The official update infrastructure of Notepad++ was compromised in a highly targeted cyber operation, resulting in malware being delivered to select users. The project’s lead developer, Don Ho, confirmed that the incident was caused by a hosting-level breach rather than a flaw in the Notepad++ source code itself.
According to Ho, attackers gained control at the infrastructure layer, allowing them to intercept legitimate update requests and silently reroute them to malicious servers. This manipulation caused affected users to unknowingly download tampered update files instead of authentic releases.
Investigations into the exact technical method used to carry out the redirection are still ongoing. However, early findings indicate that the compromise did not originate from vulnerabilities within the application’s codebase.
The disclosure follows the release of Notepad++ version 8.8.9, which addressed irregular behavior in WinGUp, the built-in update utility. Prior to the fix, some update requests were sporadically redirected to hostile domains, leading to the download of poisoned executables.
The root cause was traced to weaknesses in how the updater validated the authenticity and integrity of downloaded files. This gap allowed attackers capable of intercepting network traffic to substitute legitimate binaries with malicious ones.
Security analysts believe the operation was not widespread but carefully targeted. Only traffic from specific users was diverted, suggesting a selective attack strategy. Evidence indicates that the malicious activity began in June 2025, remaining undetected for more than six months.
Independent researcher Kevin Beaumont reported that the vulnerability was exploited by China-based threat actors to infiltrate networks and trick victims into installing malware. The campaign has been linked to a nation-state group known as Violet Typhoon, also referred to as APT31. Targeted sectors reportedly included telecommunications and financial services organizations across East Asia.
In response, the Notepad++ team migrated the official website to a new hosting provider with stronger security controls. Additional protections were also added to the update mechanism to prevent similar integrity bypass attempts in the future.
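The validation gap described earlier (an updater that did not adequately check the authenticity and integrity of what it downloaded) and the kind of protection the team says it has now added can be illustrated with a small Go program. This is an added example, not WinGUp's code or anything from the Notepad++ project; it assumes a release manifest format (version, file name, SHA-256) and an Ed25519 release key that the client pins at build time, all of which are constructed here. It shows why a compromised host cannot forge a valid update: the attacker can redirect the download and even publish a manifest of their own, but cannot sign it with the key the client trusts.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Manifest is what the update server publishes next to each release
// (assumed format for this example): version, file name and the SHA-256
// of the installer. It is signed offline with the project's release key,
// which never lives on the web host that serves the files.
type Manifest struct {
	Version string
	File    string
	SHA256  string
}

// canonical is the exact byte string that gets signed and verified.
func (m Manifest) canonical() []byte {
	return []byte(m.Version + "\n" + m.File + "\n" + m.SHA256 + "\n")
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned release key")
	ErrHashMismatch = errors.New("downloaded file hash does not match the signed manifest")
)

// SignManifest is the publisher side: run at release time with the private key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.canonical())
}

// VerifyUpdate is the client side. pinnedPub is compiled into the updater;
// the manifest, signature and payload all arrive over the (possibly hijacked)
// network and are trusted only after both checks pass.
func VerifyUpdate(pinnedPub ed25519.PublicKey, m Manifest, sig, payload []byte) error {
	// Authenticity: the manifest must carry a signature from the release key.
	if !ed25519.Verify(pinnedPub, m.canonical(), sig) {
		return ErrBadSignature
	}
	// Integrity: the bytes actually downloaded must match the signed digest.
	sum := sha256.Sum256(payload)
	if !strings.EqualFold(hex.EncodeToString(sum[:]), m.SHA256) {
		return ErrHashMismatch
	}
	return nil
}

// NewRelease builds a constructed release: a fresh release key pair, the
// manifest for payload, and its signature. Returns the public key the client
// would pin plus the artefacts the server publishes.
func NewRelease(version string, payload []byte) (ed25519.PublicKey, Manifest, []byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, Manifest{}, nil, err
	}
	sum := sha256.Sum256(payload)
	m := Manifest{Version: version, File: "installer.exe", SHA256: hex.EncodeToString(sum[:])}
	return pub, m, SignManifest(priv, m), nil
}

// RunScenario replays one of three download outcomes against a genuine
// pinned key. Payload bytes are constructed stand-ins for real installers.
func RunScenario(kind string) error {
	genuine := []byte("constructed: genuine installer bytes")
	pub, m, sig, err := NewRelease("8.8.9", genuine)
	if err != nil {
		return err
	}
	tampered := []byte("constructed: trojanised installer bytes")
	switch kind {
	case "genuine":
		return VerifyUpdate(pub, m, sig, genuine)
	case "swapped-binary":
		// Hijacked host serves a different executable under the real manifest.
		return VerifyUpdate(pub, m, sig, tampered)
	case "attacker-manifest":
		// Hijacked host also serves a matching manifest signed with its own key.
		_, em, esig, err := NewRelease("8.8.9", tampered)
		if err != nil {
			return err
		}
		return VerifyUpdate(pub, em, esig, tampered)
	}
	return errors.New("unknown scenario: " + kind)
}

func main() {
	for _, k := range []string{"genuine", "swapped-binary", "attacker-manifest"} {
		fmt.Printf("%-18s -> %v\n", k, RunScenario(k))
	}
}
```

The important design point is where the trust root lives: the public key is pinned inside the updater, so nothing fetched from the hosting provider can change it, and the hash comparison closes the window in which a redirected request substitutes a different binary for one the signed manifest describes. An updater that only checked the download URL or TLS hostname would pass both tampered scenarios above.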
Ho further revealed that the former hosting environment had been compromised until September 2, 2025. Even after access to the server was revoked, attackers retained credentials to internal systems until December 2, 2025, enabling continued redirection of update traffic.
The incident highlights the growing risk of supply chain attacks, especially those leveraging trusted software update channels to distribute malware covertly.