Notepad++ Update Infrastructure Hijacked in Targeted Supply Chain Attack


February 3, 2026

Executive Summary

In early February 2026, maintainers of Notepad++ confirmed that its update infrastructure had been selectively hijacked as part of a long-running, highly targeted supply-chain attack.


The compromise did not involve vulnerabilities in the Notepad++ application itself. Instead, attackers gained access at the hosting provider infrastructure level, enabling them to intercept and redirect update traffic for a subset of users to attacker-controlled servers.


Independent analysis suggests the activity is consistent with a state-sponsored threat actor, likely of Chinese origin, based on the precision, restraint, and duration of the campaign.


The incident underscores a growing reality in modern cyber operations: software trust chains are now a primary attack surface.

What happened

According to disclosures published alongside the Notepad++ v8.8.9 release, the investigation revealed:


  • Attackers compromised a shared hosting environment used by the Notepad++ update service
  • The compromise allowed selective redirection of update requests
  • Only specific users were targeted, rather than mass distribution
  • Malicious update manifests were served from attacker-controlled infrastructure
  • No vulnerabilities were found in the Notepad++ source code itself


The attack began as early as June 2025 and persisted intermittently until late 2025, with remediation completed in December.

Hosting provider findings

Following a coordinated incident-response effort involving external security experts, the former hosting provider confirmed several critical findings:


1. Infrastructure compromise


  • The shared hosting server was compromised until 2 September 2025
  • Kernel and firmware updates on that date appear to have removed attacker access
  • No evidence of similar activity was found on other hosting servers


2. Credential persistence


  • Despite losing server access, attackers retained internal service credentials until 2 December 2025
  • These credentials enabled continued redirection of traffic to malicious update servers


3. Targeted intent


  • Logs show the attackers explicitly searched for the Notepad++ domain
  • No other tenants on the shared infrastructure were targeted
  • The attackers likely understood weaknesses in older update-verification mechanisms


4. Containment and remediation


By 2 December 2025, the hosting provider had:


  • Fixed the exploited infrastructure vulnerabilities
  • Rotated all compromised credentials
  • Detected and blocked attempted re-exploitation
  • Verified no lateral compromise across other hosting environments

Timeline overview

Period          Activity
June 2025       Initial compromise begins
Sept 2, 2025    Infrastructure access removed
Nov 10, 2025    Security experts estimate attacker activity ceases
Dec 2, 2025     All credentials rotated, final remediation
Feb 2, 2026     Public disclosure and update guidance

Based on combined assessments, the effective compromise window spans June–December 2025.

Why this matters

This incident highlights several critical trends Cybergen observes across modern threat activity:


1. Supply-chain attacks are becoming surgical


The attackers:


  • Avoided mass infection
  • Limited exposure to evade detection
  • Focused on trust relationships rather than exploit development


This behaviour aligns with state-level operational discipline, not opportunistic cybercrime.


2. Infrastructure is now the weak link


Even with secure code:


  • Hosting platforms
  • Update delivery mechanisms
  • Credential hygiene
  • Trust validation


…can all be leveraged to undermine software integrity.


3. Absence of IoCs is not the absence of compromise


Despite analysing ~400GB of server logs, investigators were unable to extract usable Indicators of Compromise, such as:


  • IP addresses
  • Domains
  • Malware hashes


This reinforces a key intelligence reality: advanced actors prioritise stealth over noise.

Remediation and security improvements

Hosting changes


  • The Notepad++ website has been fully migrated to a new hosting provider
  • Stronger infrastructure-level security controls are now in place


Update mechanism hardening


From v8.8.9 onward:

  • WinGup now verifies both certificate and installer signature
  • Update XML responses are cryptographically signed (XMLDSig)


From v8.9.2 (expected imminently):


  • Signature and certificate verification will be strictly enforced
  • Users are advised to manually update to v8.9.1 or later
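As an added illustration of the two checks listed above (not WinGup's code, and using a detached Ed25519 signature over the XML bytes as a simplified stand-in for XMLDSig), this Go program refuses a manifest whose download location was rewritten by a redirected server, and refuses an installer that does not match the hash pinned in the verified manifest. The element names, key pair and sample bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/xml"
	"errors"
	"fmt"
)

// Manifest is a constructed stand-in for the update XML; element names are assumptions, not WinGup's schema.
type Manifest struct {
	Version  string `xml:"Version"`
	Location string `xml:"Location"` // installer URL
	SHA256   string `xml:"SHA256"`   // expected installer hash, hex-encoded
}

// CheckUpdate applies both checks in order: the manifest must carry a valid vendor signature
// before any URL in it is trusted, and the installer fetched from that URL must match the hash
// pinned inside the verified manifest. Either failure aborts the update.
func CheckUpdate(pub ed25519.PublicKey, raw, sig, installer []byte) (*Manifest, error) {
	if !ed25519.Verify(pub, raw, sig) { // detached signature over the raw XML bytes
		return nil, errors.New("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := xml.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	if sum := sha256.Sum256(installer); fmt.Sprintf("%x", sum) != m.SHA256 {
		return nil, errors.New("installer hash mismatch: refusing install")
	}
	return &m, nil
}

// buildManifest renders the XML an update server would return for the given installer bytes.
func buildManifest(location string, installer []byte) []byte {
	return []byte(fmt.Sprintf("<GUP><Version>8.8.9</Version><Location>%s</Location><SHA256>%x</SHA256></GUP>",
		location, sha256.Sum256(installer)))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // vendor key pair, generated for the demo
	installer := []byte("constructed installer bytes")
	raw := buildManifest("https://example.invalid/npp.exe", installer)
	sig := ed25519.Sign(priv, raw)
	_, err := CheckUpdate(pub, raw, sig, installer)
	fmt.Println("genuine manifest:", err)
	// A redirected server rewrites Location; the vendor signature no longer covers those bytes.
	hijacked := buildManifest("https://redirected.invalid/npp.exe", installer)
	_, err = CheckUpdate(pub, hijacked, sig, installer)
	fmt.Println("redirected manifest:", err)
}
```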

Cybergen perspective

This incident is not an anomaly. It reflects a broader shift in how advanced threat actors operate:


  • Exploiting implicit trust
  • Targeting delivery pipelines
  • Bypassing traditional perimeter controls
  • Operating below detection thresholds


For organisations, this reinforces the need to move beyond vulnerability-centric security models and adopt threat-led, intelligence-driven defence that focuses on:


  • Real adversary behaviour
  • Supply-chain exposure
  • Credential abuse
  • Infrastructure trust assumptions

Final note

The Notepad++ maintainer has issued a full apology and taken decisive corrective action. Based on the evidence disclosed, the issue appears fully contained.
