🛡️Satisfaction guaranteed

Deepthix
← Back to blog
techFebruary 2, 2026

Notepad++ Hijacked: The Supply-Chain Attack Hiding in Updates

Between June and Dec 2025, state-linked actors hijacked Notepad++ update traffic. No app-code bug—an infrastructure-level supply-chain hit. Here’s what to change in your ops, now.

What happened (and why it matters) Notepad++ is the “simple” tool everyone installs without thinking. That’s exactly why it’s a great target.

On Feb 2, 2026, Notepad++ published an incident update confirming that attackers hijacked the update path for some users—not by exploiting a bug in Notepad++ itself, but via an infrastructure-level compromise at a shared hosting provider. Source: the official Notepad++ incident update page.

The key detail: malicious actors were able to intercept and redirect update traffic intended for notepad-plus-plus.org, selectively serving malicious update manifests from attacker-controlled infrastructure.

This is a modern supply-chain attack: you don’t get popped because you downloaded a sketchy EXE—you get popped because a trusted app offers an “update” that no longer comes from the real source.

Timeline, in plain English From the official Notepad++ write-up and the hosting provider’s statement quoted there:

  • Incident start: June 2025.
  • Component involved: getDownloadUrl.php, used by the update module (WinGUp) to retrieve the download URL.
  • Root cause: shared-hosting server compromise enabling traffic manipulation.
  • The server appears to have been compromised until Sept 2, 2025, when scheduled maintenance (kernel + firmware updates) occurred; after that, logs didn’t show the same patterns—suggesting attackers lost direct access.
  • However, attackers may have retained credentials to internal services on that server until Dec 2, 2025, which could still enable redirection of some traffic to attacker servers.
  • Dec 9, 2025: Notepad++ v8.8.9 shipped with stronger update verification (as summarized by security coverage such as CybersecurityNews).

Net: roughly a 6-month exposure window (June → December 2025), with a “direct access” phase and a “residual access via credentials” phase.

“State-sponsored” isn’t just a scary label Independent researchers assessed the threat actor is likely linked to a Chinese state-sponsored group, partly because the campaign was highly selective—targeting certain users rather than going broad. (This selective targeting is highlighted in public security coverage, including CybersecurityNews.)

That pattern looks like espionage (stealth, persistence, careful victim selection) more than smash-and-grab cybercrime.

Business translation: “we’re too small to be targeted” is sometimes true—until you’re in someone else’s supply chain, or you operate in a sector/region that’s strategically interesting.

The painful truth: it wasn’t a Notepad++ code bug This matters because many teams respond the wrong way: they patch the app and ignore the system.

The official statement is clear: the compromise happened at the hosting provider level, not via a vulnerability in Notepad++ source code.

Lesson #1: your security is only as strong as your most “ops” dependency—hosting, DNS, build pipelines, distribution, update scripts, CDNs, and credential hygiene.

Open source isn’t “less secure.” It’s just more transparent. Similar incidents happen to closed vendors too—you just may never hear about them.

How the attack works: the “update manifest” angle The described technique: targeted users were redirected to attacker-controlled update manifests. If you control the manifest (or the URL it returns), you effectively control what the client downloads.

Public analysis suggests versions prior to 8.8.9 didn’t enforce strict enough signature/certificate validation in the update flow, making interception far more dangerous. (CybersecurityNews summary.)

  • HTTPS alone is not enough if the attacker can manipulate infrastructure or internal services.
  • Real defense is end-to-end cryptographic verification: even if content is served from a “legit” domain, the client must reject anything not properly signed.

Real-world impact: who got hit? According to reporting summarized in recent security feeds, at least three organizations (telecom and finance in East Asia) confirmed incidents tied to Notepad++’s update mechanism being abused. (BeyondMachines, as referenced in the provided web results.)

  • selective attacks leave fewer artifacts,
  • many orgs never disclose,
  • unmanaged endpoints (personal laptops, forgotten VMs) are visibility black holes.

If your company uses Notepad++: what to do now Practical mode.

1) Update—but do it cleanly - Upgrade to at least v8.8.9 (ideally the latest stable). Update-flow hardening matters. - If you manage a fleet: avoid user-driven “click to update.” Centralize via Intune/SCCM/Chocolatey/Winget policies.

2) Disable auto-update where you don’t control the path For sensitive endpoints: - disable auto-update, - deploy from an internal repository, - keep a predictable patch cadence.

Less convenient, more controllable.

3) Verify signatures (and automate it) Concretely: - ensure Notepad++ binaries are digitally signed and the certificate chain is valid, - hash + allowlist approved versions.

  • a PowerShell script checks signature + hash,
  • a scheduled job reports drift to your SIEM.

4) Watch outbound traffic for weirdness Update hijacks often show up as: - outbound connections to unknown domains, - executable downloads from non-standard URLs, - new binaries executed from %TEMP%.

No EDR? Start small: Windows logs + Sysmon + a few simple detection rules.

If you maintain software: an anti-hijack checklist Notepad++ won’t be the last project targeted. If you ship software (open source or not), here’s the no-BS list.

1) Don’t run critical update components on shared hosting The official incident points to shared hosting risk.

  • you share resources,
  • you inherit third-party security posture,
  • one compromise can affect multiple tenants.
  • separate marketing site from update infrastructure,
  • isolate update services on dedicated infra,
  • enforce least privilege everywhere.

2) Mandatory signing + client-side pinning Your updater should reject: - unsigned manifests, - unsigned binaries, - “valid” signatures from unexpected issuers (depending on your trust model).

3) Make builds traceable and auditable - reproducible builds when possible, - SBOMs, - provenance/attestations (SLSA, Sigstore)—not as checkbox theater, but to raise attacker cost.

4) Have incident response ready before the incident Notepad++ coordinated with external experts and facilitated direct comms with the hosting provider—good.

  • a public security contact,
  • a process to rotate keys/certs fast,
  • a kill switch to disable updates quickly.

The founder lesson: your real risk isn’t “AI”—it’s sloppy ops People sell fear: “AI will hack your business.” Reality: most incidents are boring and operational: - dependencies, - updates, - shared access, - lingering credentials, - no monitoring.

  • automatic software inventory + vulnerable-version alerts,
  • an internal app distribution pipeline,
  • automated signature/hash verification before deployment,
  • IR playbooks (disable updates, rotate secrets, block DNS).

You save time, reduce risk, and stop paying overpriced “process” theater.

Sources - Notepad++ — “Hijacked by State-Sponsored Hackers” (Feb 2, 2026): https://notepad-plus-plus.org/news/hijacked-incident-info-update/ - Notepad++ — v8.8.9 release (referenced by the incident post): https://notepad-plus-plus.org/news/v889-released/ - Security coverage summary: CybersecurityNews (Feb 2, 2026): https://cybersecuritynews.com/notepad-hijacked/

---

Want to automate your operations with AI? Book a 15-min call to discuss.

Notepad++supply chain attackWinGUpupdate hijackingcybersecurity

Want to automate your operations?

Let's discuss your project in 15 minutes.

Book a call