- Notepad++ targeted in sophisticated supply-chain attack via compromised hosting server
- Attackers delivered tainted updates to select victims by exploiting weak update verification controls
- The breach lasted from June to December 2025 and is likely linked to Chinese state-sponsored actors; it led to a migration to new hosting and tightened update verification
Notepad++ has confirmed that it was the victim of a highly targeted and sophisticated cyber attack, most likely carried out by a Chinese state-sponsored threat actor.
In a security notice published on the project’s website, the company explained that attackers managed to compromise the shared hosting provider’s server and used it to deliver tainted updates to a handful of carefully selected victims.
“We detected the suspicious events in our logs which indicate that the server may have been compromised,” the notice said, citing information from the hosting provider. “Based on our logs, we do not see any other clients hosted on this particular server being targeted. The bad actors were specifically looking for [Notepad++] domain with the goal of intercepting the traffic to your site, as they may be aware of the then-existing Notepad++ vulnerabilities related to insufficient update verification controls.”
Highly targeted, sophisticated attack
The project’s developer explained that an external investigation also determined that the breach occurred in June 2025, with the attackers retaining access until September 2025, when a patch kicked them out.
But since they kept their credentials, they were able to continue the attacks until early December 2025, when a password rotation finally stopped the intrusion.
The attacks did not involve Notepad++’s code in any way. Instead, they used server access to deliver tainted patches to carefully selected targets. According to the investigators, the attackers, most likely Chinese state-sponsored, engaged in “highly selective” targeting.
“The attackers specifically targeted the Notepad++ domain with the aim of exploiting insufficient update verification controls that existed in older versions of Notepad++,” the announcement reads. “All remediation and security hardening was completed by the provider on December 2, 2025, which successfully blocked further attacker activity.”
It is not known which specific group was behind this attack or who it was aimed at. However, Notepad++ migrated to a new hosting provider and the updater itself was updated to v8.8.9 to verify both the certificate and signature of the downloaded installer. Furthermore, the XML returned by the update server is now also signed, and the certificate and signature verification will be enforced starting with the upcoming version 8.9.2, expected in about a month.
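The control described above, in miniature: an updater that trusts neither the server nor the transport, only a signed manifest and the installer digest it names. This is an added example, not Notepad++'s code or update format; the `Manifest` fields, the Ed25519 detached signature and the `SignedSample` helper are assumptions, and certificate checks on the installer are not modeled.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor; field names are assumptions.
type Manifest struct {
	Version string `xml:"Version"`
	SHA256  string `xml:"SHA256"`
}

// VerifyUpdate accepts an installer only if the manifest has a valid detached signature
// from the pinned publisher key AND the installer hashes to the digest it names.
func VerifyUpdate(pub ed25519.PublicKey, manifestXML, sig, installer []byte) (*Manifest, error) {
	// Check the raw bytes first so unsigned XML never reaches the parser.
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, manifestXML, sig) {
		return nil, errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := xml.Unmarshal(manifestXML, &m); err != nil {
		return nil, fmt.Errorf("manifest parse: %w", err)
	}
	want, err := hex.DecodeString(m.SHA256)
	got := sha256.Sum256(installer)
	if err != nil || !bytes.Equal(got[:], want) {
		return nil, errors.New("installer does not match signed manifest")
	}
	return &m, nil
}

// SignedSample builds constructed data: a throwaway key and a signed manifest.
func SignedSample(installer []byte) (ed25519.PublicKey, []byte, []byte) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	sum := sha256.Sum256(installer)
	doc := []byte("<Update><Version>1.2.3</Version><SHA256>" + hex.EncodeToString(sum[:]) + "</SHA256></Update>")
	return pub, doc, ed25519.Sign(priv, doc)
}

func main() {
	pub, doc, sig := SignedSample([]byte("constructed installer"))
	_, err := VerifyUpdate(pub, doc, sig, []byte("swapped installer"))
	fmt.Println("swapped installer rejected:", err)
}
```

Because the publisher key is pinned in the client, an attacker who controls the hosting server can replace the manifest or the installer but cannot make either pass verification.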