news

Notepad++ Update System Hijacked by Chinese Hackers; Developers Urged to Secure Software.

· Livio Andrea Acerbo

Notepad++ Update System Hijacked by Chinese Hackers; Developers Urged to Secure Software.

Notepad++ Update Hijacked by Chinese State Hackers for Months: What Developers Need to Know

Popular Windows text editor Notepad++ has confirmed that its software update mechanism was compromised by suspected Chinese state-sponsored hackers from June to December 2025, exposing targeted users to malicious updates.[1][2][3][5] The breach, announced by developer Don Ho on February 2, 2026, involved intercepting update traffic and redirecting select users to attacker-controlled servers serving tampered files.[1][3][4]

How the Attack Unfolded

Attackers exploited vulnerabilities in Notepad++’s WinGUP updater, which prior to version 8.8.8 (mid-November 2025) allowed downloads from unhardened sources beyond GitHub.[3][4] They compromised the project’s shared hosting server, gaining access as early as June 2025, according to logs from the hosting provider.[1][3] Even after the server was secured on September 2, 2025, via kernel and firmware updates, hackers retained credentials for internal services until December 2, enabling continued traffic redirection.[3][4]

The method was sophisticated: attackers sat within the ISP chain to selectively intercept rare requests to notepad-plus-plus.org, redirecting them to malicious servers with fake update manifests.[1][3] Security researcher Kevin Beaumont first flagged suspicious activity in early December 2025, linking Notepad++ processes to breaches at three East Asia-focused organizations in telecom and finance.[3][4] He attributed it to Chinese actors like Zirconium (Violet Typhoon), noting hands-on-keyboard reconnaissance starting two months prior.[3]

Notepad++’s official post estimates the compromise spanned June through December 2, 2025, ending definitively after credential revocation on November 10.[4][5] Independent experts confirmed the state-sponsored nature, citing narrow targeting that aligns with Chinese cyber operations.[1][2][4]

Why Notepad++ Was a Prime Target

Notepad++ powers countless Windows dev environments, servers, and sysadmin workflows due to its feature-rich edge over stock Notepad.[1] Its ubiquity made it ideal for supply chain attacks, where tampering one tool infects many systems.[3][6] Victims showed “targeted” activity, sparing broad user bases while hitting high-value East Asian entities—likely due to geopolitical interests.[1][3][4]

This fits a pattern of Chinese-linked espionage: CISA recently warned of long-term intrusions into US critical networks, and similar groups have spied on UK officials.[4] Hosting provider statements reveal attackers specifically hunted notepad-plus-plus.org, aware of updater flaws like missing integrity checks pre-version 8.8.9.[3]

Notepad++’s Response and Fixes

Developer Don Ho acted swiftly post-discovery. Key patches include:
Version 8.8.8: Restricted updates to GitHub only.[3]
Version 8.8.9: Added file integrity and authenticity validation.[3]

The project now uses stronger signature checks, slamming the door on redirections.[2][4] Ho credited external researchers and the host for investigations, emphasizing the attack’s end.[5] Beaumont praised the handling on Mastodon, calling it a “great job.”[4]

Steps for Users and Enterprises

Most users likely escaped unscathed due to selective targeting, but vigilance is essential—especially for IT pros.[1][3] Check these indicators:
gup.exe network requests to domains other than notepad-plus-plus.org, github.com, or release-assets.githubusercontent.com.[3]
– Unexpected processes from installers.[3]
– Suspicious files like update.exe or AutoUpdater.exe in user TEMP folders.[3]

Verify your Notepad++ version is legitimate and updated. Enterprises packaging Notepad++ should block unauthorized updates.[3] Scan for malware mimicking the tool, common in wild.[3]

Check Action Why It Matters
Updater Domains Monitor gup.exe traffic Detects redirections to attacker servers[3]
Spawned Processes Review installer logs Flags malicious payloads[3]
TEMP Files Hunt update.exe/AutoUpdater.exe Evidence of tampered installs[3]
Version Integrity Confirm via GitHub Ensures no fakes[3][6]

Broader Implications for Supply Chain Security

This incident underscores supply chain risks in open-source tools: even niche flaws can enable nation-state ops.[2][6] Shared hosting amplified exposure, as one server’s breach hijacked trusted updates.[3] It echoes SolarWinds-scale tactics but hyper-targeted.[4]

Developers should prioritize:
– Hardened updaters with pinned domains and signatures.
– Zero-trust verification.
– Incident transparency, as Notepad++ exemplified.[5]

As Chinese actors evolve—exploiting QR phishing or Cisco training—tools like Notepad++ highlight defensive urgency.[4] Stay patched, monitor anomalies, and follow outlets like BleepingComputer for developments.[1]

(Word count: 812)


Original source: TechCrunch – Notepad++ says Chinese government hackers hijacked its software updates for months

Comments are closed.

Search

Press Enter to search · Esc to close