Notepad++ Update Feature Hijacked by Chinese State Hackers For Months
Summary:
In mid-2025, the official update mechanism for the widely used open-source text editor Notepad++ was compromised in a supply chain attack that persisted for roughly six months. Attackers believed to be Chinese state-sponsored threat actors gained unauthorized access to the hosting infrastructure for the Notepad++ update service and intercepted and redirected legitimate update requests from certain users to malicious servers. By exploiting a weak verification in the Notepad++ updater (WinGUp), which previously did not sufficiently validate the integrity and authenticity of downloaded files, the attackers were able to serve tampered updates and potentially deliver malware.
The incident began around June 2025 and continued until December 2, 2025, despite the shared hosting server being partially remediated in September, because the adversaries retained internal credentials that allowed them to continue redirecting traffic. Notepad++ has since migrated to a new, more secure hosting provider, rotated credentials, fixed exploited vulnerabilities, and thoroughly analyzed logs to confirm that the malicious activity stopped.
Security Officer Comments:
According to Notepad++, the breach had a narrow targeting scope and redirected only specific users to the attacker’s infrastructure rather than affecting the wider user base. Security researcher Kevin Beaumont stated that he was aware of at least three organizations (telecommunications and financial services organizations in East Asia) impacted by these hijacked updates, which were followed by hands-on reconnaissance activity on the network.
Suggested Corrections:
To address this severe security issue, the Notepad++ website has been migrated to a new hosting provider with significantly stronger security practices. Within Notepad++ itself, WinGUp (the updater) was enhanced in v8.8.9 to verify both the certificate and the signature of the downloaded installer. Additionally, the XML returned by the update server is now signed (XMLDSig), and certificate and signature verification will be enforced starting with the upcoming v8.9.2, expected in about one month.
While Notepad++ says it rotated all the secrets on its end, it has been recommended that Notepad++ users take the following actions to strengthen their security:
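As an added illustration of the hardening described above (example code written for this summary, not WinGUp's or Notepad++'s own code), the Go program below models a fail-closed update check: the update XML pins the installer's SHA-256 and is signed by a project key the client trusts, so a compromised host can neither redirect the download location nor swap the installer without breaking verification. The element names, the Ed25519 signature standing in for XMLDSig, and all sample bytes are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"fmt"
)

// Manifest models the update XML; element names are assumptions, not WinGUp's real schema.
type Manifest struct {
	XMLName  xml.Name `xml:"GUP"`
	Version  string   `xml:"Version"`
	Location string   `xml:"Location"`
	SHA256   string   `xml:"SHA256"`
}

// BuildManifest is the server side: it pins the installer's SHA-256 inside the XML.
func BuildManifest(version, location string, installer []byte) []byte {
	sum := sha256.Sum256(installer)
	return []byte(fmt.Sprintf("<GUP><Version>%s</Version><Location>%s</Location><SHA256>%s</SHA256></GUP>", version, location, hex.EncodeToString(sum[:])))
}

// VerifyUpdate is the hardened client side: it fails closed unless the manifest carries a valid
// signature from the pinned project key AND the downloaded bytes match the hash the manifest pins.
func VerifyUpdate(pinned ed25519.PublicKey, manifestXML, sig, installer []byte) (string, error) {
	if !ed25519.Verify(pinned, manifestXML, sig) {
		return "", fmt.Errorf("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := xml.Unmarshal(manifestXML, &m); err != nil {
		return "", err
	}
	if sum := sha256.Sum256(installer); hex.EncodeToString(sum[:]) != m.SHA256 {
		return "", fmt.Errorf("installer hash mismatch: refusing update")
	}
	return m.Version, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stand-in for the project's signing key
	installer := []byte("constructed installer bytes, not a real binary")
	manifest := BuildManifest("8.9.2", "https://example.invalid/npp.exe", installer)
	sig := ed25519.Sign(priv, manifest)
	fmt.Println(VerifyUpdate(pub, manifest, sig, installer)) // genuine: 8.9.2 <nil>
	// A compromised host can serve a manifest pointing at its own server, but cannot re-sign it.
	redirected := BuildManifest("8.9.2", "https://attacker.invalid/npp.exe", installer)
	fmt.Println(VerifyUpdate(pub, redirected, sig, installer)) // rejected: signature invalid
}
```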
- Change credentials for SSH, FTP/SFTP, and MySQL database.
- Review administrator accounts for your WordPress sites (if you have any), change their passwords, and remove unnecessary users.
- Update the plugins, themes, and core version of your WordPress sites (if you have any), and turn on automatic updates where applicable.
https://www.bleepingcomputer.com/ne...hijacked-by-chinese-state-hackers-for-months/