Notepad++ Hijacked by State-Sponsored Hackers in a sophisticated and highly selective cyber espionage campaign that abused the software’s update infrastructure for several months, according to a detailed security disclosure published by the project’s developer. The attack, which remained largely undetected throughout much of 2025, represents a rare and serious supply chain compromise affecting one of the most widely used open-source applications on Windows.
The operation did not rely on vulnerabilities within the Notepad++ source code itself. Instead, attackers gained control over the hosting infrastructure responsible for delivering update metadata, allowing them to silently redirect update requests from specific targets to their own attacker-controlled servers.
How Notepad++ Was Hijacked by State-Sponsored Hackers?
Notepad++ was hijacked by state-sponsored hackers through an infrastructure-level compromise at its former shared hosting provider, rather than through flaws in the application’s codebase. Security experts confirmed that the attackers infiltrated the server hosting the Notepad++ update endpoint, enabling them to intercept and manipulate update traffic in transit.
The malicious actors selectively redirected update requests from chosen users, returning tampered update manifests that pointed to malicious payloads. This narrow targeting strongly suggests intelligence-driven objectives rather than mass malware distribution, aligning with techniques commonly observed in nation-state cyber operations.
Infrastructure Compromise Behind the Notepad++ Hijacked Campaign
The investigation revealed that the compromised server hosted the script responsible for generating update download URLs for Notepad++. Once access was obtained, attackers were able to operate below the application layer, making the intrusion extremely difficult to detect using conventional endpoint security controls.
WordPress Web Hosting
Starting From $3.99/Monthly
Crucially, investigators found no evidence that official Notepad++ binaries or the project’s build pipeline were directly altered. The threat actors exploited trust in the update delivery mechanism itself, a tactic that has become increasingly prevalent in modern supply chain attacks.
Timeline of the Notepad++ Hijacked by State-Sponsored Hackers Incident
The confirmed timeline indicates that the attack commenced in June 2025, when the attackers initially gained unauthorized access to the hosting environment. That access persisted until September 2, 2025, when scheduled kernel and firmware updates temporarily disrupted the intrusion.
Despite losing direct server access, the attackers retained internal service credentials that allowed them to continue redirecting update traffic remotely. This secondary access channel remained active until December 2, 2025, when all credentials were rotated, and the infrastructure was fully secured.
Security experts believe malicious activity likely ceased in early November, but definitive termination of attacker access was only achieved in December. Based on combined assessments, the overall compromise window spans approximately six months.
Evidence Links the Attack to Chinese State-Sponsored Hackers
Multiple independent security researchers concluded that the campaign bears the hallmarks of Chinese state-sponsored hackers. The precision of the targeting, the extended dwell time, and the absence of monetization signals are consistent with espionage-focused operations rather than cybercrime.
Further analysis by Rapid7 attributed related activity to the Chinese APT group Lotus Blossom, also known as Raspberry Typhoon, Bilbug, and Spring Dragon. The group reportedly deployed a previously undocumented custom backdoor named Chrysalis, designed to maintain persistent access to compromised systems.
Cheap VPS Server
Starting From $2.99/Monthly
While no definitive forensic artifacts prove that the Notepad++ updater directly delivered the backdoor, telemetry confirmed suspicious execution chains involving notepad++.exe, GUP.exe, and an anomalous update.exe process.
Why State-Sponsored Hackers Targeted the Notepad++ Update Mechanism?
State-sponsored hackers targeted the Notepad++ update mechanism due to legacy weaknesses in update verification controls present in older versions of the software. Although installers were signed, earlier implementations of the WinGup updater did not strictly enforce cryptographic validation of update metadata.
By compromising the update delivery infrastructure, attackers avoided the need to bypass code-signing protections. Instead, they redirected clients to attacker-controlled servers, effectively weaponizing the trusted update channel without modifying the application itself.
Security Fixes After Notepad++ Was Hijacked by State-Sponsored Hackers
After Notepad++ hijacked by state-sponsored hackers through its update infrastructure was publicly disclosed, the project implemented a series of critical security enhancements to prevent similar supply chain attacks in the future. The following changes focus on strengthening update verification, hardening hosting infrastructure, and eliminating trust gaps:
- Enhanced installer certificate and signature verification in WinGup
Starting with Notepad++ version 8.8.9, the WinGup updater now verifies both the digital signature and the certificate of downloaded installers, ensuring that only authentic and trusted updates can be installed on user systems. - Cryptographic signing of update metadata using XML Digital Signatures
The update XML returned by the server is now cryptographically signed, preventing attackers from tampering with update manifests even if they gain partial access to delivery infrastructure. - Mandatory enforcement of verification in upcoming releases
Full enforcement of certificate and signature validation is scheduled to take effect in Notepad++ v8.9.2, which is expected to be released within the coming month, further reducing the risk of update hijacking. - Migration to a new hosting provider with stronger security controls
All Notepad++ services have been migrated to a new hosting environment with improved monitoring, stricter access management policies, and enhanced defensive measures against infrastructure-level compromise.
Windows VPS Hosting
Remote Access & Full Admin
Hosting Provider Response and Remediation Measures
The former hosting provider confirmed that the affected shared hosting server was compromised until early September 2025 and that internal service credentials remained exposed until December. Following detection, the provider:
- Migrated all hosted clients to new servers
- Patched exploited vulnerabilities
- Rotated all potentially compromised credentials
- Conducted a full log review across all hosting environments
The provider reported no evidence that other hosted customers were targeted, reinforcing the conclusion that the attackers specifically sought to compromise Notepad++ update traffic.
What Notepad++ Users Should Do Now
Following confirmation that Notepad++ was hijacked by state-sponsored hackers through its update infrastructure, users are advised to take a series of precautionary steps to reduce any potential residual risk. While investigators have not identified universal indicators of compromise, systems that ran affected versions during the exposure window may still warrant closer scrutiny, particularly in enterprise or sensitive environments.
Manually update to Notepad++ version 8.9.1 or later
Users should download and install Notepad++ version 8.9.1 or newer directly from the official website to ensure that enhanced update verification mechanisms are in place. This version includes critical security improvements to the WinGup updater, reducing the risk of malicious update redirection and strengthening trust in future update deliveries.
Review system and application logs for anomalous behavior
Users and administrators are encouraged to examine system logs for unusual process execution, unexpected network connections, or unexplained file changes during the June–December 2025 timeframe. Although no definitive indicators of compromise have been released, log review can help identify suspicious activity that may warrant further investigation.
Rotate credentials on systems relying on automated updates
For environments where Notepad++ updates were managed automatically, credential rotation is recommended as a precautionary measure. Updating SSH, FTP, database, or service account credentials helps mitigate the risk of lingering access should credentials have been exposed during the infrastructure compromise.
Ensure update mechanisms enforce strict verification going forward
Administrators should verify that update workflows enforce certificate and signature validation, particularly in managed or enterprise deployments. Relying on cryptographically verified updates reduces exposure to future supply chain attacks and aligns with modern software security best practices.
A Broader Warning for Open-Source Software Security
The Notepad++ hijacking highlights a growing trend in which state-sponsored hackers increasingly target open-source projects through infrastructure and supply chain weaknesses rather than application vulnerabilities. As open-source tools continue to underpin enterprise and government environments, they are becoming high-value espionage targets.
The response by the Notepad++ project demonstrates how transparency, rapid remediation, and architectural improvements can help restore trust after a major security incident.