Notepad++ Update Servers Hacked: Users Directed to Malicious Sites; New Security Measures Introduced

Notepad++ Update Servers Compromised: Users Redirected to Malicious Sites

In a recent cybersecurity incident, the widely used text editor Notepad++ fell victim to a sophisticated attack that compromised its update servers. Between June and December 2025, attackers infiltrated the project’s shared hosting infrastructure, enabling them to intercept and redirect update requests to malicious servers. The breach exploited weaknesses in the software’s update validation process and affected versions prior to 8.8.9.

Details of the Breach

Forensic analyses by independent security experts and the former hosting provider revealed that the attackers gained access at the infrastructure level, rather than through the Notepad++ codebase. By compromising the shared hosting server, they could intercept requests directed to `notepad-plus-plus.org`. The primary target was the `getDownloadUrl.php` script, which the application’s updater uses to fetch download URLs. By controlling this endpoint, the attackers selectively redirected certain users to servers under their control, serving malicious binaries instead of legitimate updates.

This method was particularly effective because older versions of the updater, known as WinGUp, did not rigorously enforce certificate and signature validation for downloaded installers. This oversight allowed the malicious payloads to be delivered and executed without raising immediate alarms.

Attribution and Timeline

Multiple independent security researchers have attributed this campaign to a likely Chinese state-sponsored group. The attack was highly selective, focusing on specific users rather than executing a broad supply-chain infection.

The timeline of the compromise is as follows:

– June 2025: Attackers initially gained access to the shared hosting server.

– September 2, 2025: A scheduled maintenance update by the hosting provider inadvertently severed the attackers’ direct access to the server.

– September 2 – December 2, 2025: Despite losing direct server control, the attackers maintained access through stolen internal service credentials, allowing continued redirection of update traffic.

– November 10, 2025: The active attack campaign appeared to cease around this date.

– December 2, 2025: The hosting provider rotated all credentials and implemented security hardening measures, effectively blocking the attackers.

– December 9, 2025: Notepad++ version 8.8.9 was released, introducing enhanced update verification mechanisms.

Response and Mitigation

In response to the incident, the Notepad++ team migrated their website to a new hosting provider with improved security protocols. To prevent similar hijacking attempts, version 8.8.9 introduced strict validation within WinGUp. This update requires both a valid digital signature and a matching certificate for any downloaded installer. If these verifications fail, the update process is automatically aborted, thereby mitigating the risk of malicious updates.
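The check that the 8.8.9 policy amounts to, written here as an added PowerShell example for a defender vetting a downloaded installer before running it (it is not WinGUp’s own code); the thumbprint is a placeholder, to be replaced with the publisher certificate you have verified out of band:

```powershell
# Added example, not Notepad++/WinGUp code: refuse to run an installer unless it carries
# a valid Authenticode signature AND the signer matches a pinned certificate.
# The thumbprint below is a PLACEHOLDER, not the real Notepad++ signing certificate.
param(
    [Parameter(Mandatory = $true)][string]$InstallerPath,
    # Placeholder: SHA-1 thumbprint of the publisher certificate you trust, verified out of band.
    [string]$ExpectedThumbprint = 'PLACEHOLDER_PINNED_THUMBPRINT'
)

$sig = Get-AuthenticodeSignature -FilePath $InstallerPath

# Step 1: the file must be signed, untampered (hash matches) and chained to a trusted root.
# Anything other than 'Valid' (NotSigned, HashMismatch, NotTrusted, ...) aborts the update.
if ($sig.Status -ne 'Valid') {
    Write-Error "Aborting: signature status is '$($sig.Status)' ($($sig.StatusMessage))"
    exit 1
}

# Step 2: a valid signature alone is not enough, since any code-signing certificate produces one.
# The signer must be the pinned publisher; this is the "matching certificate" half of the policy.
$actual = $sig.SignerCertificate.Thumbprint
if ($actual -ne $ExpectedThumbprint) {
    Write-Error "Aborting: signer thumbprint $actual does not match pinned $ExpectedThumbprint"
    Write-Error "Signer subject: $($sig.SignerCertificate.Subject)"
    exit 1
}

Write-Output "OK: $InstallerPath is signed by the expected publisher; safe to run."
exit 0
```

Run it as `.\Verify-Installer.ps1 -InstallerPath .\npp-installer.exe` before launching the installer; a non-zero exit means the file should be discarded, not executed.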

Looking ahead, the Notepad++ project plans to implement the XMLDSig (XML Digital Signature) standard for update manifests. This enhancement will ensure that the XML data returned by the update server is cryptographically signed, preventing tampering with download URLs. This feature is scheduled for enforcement in version 8.9.2, expected to be released within the next month.

Implications for Users

This incident underscores the importance of robust security measures in software update mechanisms. Users are advised to ensure they are running the latest version of Notepad++ to benefit from the enhanced security features. Additionally, it’s crucial to download software updates only from official sources and to verify the authenticity of update packages.

The targeted nature of this attack highlights the evolving tactics of state-sponsored threat actors, emphasizing the need for continuous vigilance and proactive security practices among both developers and end-users.