A months-long supply chain attack hijacked the update system of Notepad++, exposing how trusted software can be compromised through hosting infrastructure rather than application code. The project’s developer Don Ho confirmed that attackers redirected update traffic at the hosting provider level, not through a vulnerability in Notepad++ itself.
Investigators found that threat actors compromised the shared hosting environment that served Notepad++ update requests. By intercepting traffic bound for the official domain, the attackers selectively redirected certain users to malicious servers that delivered tampered update manifests and executables. The targeting was narrow and deliberate, focusing on specific organizations rather than the broader user base.
See also: How to Install OpenClaw on Windows Using WSL2 (Official Local Setup Guide)
The abuse centered on WinGUp, the built-in updater. Older versions relied on update verification controls that attackers could exploit once they controlled the update delivery path. Importantly, no evidence indicates the Notepad++ source code or repositories were breached.
How Long the Notepad++ Update Hijacking Lasted
Forensic analysis places the start of the campaign around June 2025. Direct server access appears to have ended after maintenance updates in early September 2025, but exposed internal service credentials allowed continued traffic manipulation until early December 2025.
Multiple independent researchers have linked the activity to a Chinese state-sponsored group, commonly referred to as Violet Typhoon (also known as APT31), citing the precision and persistence of the operation.
Developer Response and Security Fixes
Following disclosure, the Notepad++ team migrated the website and update infrastructure to a new hosting provider with stricter security controls. The project also hardened its update process:
- Enhanced verification in v8.8.9: WinGUp now verifies installer certificates and digital signatures.
- Signed update metadata: The update XML is cryptographically signed to prevent tampering.
- Upcoming enforcement: Mandatory certificate and XML signature checks are expected to be enforced in a future release.
The developer recommends that users manually download and install the latest version (v8.9.1 or newer) from the official site to ensure they receive the strengthened protections.
What Users Should Do Now
While the compromise targeted update delivery rather than local systems broadly, users should take standard hygiene steps:
- Update Notepad++ manually to the latest release.
- Avoid third-party mirrors; use the official download page only.
- Stay alert for unusual update prompts or unexpected installer behavior.
The Notepad++ case underscores a growing reality in software security: attackers increasingly target infrastructure and supply chains, where a single compromise can undermine trust at scale. Even widely used, open-source tools can become vectors if update pipelines lack end-to-end verification. The swift response and added safeguards reduce risk going forward, but the incident serves as a clear reminder to treat update channels as critical security assets.
