exploited, update system compromise, Notepad++ security update, cyber attack prevention, software supply chain security, Notepad++ users warned, cybersecurity measures, software update security, Notepad++ vulnerability fix, cyber attack response, software security practices, Notepad++ security patch, cyber threat mitigation, software update verification, Notepad++ security breach, cyber attack analysis, software security enhancement, Notepad++ incident response, cyber attack investigation, software security update, Notepad++ user protection, cyber attack prevention measures, software security protocols, Notepad++ security measures, cyber attack detection, software security improvements, Notepad++ user guidance, cyber attack resolution, software security standards, Notepad++ security recommendations, cyber attack aftermath, software security compliance, Notepad++ security advisory, cyber attack lessons learned, software security awareness, Notepad++ security best practices, cyber attack impact, software security framework, Notepad++ security roadmap, cyber attack trends, software security evolution, Notepad++ security strategy, cyber attack preparedness, software security innovation, Notepad++ security future, cyber attack resilience, software security transformation, Notepad++ security commitment, cyber attack readiness, software security leadership, Notepad++ security vision, cyber attack defense, software security excellence, Notepad++ security mission, cyber attack protection, software security expertise, Notepad++ security goals, cyber attack mitigation, software security solutions, Notepad++ security achievements, cyber attack management, software security insights, Notepad++ security progress, cyber attack monitoring, software security trends, Notepad++ security updates, cyber attack intelligence, software security research, Notepad++ security collaboration, cyber attack collaboration, software security community, Notepad++ security partnership, cyber attack partnership, software security alliance, Notepad++ security alliance, cyber attack alliance, software security network, Notepad++ security network, cyber attack network, software security ecosystem, Notepad++ security ecosystem, cyber attack ecosystem, software security innovation, Notepad++ security innovation, cyber attack innovation, software security transformation, Notepad++ security transformation, cyber attack transformation, software security leadership, Notepad++ security leadership, cyber attack leadership, software security excellence, Notepad++ security excellence, cyber attack excellence, software security mission, Notepad++ security mission, cyber attack mission, software security vision, Notepad++ security vision, cyber attack vision, software security goals, Notepad++ security goals, cyber attack goals, software security achievements, Notepad++ security achievements, cyber attack achievements, software security progress, Notepad++ security progress, cyber attack progress, software security updates, Notepad++ security updates, cyber attack updates, software security insights, Notepad++ security insights, cyber attack insights, software security research, Notepad++ security research, cyber attack research, software security collaboration, Notepad++ security collaboration, cyber attack collaboration, software security partnership, Notepad++ security partnership, cyber attack partnership, software security alliance, Notepad++ security alliance, cyber attack alliance, software security network, Notepad++ security network, cyber attack network, software security ecosystem, Notepad++ security ecosystem, cyber attack ecosystem.

,