State-Sponsored Hackers Hijack Notepad++ Updates for Months
Paris, Monday, 2 February 2026.
A six-month infrastructure breach allowed Chinese state actors to selectively deliver malicious software updates, targeting specific organizations while remaining undetected by the developers until December.
Anatomy of an Infrastructure Hijack
The developer of the open-source editor, Don Ho, confirmed on Monday that the compromise involved an infrastructure-level breach rather than a flaw in the source code itself [1][8]. The campaign, which began in June 2025, exploited vulnerabilities within the software’s hosting provider to intercept and redirect the automatic update mechanism, known as WinGUp [5][6]. While the initial server compromise was remediated on September 2, 2025, the attackers retained access to internal service credentials, allowing them to continue redirecting traffic until the breach was finally closed on December 2, 2025 [2][5].
Selective Targeting and Espionage
What distinguishes this campaign is its highly selective nature, a hallmark of state-sponsored espionage rather than common cybercriminal activity [1][2]. According to Don Ho, the threat actors did not spray malware indiscriminately; instead, they targeted specific organizations, including entities in the United States that collaborate with the Chinese government, as well as telecommunications and financial firms in East Asia [2][6]. This precision suggests the primary goal was intelligence gathering rather than immediate financial gain.
Closing the Supply Chain Vulnerability
This incident underscores the fragility of the software supply chain, reminiscent of the SolarWinds attack, where trusted update channels are weaponized against users [1]. The attackers were able to redirect traffic because older versions of the software lacked sufficient update verification controls, allowing the substitution of the legitimate installer with a tainted one [6]. Following the discovery, Notepad++ migrated its website to a new hosting provider and rotated all relevant credentials to sever the attackers’ access [5][7].
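To make the missing control concrete, here is an added example (not code from Notepad++ or WinGUp, whose real manifest format and hosts are not described in this article) of the two checks an update client can apply before running a downloaded installer: the URL it actually ended up fetching from must be on a fixed allowlist, so a redirect at the hosting provider is refused, and the installer's SHA-256 must match a value pinned from a source the hosting provider cannot alter, so a substituted installer is refused. The hostnames and installer bytes are constructed for the demonstration.

```python
import hashlib
from urllib.parse import urlparse

# Assumed allowlist of hosts the client may download installers from.
# A hijacked redirect to any other host is rejected before anything is run.
ALLOWED_HOSTS = {"updates.example.invalid"}


def check_update_source(final_url: str) -> bool:
    """Accept only HTTPS URLs whose host is on the allowlist.

    `final_url` is the URL actually served after redirects, not the one
    the client originally requested, so a redirected download is caught.
    """
    parsed = urlparse(final_url)
    return parsed.scheme == "https" and parsed.hostname in ALLOWED_HOSTS


def verify_installer(data: bytes, expected_sha256: str) -> bool:
    """Compare the downloaded installer's SHA-256 with the pinned value."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


def should_install(manifest: dict, final_url: str, installer: bytes):
    """Return (allowed, reason). Every failure names the check that failed."""
    if not check_update_source(final_url):
        return False, "download host not on allowlist"
    if not verify_installer(installer, manifest["sha256"]):
        return False, "installer hash does not match pinned value"
    return True, "ok"


# Constructed sample data: the expected installer and a tainted substitute.
# In a real client the pinned hash must come from a channel the hosting
# provider cannot modify (for example a manifest signed with a maintainer
# key kept off the web host); here it is simply embedded for the demo.
LEGIT_INSTALLER = b"constructed-installer-bytes-legit"
TAINTED_INSTALLER = b"constructed-installer-bytes-tainted"
MANIFEST = {
    "version": "x.y.z",
    "url": "https://updates.example.invalid/installer.exe",
    "sha256": hashlib.sha256(LEGIT_INSTALLER).hexdigest(),
}

if __name__ == "__main__":
    print(should_install(MANIFEST, MANIFEST["url"], LEGIT_INSTALLER))
    print(should_install(MANIFEST, "https://attacker.invalid/x.exe", LEGIT_INSTALLER))
    print(should_install(MANIFEST, MANIFEST["url"], TAINTED_INSTALLER))
```

Only the third case corresponds to an attacker who already controls the legitimate host; that is why the pinned hash has to be delivered or signed independently of the hosting provider rather than fetched from the same server as the installer.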
Sources
- techcrunch.com
- www.securityweek.com
- thehackernews.com
- notepad-plus-plus.org
- www.pcmag.com
- www.bleepingcomputer.com
- therecord.media