Notepad++ targeted in sophisticated supply-chain style attack via compromised hosting server

Attackers delivered tainted updates to select victims, exploiting weak update verification controls

Breach lasted from June to December 2025, likely tied to Chinese state-sponsored actors, prompting migration to new hosting and hardened update verification

Notepad++ has confirmed it was the victim of a highly targeted and sophisticated cyberattack, most likely conducted by a Chinese state-sponsored threat actor.

In a security notice published on the project’s website, the company explained that attackers managed to compromise the shared hosting provider’s server and used it to deliver tainted updates to a handful of carefully selected victims.

“We discovered the suspicious events in our logs, which indicate that the server could have been compromised,” the notice said, citing information from the hosting provider. “Based on our logs, we see no other clients hosted on this particular server being targeted. The bad actors specifically searched for [Notepad++] domain with the goal to intercept the traffic to your website, as they might know the then-existing Notepad++ vulnerabilities related to insufficient update verification controls.”

Highly targeted, sophisticated attack

The project’s developer explained that an external investigation also determined that the breach took place in June 2025, with the attackers retaining access until September 2025, when a patch kicked them out.

However, since they retained the credentials, they were able to continue with the attacks until early December 2025, when a password rotation finally stopped the intrusion.

The attacks did not involve Notepad++’s code in any way. Instead, they used server access to deliver tainted patches to carefully picked targets. According to the investigators, the attackers, most likely Chinese state-sponsored ones, engaged in “highly selective” targeting.

“The attackers specifically targeted Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++,” the notice reads. “All remediation and security hardening were completed by the provider by December 2, 2025, successfully blocking further attacker activity.”

It is not known which particular group was behind this attack, nor who it was targeting. However, Notepad++ migrated to a new hosting provider, and the updater itself was updated to v8.8.9 to verify both the certificate and the signature of the downloaded installer. Furthermore, the XML returned by the update server is now signed as well, and the certificate and signature verification will be enforced starting with the upcoming v8.9.2, expected in about one month.
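To illustrate why signing the update XML matters when the hosting server itself is compromised, here is an added sketch of a fail-closed update check; it is not Notepad++'s updater code. The manifest layout, the URLs, the function names and the demo key are all assumptions, and the scheme (RSA PKCS#1 v1.5 over SHA-256 of the raw manifest bytes) was chosen only so the example runs with the Python standard library.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed demo key, NOT a real project key: two known Mersenne primes so the
# example runs offline. Real keys are >= 2048 bits and come from proper tooling;
# only (N, E) would ship in the updater, D stays with the publisher.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _encode(msg: bytes) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg), as an integer."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")

def sign(msg: bytes) -> int:  # publisher side, needs the private exponent
    return pow(_encode(msg), D, N)

def verify(msg: bytes, sig: int) -> bool:  # updater side, public key only
    return 0 <= sig < N and pow(sig, E, N) == _encode(msg)

def accept_update(manifest: bytes, sig: int, installer: bytes) -> bool:
    """Fail closed: parse nothing and run nothing unless both checks pass."""
    if not verify(manifest, sig):
        return False
    expected = ET.fromstring(manifest).findtext("sha256")
    return hashlib.sha256(installer).hexdigest() == expected

def make_manifest(url: str, installer: bytes) -> bytes:
    digest = hashlib.sha256(installer).hexdigest()
    return f"<update><url>{url}</url><sha256>{digest}</sha256></update>".encode()

# Constructed sample data.
GOOD_INSTALLER = b"constructed genuine installer bytes"
SWAPPED_INSTALLER = b"constructed replacement installer bytes"
GOOD_MANIFEST = make_manifest("https://updates.example/setup.exe", GOOD_INSTALLER)
GOOD_SIG = sign(GOOD_MANIFEST)
# What a compromised host could serve: new URL and hash, but no valid signature.
FORGED_MANIFEST = make_manifest("https://other.example/setup.exe", SWAPPED_INSTALLER)

if __name__ == "__main__":
    print(accept_update(GOOD_MANIFEST, GOOD_SIG, GOOD_INSTALLER))
    print(accept_update(FORGED_MANIFEST, GOOD_SIG, SWAPPED_INSTALLER))
    print(accept_update(GOOD_MANIFEST, GOOD_SIG, SWAPPED_INSTALLER))
```

Because the signing key never lives on the hosting server, control of that server alone is not enough to produce a manifest the updater accepts; an updater that skips either check trusts whatever the server returns.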

