Notepad + + under targeted attack: kidnapped updates and suspicions of Chinese state actors

The Notepad + + community has received confirmation this week of an incident that many already feared: for several months the editor's update traffic was abducted and some users received manipulated update manifests. According to the developer himself, the fact took advantage of a weakness in the integrity checks of the update system and allowed the attackers to selectively redirect the requests to malicious servers.

The source of the problem, according to internal research and collaboration with external experts, dates back to June 2025, when a hosting provider hosting the upgrade infrastructure was committed. This intrusion provided the attackers with the technical capacity to intercept and change update responses only for certain users; it was not a massive and indiscriminate distribution, but a highly selective campaign.

The concrete way they operated was to send an altered update XML and packages that seemed legitimate to Notepad + +'s update client (WinGup). It was possible because old versions of the system did not strictly verify the signature and certificates of the installers and the update manifesto. Following the incident, Notepad + + has published official information on what happened and the measures taken: the public note of the project contains the schedule and the actions taken.

The technical vector was not only an open door in the hosting: when in September the supplier patched the kernel and firmware, the attackers temporarily lost access, but could reenter using internal credentials that had already been exfiltered and that had not been renewed, which demonstrates the importance of rotating credentials after an intrusion. This condition was maintained until 2 December 2025, when the supplier finally detected the gap and cut the attacker's access.

Attribution is not something that is announced lightly, but many independent researchers have pointed out that the adversary's behavior - selectivity, objectives and sophistication - fits with tactics seen in campaigns linked to Chinese state actors. This conclusion, replicated by several parties, is the one Notepad + + cites in its statement as the hypothesis most consistent with the facts observed.

Security researchers such as Kevin Beaumont publicly warned about impacts in at least three organizations and described manual recognition activity in the networks affected after initial infections. For those who want to follow the work of specialists who track these types of incidents, Kevin Beaumont's page collects many useful threads and analyses: kevinbeaumont.com. The specialized media have also been covering the case and provide a summary of how intrusion and response developed.

Notepad + + is a free and open source tool with tens of millions of users on Windows, which makes any problem in your update chain potential impact beyond a few machines. Precisely because of this potential for scope, the project has moved all customers to a new hosting provider with stronger controls, broken credentials that could be compromised and corrected the exploited vulnerabilities.

In technical terms, the project already launched version 8.8.9, which introduces certificate checks and signatures on installers and applies cryptographic signature to the update XML, which drastically reduces the possibility of an intermediate actor serving malicious packages without being detected. In addition, Notepad + + has announced that in the next version 8.9.2 plans to force signature verification on a mandatory basis, a measure that will raise the barrier to such abuse.

This incident is a practical reminder of why software supply chain protection and good practices in identity management are critical. Organizations such as the US Infrastructure and Cybersecurity Agency. The US (CISA) provides guides to secure supply chains and mitigate risks of compromised updates; it is useful to review them to understand additional controls that can be applied: CISA - Supply Chain Security.

If you are a user of Notepad + +, the most important thing is to update to the version that corrects the failure and to check the credentials displayed in your own infrastructure. Notepad + + and public releases recommend, among other measures, renewing passwords and keys used in deployment and hosting services, reviewing and cleaning administrative accounts (e.g. on WordPress if used to host updates), and ensuring that critical platforms apply automatic updates and verify digital signatures.

On a broader level, it is recommended that IT managers adopt code signature and update validation policies for all critical software, and implement credentials rotation and continuous integrity monitoring. The signing of packages and cryptographic validation are controls that significantly reduce the possibility that an intermediary with access to data transport can inject malicious software; certification companies explain in detail how the code signature works and why it is essential: DigiCert - Code Signing.

Finally, although Notepad + + claims to have stopped malicious activity following rectifications and migration, the selective nature of the campaign implies that some specific organizations may have been further monitored after their teams have been engaged. If you think your organization may have been among those affected, it is wise to conduct a forensic review of logs and final points, to look for indicators of laterality and, in case of doubt, to contact professionals in response to incidents to assess the scope and remedy.

The lesson for all is clear: the tools widely used are not immune to targeted attacks, and maintaining robust processes of signature, access control and rotation of credentials is as important as patching the software. The Notepad + + page and the specialized media coverage should be consulted in order to follow the official updates on this issue. Bleeping Computer where details and follow-up of the case have been published.