How to protect your system following the Notepad++ update server compromise

Notepad++ has announced that its update infrastructure was compromised by a likely Chinese state-sponsored threat actor between June and December 2025. It said that the breach took place at its former hosting provider and allowed the redirection of update traffic to malicious servers.

According to security analysts who have investigated the situation, the attackers targeted a subset of users to deliver compromised update manifests. The targeted approach points towards an espionage campaign rather than a broad malware distribution effort.

The breach started at the hosting provider level, where attackers maintained server access until maintenance took place on September 2, 2025. Even after losing direct server access, the hackers retained internal service credentials until December 2, 2025, which permitted ongoing traffic interception.

Those responsible exploited the getDownloadUrl.php endpoint to return URLs for compromised software versions. To address this, the hosting provider has now rotated all internal credentials and the Notepad++ application has migrated to a different, hardened server environment.

If you have attempted to update Notepad++ between June and December, you may have accidentally downloaded malicious binaries. The attackers used known weaknesses in older versions of the software, such as insufficient update verification controls, to facilitate the compromise.

In response to this episode, Notepad++ has dropped its previous shared hosting arrangement for a provider with better security protocols. This shift highlights the need for developers to ensure third parties that they rely on also have a robust security posture.

With Notepad++ v8.8.9, there are preliminary security enhancements to the app’s updater, WinGup. Building on this, Notepad++ will release v8.9.2 in a month’s time, which will strictly enforce XMLDSig certificate and signature verification. This will ensure the update server’s responses cannot be tampered with or redirected by unauthorized parties.
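To make concrete why signed update manifests close the hole described above (a download endpoint returning URLs to attacker-controlled builds), here is an added, self-contained example that is not Notepad++ or WinGup code and does not use the real WinGup manifest format or XMLDSig. It stands in a simplified signed manifest (Ed25519 over the raw XML bytes) for the general principle: the client verifies the signature under a pinned publisher key before parsing, only then follows the download URL, requires HTTPS to an allowlisted host (the allowlist entry and the manifest fields are assumptions), and checks the fetched binary against the SHA-256 digest bound into the signed manifest. The installer bytes and URLs are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
	"net/url"
)

// Manifest is a hypothetical update manifest, a stand-in for the real WinGup
// format, which this page does not show.
type Manifest struct {
	XMLName xml.Name `xml:"update"`
	Version string   `xml:"version"`
	URL     string   `xml:"url"`
	SHA256  string   `xml:"sha256"` // hex digest of the installer the URL must serve
}

// SignedManifest carries the exact bytes that were signed plus the signature.
// Verification runs over the raw bytes before any parsing, so a rewritten URL
// or digest changes the signed content and the signature no longer verifies.
type SignedManifest struct {
	Payload   []byte
	Signature []byte
}

// allowedHosts is an assumed allowlist of hosts an update may be fetched from.
var allowedHosts = map[string]bool{"notepad-plus-plus.org": true}

// BuildManifestXML constructs the manifest body for a given installer.
func BuildManifestXML(version, downloadURL string, installer []byte) []byte {
	sum := sha256.Sum256(installer)
	return []byte(fmt.Sprintf(
		"<update><version>%s</version><url>%s</url><sha256>%s</sha256></update>",
		version, downloadURL, hex.EncodeToString(sum[:])))
}

// SignManifest is the publisher side; the private key stays in the release pipeline.
func SignManifest(priv ed25519.PrivateKey, payload []byte) SignedManifest {
	return SignedManifest{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifyManifest is the client side. It refuses the manifest unless the
// signature checks out under the pinned public key, the download URL uses
// HTTPS on an allowlisted host, and the digest is well-formed.
func VerifyManifest(pub ed25519.PublicKey, sm SignedManifest) (*Manifest, error) {
	if !ed25519.Verify(pub, sm.Payload, sm.Signature) {
		return nil, errors.New("manifest signature does not verify under the pinned key")
	}
	var m Manifest
	if err := xml.Unmarshal(sm.Payload, &m); err != nil {
		return nil, fmt.Errorf("manifest is not valid XML: %w", err)
	}
	u, err := url.Parse(m.URL)
	if err != nil {
		return nil, fmt.Errorf("download URL unparsable: %w", err)
	}
	if u.Scheme != "https" {
		return nil, errors.New("download URL must use https")
	}
	if !allowedHosts[u.Hostname()] {
		return nil, fmt.Errorf("download host %q is not allowlisted", u.Hostname())
	}
	if digest, err := hex.DecodeString(m.SHA256); err != nil || len(digest) != sha256.Size {
		return nil, errors.New("manifest digest is not a SHA-256 hex string")
	}
	return &m, nil
}

// VerifyDownload checks the fetched installer against the digest bound into
// the signed manifest, so a server that serves a different binary is caught
// even when the URL itself was legitimate.
func VerifyDownload(m *Manifest, installer []byte) error {
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("installer digest does not match signed manifest")
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	installer := []byte("constructed installer bytes, not a real binary")
	sm := SignManifest(priv, BuildManifestXML("8.8.9",
		"https://notepad-plus-plus.org/example/npp-installer.exe", installer))
	m, err := VerifyManifest(pub, sm)
	fmt.Println("genuine manifest accepted:", err == nil && VerifyDownload(m, installer) == nil)

	// A redirected URL, the kind of tampering described for getDownloadUrl.php,
	// alters the signed bytes, so the pinned-key check fails before the URL is used.
	tampered := sm
	tampered.Payload = bytes.Replace(sm.Payload, []byte("notepad-plus-plus.org"), []byte("updates.example.net"), 1)
	_, err = VerifyManifest(pub, tampered)
	fmt.Println("redirected manifest rejected:", err != nil)
}
```

The host allowlist and the digest check are deliberate belt-and-braces: even a manifest that carries a valid signature (say, signed by a compromised release key) cannot send the client to an arbitrary host, and a legitimate URL that now serves a swapped binary fails the digest comparison. Real XMLDSig adds X.509 chain validation and XML canonicalisation on top of this, which is what the v8.9.2 enforcement described above refers to.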

Users are advised to ensure they are running at least version 8.8.9. Credentials for any services associated with the previous hosting environment, such as SSH, FTP, or MySQL databases, should also be reset.
