Chinese State-Linked Threat Actors Suspected Behind Targeted Update Traffic Redirection
The developer of Notepad++ has confirmed that a long-running supply-chain attack hijacked its software update mechanism for nearly six months in 2025, with strong indications pointing to Chinese state-sponsored threat actors.
According to an official announcement released today, attackers intercepted update requests from specific users and selectively redirected them to malicious servers. Those users were served tampered update manifests that exploited weaknesses in the update verification controls of older Notepad++ versions.
How the Attack Worked
Investigators determined that the campaign began in June 2025, after attackers compromised a server operated by the hosting provider responsible for Notepad++ update traffic.
Key findings include:
- Only update requests from selected users were redirected
- Malicious update metadata was delivered instead of legitimate files
- The activity remained undetected for months due to its narrow targeting scope
External security researchers assisting with the investigation concluded that the precision and restraint of the operation strongly suggest involvement from a Chinese state-aligned threat group.
Hosting Provider Compromise Enabled Persistence
Logs reviewed during the investigation indicate that the attackers:
- Initially gained access by exploiting weaknesses on the update hosting server
- Temporarily lost access in September 2025 after kernel and firmware updates
- Regained control using unchanged internal service credentials
The attackers maintained access until December 2, 2025, when the breach was finally detected and the malicious access was terminated.
Security Fixes and Mitigation
In response, Notepad++ has taken multiple remediation steps:
- Migrated update infrastructure to a new hosting provider
- Rotated all potentially exposed credentials
- Fixed exploited vulnerabilities
- Conducted a full log review to confirm the attack had ended
In December 2025, version 8.8.9 was released to fix a critical weakness in the WinGUp update tool, which previously allowed malicious update packages to be delivered.
Starting with version 8.8.9:
- Installer certificates and signatures are verified
- Update XML files are cryptographically signed
The developer also announced that mandatory certificate signature verification will be enforced in version 8.9.2, expected next month.
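The two checks described above for version 8.8.9, as an added Go example that is not Notepad++'s or WinGUp's own code: the client verifies a detached Ed25519 signature over the raw update XML with a pinned vendor key before parsing it, then binds the downloaded installer to the digest carried in the signed manifest (a manifest-pinned SHA-256 stands in here for the installer's certificate check). The manifest element names, the key pair, the URLs and the installer bytes are constructed assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/xml"
	"errors"
	"fmt"
)

// Manifest is a hypothetical manifest shape; element names are assumptions, not WinGUp's real schema.
type Manifest struct {
	Version  string `xml:"Version"`
	Location string `xml:"Location"` // download URL the client fetches
	SHA256   string `xml:"SHA256"`   // hex digest of the installer at that URL
}
var ErrBadSignature, ErrBadDigest = errors.New("manifest signature invalid"), errors.New("installer digest mismatch")

// VerifyUpdate accepts an update only if the detached Ed25519 signature over the raw XML verifies under the pinned
// vendor key AND the package matches the digest in that manifest. Signature first, so a manifest edited in transit is rejected unread.
func VerifyUpdate(pub ed25519.PublicKey, raw, sig, pkg []byte) (*Manifest, error) {
	if !ed25519.Verify(pub, raw, sig) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := xml.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	if fmt.Sprintf("%x", sha256.Sum256(pkg)) != m.SHA256 {
		return nil, ErrBadDigest
	}
	return &m, nil
}

// RunScenario signs a constructed manifest with a fresh vendor key, then replays what a compromised update host can
// serve: a manifest with its download location rewritten, and a substituted installer. Returns (genuineOK, redirectRejected, swapRejected).
func RunScenario() (bool, bool, bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair; real clients would pin the public half
	pkg := []byte("constructed installer bytes")
	raw := []byte(fmt.Sprintf("<Update><Version>8.8.9</Version><Location>https://updates.example/npp.exe</Location><SHA256>%x</SHA256></Update>", sha256.Sum256(pkg)))
	sig := ed25519.Sign(priv, raw)
	_, err1 := VerifyUpdate(pub, raw, sig, pkg)
	redirected := bytes.Replace(raw, []byte("updates.example"), []byte("redirect.invalid"), 1)
	_, err2 := VerifyUpdate(pub, redirected, sig, pkg) // the signature no longer covers the edited bytes
	_, err3 := VerifyUpdate(pub, raw, sig, []byte("substituted installer bytes"))
	return err1 == nil, errors.Is(err2, ErrBadSignature), errors.Is(err3, ErrBadDigest)
}
func main() { fmt.Println(RunScenario()) } // prints: true true true
```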
User Impact and Recommendations
Security researcher Kevin Beaumont previously warned that multiple organizations were impacted, with some cases followed by hands-on attacker reconnaissance inside victim networks.
Notepad++ users are advised to:
- Update immediately to version 8.8.9 or later
- Change SSH, FTP/SFTP, and MySQL credentials
- Review and secure WordPress admin accounts if applicable
- Enable automatic updates where possible
The developer has not yet released indicators of compromise (IOCs) to help users determine whether they were affected.
Why This Matters
Notepad++ is one of the world’s most widely used text and source-code editors, with tens of millions of users globally. This incident highlights how:
- Open-source software remains a high-value supply-chain target
- Update mechanisms are increasingly exploited for stealthy, long-term access
- Highly selective attacks can evade detection for extended periods