Notepad++ Update System Hijacked by Chinese Hackers; Developers Urged to Secure Software.
Notepad++ Update Hijacked by Chinese State Hackers for Months: What Developers Need to Know
Popular Windows text editor Notepad++ has confirmed that its software update mechanism was compromised by suspected Chinese state-sponsored hackers from June to December 2025, exposing targeted users to malicious updates.[1][2][3][5] The breach, announced by developer Don Ho on February 2, 2026, involved intercepting update traffic and redirecting select users to attacker-controlled servers serving tampered files.[1][3][4]
How the Attack Unfolded
Attackers exploited vulnerabilities in Notepad++’s WinGUP updater, which prior to version 8.8.8 (mid-November 2025) allowed downloads from unhardened sources beyond GitHub.[3][4] They compromised the project’s shared hosting server, gaining access as early as June 2025, according to logs from the hosting provider.[1][3] Even after the server was secured on September 2, 2025, via kernel and firmware updates, hackers retained credentials for internal services until December 2, enabling continued traffic redirection.[3][4]
The method was sophisticated: attackers sat within the ISP chain to selectively intercept rare requests to notepad-plus-plus.org, redirecting them to malicious servers with fake update manifests.[1][3] Security researcher Kevin Beaumont first flagged suspicious activity in early December 2025, linking Notepad++ processes to breaches at three East Asia-focused organizations in telecom and finance.[3][4] He attributed it to Chinese actors like Zirconium (Violet Typhoon), noting hands-on-keyboard reconnaissance starting two months prior.[3]
Notepad++’s official post estimates the compromise spanned June through December 2, 2025, ending definitively after credential revocation on November 10.[4][5] Independent experts confirmed the state-sponsored nature, citing narrow targeting that aligns with Chinese cyber operations.[1][2][4]
Why Notepad++ Was a Prime Target
Notepad++ powers countless Windows dev environments, servers, and sysadmin workflows due to its feature-rich edge over stock Notepad.[1] Its ubiquity made it ideal for supply chain attacks, where tampering one tool infects many systems.[3][6] Victims showed “targeted” activity, sparing broad user bases while hitting high-value East Asian entities—likely due to geopolitical interests.[1][3][4]
This fits a pattern of Chinese-linked espionage: CISA recently warned of long-term intrusions into US critical networks, and similar groups have spied on UK officials.[4] Hosting provider statements reveal attackers specifically hunted notepad-plus-plus.org, aware of updater flaws like missing integrity checks pre-version 8.8.9.[3]
Notepad++’s Response and Fixes
Developer Don Ho acted swiftly post-discovery. Key patches include:
– Version 8.8.8: Restricted updates to GitHub only.[3]
– Version 8.8.9: Added file integrity and authenticity validation.[3]
The project now uses stronger signature checks, slamming the door on redirections.[2][4] Ho credited external researchers and the host for investigations, emphasizing the attack’s end.[5] Beaumont praised the handling on Mastodon, calling it a “great job.”[4]
Steps for Users and Enterprises
Most users likely escaped unscathed due to selective targeting, but vigilance is essential—especially for IT pros.[1][3] Check these indicators:
– gup.exe network requests to domains other than notepad-plus-plus.org, github.com, or release-assets.githubusercontent.com.[3]
– Unexpected processes from installers.[3]
– Suspicious files like update.exe or AutoUpdater.exe in user TEMP folders.[3]
Verify your Notepad++ version is legitimate and updated. Enterprises packaging Notepad++ should block unauthorized updates.[3] Scan for malware mimicking the tool, common in wild.[3]
| Check | Action | Why It Matters |
|---|---|---|
| Updater Domains | Monitor gup.exe traffic | Detects redirections to attacker servers[3] |
| Spawned Processes | Review installer logs | Flags malicious payloads[3] |
| TEMP Files | Hunt update.exe/AutoUpdater.exe | Evidence of tampered installs[3] |
| Version Integrity | Confirm via GitHub | Ensures no fakes[3][6] |
Broader Implications for Supply Chain Security
This incident underscores supply chain risks in open-source tools: even niche flaws can enable nation-state ops.[2][6] Shared hosting amplified exposure, as one server’s breach hijacked trusted updates.[3] It echoes SolarWinds-scale tactics but hyper-targeted.[4]
Developers should prioritize:
– Hardened updaters with pinned domains and signatures.
– Zero-trust verification.
– Incident transparency, as Notepad++ exemplified.[5]
As Chinese actors evolve—exploiting QR phishing or Cisco training—tools like Notepad++ highlight defensive urgency.[4] Stay patched, monitor anomalies, and follow outlets like BleepingComputer for developments.[1]
(Word count: 812)
Original source: TechCrunch – Notepad++ says Chinese government hackers hijacked its software updates for months