
State-Linked Attackers Hijack Notepad++ Update Infrastructure to Deliver Malware

  • Feb 2

The maintainer of Notepad++ has confirmed that state-sponsored threat actors hijacked the project’s official update delivery path to distribute malware to a limited set of users. The incident did not stem from a vulnerability in the Notepad++ codebase itself, but from a compromise at the infrastructure level that allowed attackers to intercept and redirect update traffic.

According to the project’s developer, the attackers gained control at the hosting provider level, enabling them to manipulate network traffic destined for the Notepad++ update domain. This allowed malicious servers to impersonate legitimate update endpoints and serve trojanized binaries to selected victims. The precise technique used to gain initial access to the hosting environment remains under investigation.


The attack leveraged weaknesses in how the Notepad++ updater, WinGUp, validated update responses. While the updater performed basic integrity checks, it did not sufficiently authenticate the origin of the downloaded binary. An attacker capable of intercepting or redirecting network traffic between the updater client and the update server could therefore substitute a malicious executable without triggering validation failures.
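The distinction the paragraph draws, between checking a binary's integrity and authenticating where it came from, is easiest to see in code. The following Go program is an added illustration, not WinGUp's code or the project's actual response format: the `UpdateResponse` structure, the hash-plus-signature layout and the installer bytes are all constructed for the example. It contrasts a hash-only check, where the expected hash is served over the same channel as the binary, with a check that also verifies an Ed25519 signature against a key pinned in the client, and shows how a party who controls the network path defeats the first but not the second.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// UpdateResponse models what an updater client receives from the update
// endpoint: the binary plus the metadata served alongside it.
// Constructed for this example; it is not WinGUp's actual response format.
type UpdateResponse struct {
	Binary    []byte
	SHA256    [32]byte // integrity value served by the same endpoint
	Signature []byte   // signature over SHA256 made with the release private key
}

// weakVerify checks only that the binary matches the hash the server sent.
// Both values travel over the same channel, so whoever controls that channel
// can replace both consistently and the check still passes.
func weakVerify(r UpdateResponse) bool {
	return sha256.Sum256(r.Binary) == r.SHA256
}

// strongVerify additionally requires the hash to carry a valid signature from
// a key the client already trusts (pinned at build time). Redirecting traffic
// does not help an attacker who does not hold the release private key.
func strongVerify(r UpdateResponse, pinnedKey ed25519.PublicKey) bool {
	if !weakVerify(r) {
		return false
	}
	return ed25519.Verify(pinnedKey, r.SHA256[:], r.Signature)
}

// publishUpdate is what a legitimate release process does: hash the binary
// and sign the hash with the release private key.
func publishUpdate(binary []byte, releaseKey ed25519.PrivateKey) UpdateResponse {
	sum := sha256.Sum256(binary)
	return UpdateResponse{Binary: binary, SHA256: sum, Signature: ed25519.Sign(releaseKey, sum[:])}
}

// hijackResponse models a rogue endpoint on the redirected update path: it
// substitutes a different binary and recomputes the hash so the two agree,
// but can only replay the original signature because it lacks the key.
func hijackResponse(r UpdateResponse, substitute []byte) UpdateResponse {
	return UpdateResponse{Binary: substitute, SHA256: sha256.Sum256(substitute), Signature: r.Signature}
}

// Simulate runs both checks against a genuine and a hijacked response and
// returns (weakAcceptsHijacked, strongAcceptsHijacked, strongAcceptsGenuine).
func Simulate() (bool, bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := publishUpdate([]byte("constructed genuine installer bytes"), priv)
	hijacked := hijackResponse(genuine, []byte("constructed substituted installer bytes"))
	return weakVerify(hijacked), strongVerify(hijacked, pub), strongVerify(genuine, pub)
}

func main() {
	w, s, g := Simulate()
	fmt.Printf("hash-only check accepts hijacked update:         %v\n", w)
	fmt.Printf("pinned-signature check accepts hijacked update:  %v\n", s)
	fmt.Printf("pinned-signature check accepts genuine update:   %v\n", g)
}
```

The design point is that the trust anchor (the pinned public key) must live in the client, not in anything fetched from the update server; a hash served from the same origin as the binary proves only that the download was not corrupted in transit, not that it was produced by the project.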

Evidence suggests the campaign was highly targeted rather than indiscriminate. Only traffic from specific users was redirected to rogue servers, reducing the likelihood of widespread detection. Analysis indicates the activity began as early as June 2025, but remained undetected for more than six months.

Independent research has linked the operation to China-based threat actors who used the compromised update path to gain initial access to victim systems. Once executed, the malicious payloads enabled further compromise of affected networks, consistent with targeted espionage activity rather than financially motivated malware distribution.

Although the hosting provider reported regaining control of the compromised server in early September 2025, attackers retained access to internal service credentials until December. This persistence allowed continued redirection of update traffic even after the primary infrastructure breach was addressed.

In response to the incident, the Notepad++ project migrated its website and update infrastructure to a new hosting provider and implemented additional safeguards around update delivery. Users are advised to upgrade to the latest version and verify the integrity of any previously downloaded installers.

This incident highlights the growing risk of infrastructure-level and supply-chain attacks, where trusted software distribution mechanisms are abused without exploiting traditional software vulnerabilities. Even widely used and open-source tools can become effective entry points when update channels are compromised.
