Notepad++ Update Hijacked: What This 2025 Attack Means for IT Teams

February 3, 2026February 3, 2026 Master

A widely used developer tool just became part of a much bigger security story.

In late 2025, the team behind Notepad++ confirmed that a state-sponsored threat actor compromised its update service. The attack was quiet. It was targeted. And it went on for months.

If you work in software development, IT operations, or security, this matters. Not because Notepad++ is “unsafe,” but because this incident highlights how fragile software update chains can be.

In this post, we’ll break down what happened, why it matters, and what you should do next.

What Happened

Notepad++ disclosed that its update infrastructure was hijacked by a state-sponsored cyber group during 2025.

The core issue was simple but dangerous.

Attackers gained access to a shared hosting provider used by the project. From there, they selectively redirected update traffic for specific users. Those users were served malicious update manifests instead of legitimate ones.

According to the project, this was not a mass attack. It was targeted.

Only certain users saw malicious behavior, which made detection harder and delayed discovery.

The compromise timeline is important:

• June 2025: Initial access gained via a compromised hosting environment
• September 2: Notepad++ lost attacker access to the hosting provider
• November 10: Investigators believe active exploitation stopped
• December 2: All remaining internal credentials were revoked
• December 9: Version 8.8.9 released with hardened update verification
• December 27: Version 8.9 released, removing a self-signed certificate entirely

The author estimates the total exposure window ran from June through early December 2025.

 

How the Attack Worked

Older versions of Notepad++ did not strictly enforce certificate and signature verification during updates.

That gap mattered.

Attackers used the compromised infrastructure to redirect update requests from specific targets to attacker-controlled servers. These servers delivered fake update manifests pointing to malicious executables.

Key detail:
The malicious files were not part of the Notepad++ codebase.

They were typically named:

• update.exe
• updater.exe
• AutoUpgrade.exe

None of these belong to the official Notepad++ distribution.

This is a classic supply chain-style attack. Instead of breaking into endpoints directly, attackers poisoned the trust users place in updates.

who noticed first

Security researcher Kevin Beaumont raised early concerns in December.

He reported hearing from multiple organizations that experienced security incidents where Notepad++ processes appeared to trigger initial access. In several cases, attackers quickly moved to hands-on-keyboard activity.

Beaumont also pointed out something critical.

The activity was selective.

The limited victim set he spoke with had professional or organizational ties to East Asia. That detail helped narrow down attribution.

who was behind it

Notepad++ stopped short of naming an actor. However, multiple independent researchers believe the campaign aligns with a Chinese state-sponsored group.

The project’s author stated that the selective targeting strongly supports this theory.

This fits a broader pattern.

China-linked threat actors have a long track record of:

• Supply chain attacks
• Long-term credential abuse
• Highly selective espionage-focused campaigns

In December, CISA warned that Chinese operators had maintained access to critical US networks for years in some cases.

This incident adds another example to that list.

The Certificate Problem (And the Fix)

One controversial detail was Notepad++’s prior use of a self-signed root certificate for updates.

That decision made update verification weaker than it should have been.

The response was fast once the issue became clear.

• Version 8.8.9 added stronger verification checks
• Version 8.9 fully removed the self-signed certificate
• All binaries are now signed with a legitimate certificate from GlobalSign

The project strongly recommends removing the old self-signed root certificate if it was installed on your system.

Looking ahead, version 8.9.2 is expected to enforce certificate and signature verification by default.

why this attack matters

This was not about Notepad++ alone.

It was about trust.

Software updates are one of the most trusted mechanisms in IT. When that trust is abused, even briefly, the impact can ripple across organizations.

This incident highlights several uncomfortable truths:

• Open-source projects can be high-value targets
• Shared hosting increases risk exposure
• Update mechanisms are prime attack surfaces
• Targeted attacks often go unnoticed for months

Even widely respected tools can become delivery vehicles when infrastructure is compromised.

What makes it worse

There are no usable indicators of compromise.

After reviewing roughly 400 GB of server logs, the incident response team confirmed intrusion activity but found no actionable IoCs to share.

That means:

• No known file hashes
• No confirmed domains
• No reliable detection signatures

For defenders, that’s frustrating. For attackers, it’s ideal.

What You Should Do Right Now

If Notepad++ exists anywhere in your environment, take this seriously.

Here are the practical steps that make sense today:

1. Manually Update Notepad++

Do not rely on older auto-update paths.

Download and install the latest version directly from the official site. This updates both Notepad++ and WinGUp, its updater component, to hardened versions.

2. Remove the Old Self-Signed Certificate

If your systems installed the Notepad++ self-signed root certificate in the past, remove it.

This step reduces future trust abuse risk.

3. Review Endpoint Behavior

If you operate in regulated environments or have ties to East Asia, consider a focused review.

Look for:

• Unexpected process spawning from Notepad++
• Historical execution of unknown update binaries
• Privilege escalation following editor execution

Even without IoCs, behavior-based review still matters.

4. Revisit Update Policies

This is a good moment to audit how your organization handles software updates.

Questions worth asking:

• Which tools auto-update silently?
• Do we verify signatures consistently?
• Are developer tools monitored like production software?

A Fair Note on the Response

Credit where it’s due.

The Notepad++ maintainer handled this responsibly once discovered. The project communicated clearly, rebuilt hosting on stronger infrastructure, and hardened its update process.

Kevin Beaumont summed it up well when he said the developer “did a great job treating the issue seriously.”

Incidents happen. The response is what counts.

the bigger lesson

This story is not about panic. It’s about awareness.

Supply chain attacks are no longer rare. They are precise, patient, and quiet.

If a simple text editor can be used as an entry point, any trusted tool can.

For IT leaders, security teams, and developers, the takeaway is simple:

Trust updates.
But verify them harder than ever.

---

Source material and background for this analysis referenced from the provided incident documentation and reporting.

Related posts

• 

  December 24, 2025

  The RAM Price Hike Explained: Why Memory Is Scarce, Expensive, and Reshaping Tech

  Introduction A couple of years ago, upgrading your PC’s...

• 

  August 22, 2025

  Congratulations, Your AWS Knowledge Is Now a Historical Artifact

  Introduction Amazon Web Services (AWS) is a cloud powerhouse...

• 

  March 14, 2025

  Why Your Saved Passwords Are Basically a Hacker’s Lunch Buffet

  Introduction Imagine this: You sit down at your computer,...