Article Details
Scrape Timestamp (UTC): 2026-02-02 08:57:11.637
Source: https://thehackernews.com/2026/02/notepad-official-update-mechanism.html
Original Article Text
Click to Toggle View
Notepad++ Official Update Mechanism Hijacked to Deliver Malware to Select Users. The maintainer of Notepad++ has revealed that state-sponsored attackers hijacked the utility's update mechanism to redirect update traffic to malicious servers instead. "The attack involved [an] infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org," developer Don Ho said. "The compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself." The exact mechanism through which this was realized is currently being investigated, Ho added. The development comes a little over a month after Notepad++ released version 8.8.9 to address an issue that resulted in traffic from WinGUp, the Notepad++ updater, being "occasionally" redirected to malicious domains, resulting in the download of poisoned executables. Specifically, the problem stemmed from the way the updater verified the integrity and authenticity of the downloaded update file, allowing an attacker who is able to intercept network traffic between the updater client and the update server to trick the tool into downloading a different binary instead. It's believed this redirection was highly targeted, with traffic originating from only certain users routed to the rogue servers and fetching the malicious components. The incident is assessed to have commenced in June 2025, more than six months before it came to light. Independent security researcher Kevin Beaumont revealed that the flaw was being exploited by threat actors in China to hijack networks and deceive targets into downloading malware. In response to the security incident, the Notepad++ website has been migrated to a new hosting provider. "According to the former hosting provider, the shared hosting server was compromised until September 2, 2025," Ho explained. "Even after losing server access, attackers maintained credentials to internal services until December 2, 2025, which allowed them to continue redirecting Notepad++ update traffic to malicious servers."
Daily Brief Summary
Notepad++'s update mechanism was compromised by state-sponsored attackers, redirecting update traffic to malicious servers, affecting select users.
The attack exploited infrastructure-level vulnerabilities at the hosting provider, not within Notepad++'s code, allowing interception of update traffic.
The compromise allowed attackers to redirect specific users' update requests to rogue servers, resulting in the download of malicious executables.
The incident began in June 2025 and was discovered over six months later, with Chinese threat actors identified as the perpetrators.
Notepad++ has since migrated its website to a new hosting provider to prevent future attacks and secure update traffic.
Attackers retained access to internal services until December 2025, prolonging their ability to redirect update traffic even after server access was lost.
This incident underscores the critical need for robust update verification processes and secure hosting environments to protect software supply chains.