Malware Delivered via Hijacked Notepad++ Update Mechanism in Targeted Attack

The maintainer of Notepad++ has disclosed that state‑backed threat actors compromised the application’s update mechanism, redirecting legitimate update requests to malicious infrastructure controlled by attackers.

According to Notepad++ developer Don Ho, the incident stemmed from an infrastructure‑level breach rather than any flaw in the application itself. “The attack involved an infrastructure‑level compromise that enabled malicious actors to intercept and reroute update traffic intended for notepad‑plus‑plus.org,” Ho explained. “The breach occurred at the hosting provider layer and did not involve vulnerabilities in Notepad++ code.”

Ho added that the exact technical method used to achieve the traffic interception is still under investigation. The disclosure follows Notepad++’s release of version 8.8.9, issued just over a month earlier to mitigate an issue in which WinGUp, the application’s update utility, was intermittently redirected to malicious domains, leading to the download of tampered executables.

At the core of the issue was the way the updater verified the integrity and authenticity of downloaded files. Because that check was weak, an attacker able to perform man‑in‑the‑middle interception between the update client and the update server could substitute malicious binaries for legitimate updates.
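The kind of check that closes this gap, shown here as an added illustration rather than WinGUp's or Notepad++'s actual code: the server publishes a small manifest (version and SHA‑256 of the installer) signed with a publisher key whose public half is pinned in the updater, so a party that merely reroutes the download can neither swap the binary nor forge an acceptable manifest. The Manifest layout, function names and sample installer bytes are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Manifest is served next to the installer; every field the client acts on is signed.
type Manifest struct {
	Version   string
	SHA256Hex string
	Signature []byte // ed25519 signature over manifestBytes()
}
func manifestBytes(m Manifest) []byte { return []byte(m.Version + "\n" + m.SHA256Hex) }

// SignManifest runs in the publisher's release pipeline with the private key.
func SignManifest(priv ed25519.PrivateKey, version string, binary []byte) Manifest {
	sum := sha256.Sum256(binary)
	m := Manifest{Version: version, SHA256Hex: hex.EncodeToString(sum[:])}
	m.Signature = ed25519.Sign(priv, manifestBytes(m))
	return m
}

// VerifyUpdate is the client-side check. The public key is pinned in the updater, so
// a party that can only reroute the download cannot produce an acceptable manifest.
func VerifyUpdate(pinnedPub ed25519.PublicKey, m Manifest, binary []byte) error {
	if !ed25519.Verify(pinnedPub, manifestBytes(m), m.Signature) {
		return errors.New("manifest not signed by the pinned publisher key")
	}
	sum := sha256.Sum256(binary)
	if hex.EncodeToString(sum[:]) != m.SHA256Hex {
		return errors.New("installer hash does not match the signed manifest")
	}
	return nil
}

// RunScenario replays three cases on constructed sample bytes: the genuine update, a
// swapped installer under the real manifest, and a manifest forged with another key.
func RunScenario() (genuine, swapped, forged bool) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	_, attackerPriv, _ := ed25519.GenerateKey(nil)
	good, bad := []byte("sample: genuine installer"), []byte("sample: trojanized installer")
	m := SignManifest(priv, "8.8.9", good)
	genuine = VerifyUpdate(pub, m, good) == nil
	swapped = VerifyUpdate(pub, m, bad) == nil
	forged = VerifyUpdate(pub, SignManifest(attackerPriv, "8.8.9", bad), bad) == nil
	return // expected: true false false
}
```

Pinning the key in the updater is what makes the check meaningful: a hash alone, fetched from the same rerouted channel, would be replaced right along with the binary.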

Analysis indicates the redirection campaign was highly selective, with only certain users’ traffic diverted to rogue servers. The malicious payloads were delivered exclusively to those targeted systems. Investigators believe the operation began in June 2025, remaining undetected for more than six months. Independent security researcher Kevin Beaumont reported that the vulnerability was actively exploited by China‑linked threat actors to compromise networks and masquerade malware as legitimate Notepad++ updates. The activity has been attributed to a nation‑state threat group known as Violet Typhoon (also tracked as APT31), which focused its efforts on telecommunications and financial services organizations in East Asia.

In response, the Notepad++ project has migrated its website to a new hosting provider described as having substantially stronger security practices. Additionally, the update process has been reinforced with enhanced safeguards designed to prevent unauthorized redirection and ensure update integrity. Ho further revealed that the former hosting provider confirmed the shared hosting environment was compromised until September 2, 2025. Even after the attackers lost direct access to the server, they reportedly retained credentials to internal services until December 2, 2025, which enabled continued manipulation of update traffic during that period.
