Notepad++ Update Infrastructure Hijacked in Targeted Supply Chain Attack

Executive Summary

In early February 2026, maintainers of Notepad++ confirmed that its update infrastructure had been selectively hijacked as part of a long-running, highly targeted supply-chain attack.

The compromise did not involve vulnerabilities in the Notepad++ application itself. Instead, attackers gained access at the hosting provider infrastructure level, enabling them to intercept and redirect update traffic for a subset of users to attacker-controlled servers.

Independent analysis suggests the activity is consistent with a state-sponsored threat actor, likely of Chinese origin, based on the precision, restraint, and duration of the campaign.

The incident underscores a growing reality in modern cyber operations: software trust chains are now a primary attack surface.

What happened

According to disclosures published alongside the Notepad++ v8.8.9 release, the investigation revealed:

• Attackers compromised a shared hosting environment used by the Notepad++ update service
• The compromise allowed selective redirection of update requests
• Only specific users were targeted, rather than mass distribution
• Malicious update manifests were served from attacker-controlled infrastructure
• No vulnerabilities were found in the Notepad++ source code itself

The attack began as early as June 2025 and persisted intermittently until late 2025, with remediation completed in December.

Hosting provider findings

Following a coordinated incident-response effort involving external security experts, the former hosting provider confirmed several critical findings:

1. Infrastructure compromise

• The shared hosting server was compromised until 2 September 2025
• Kernel and firmware updates on that date appear to have removed attacker access
• No evidence of similar activity was found on other hosting servers

2. Credential persistence

• Despite losing server access, attackers retained internal service credentials until 2 December 2025
• These credentials enabled continued redirection of traffic to malicious update servers

3. Targeted intent

• Logs show the attackers explicitly searched for the Notepad++ domain
• No other tenants on the shared infrastructure were targeted
• The attackers likely understood weaknesses in older update-verification mechanisms

4. Containment and remediation

By 2 December 2025, the hosting provider had:

• Fixed the exploited infrastructure vulnerabilities
• Rotated all compromised credentials
• Attempted re-exploitation was detected and blocked
• Verified no lateral compromise across other hosting environments
  

Timeline overview

Based on combined assessments, the effective compromise window spans June–December 2025.

Why this matters

This incident highlights several critical trends Cybergen observes across modern threat activity:

1. Supply-chain attacks are becoming surgical

The attackers:

• Avoided mass infection
  
• Limited exposure to evade detection
  
• Focused on trust relationships rather than exploit development

This behaviour aligns with state-level operational discipline, not opportunistic cybercrime.

2. Infrastructure is now the weak link

Even with secure code:

• Hosting platforms
  
• Update delivery mechanisms
  
• Credential hygiene
  
• Trust validation

…can all be leveraged to undermine software integrity.

3. Absence of IoCs is not the absence of compromise

Despite analysing ~400GB of server logs, investigators were unable to extract usable Indicators of Compromise, such as:

• IP addresses
  
• Domains
• Malware hashes

This reinforces a key intelligence reality: advanced actors prioritise stealth over noise.

Remediation and security improvements

Hosting changes

• The Notepad++ website has been fully migrated to a new hosting provider
  
• Stronger infrastructure-level security controls are now in place

Update mechanism hardening

From v8.8.9 onward:

• WinGup now verifies both certificate and installer signature
• Update XML responses are cryptographically signed (XMLDSig)

From v8.9.2 (expected imminently):



• Signature and certificate verification will be strictly enforced
  
• Users are advised to manually update to v8.9.1 or later.
  

Cybergen perspective

This incident is not an anomaly. It reflects a broader shift in how advanced threat actors operate:

• Exploiting implicit trust
  
• Targeting delivery pipelines
  
• Bypassing traditional perimeter controls
  
• Operating below detection thresholds

For organisations, this reinforces the need to move beyond vulnerability-centric security models and adopt threat-led, intelligence-driven defence that focuses on:

• Real adversary behaviour
  
• Supply-chain exposure
  
• Credential abuse
  
• Infrastructure trust assumptions
  

Final note

The Notepad++ maintainer has issued a full apology and taken decisive corrective action. Based on the evidence disclosed, the issue appears fully contained.

Ready to strengthen your security posture? Contact us today for more information on protecting your business.