Home About Courses Live Batches Private Sessions Labs Cyber Bulletin Verify Contact

Login

Advisory on Notepad++ Update Servers Hijacked to Redirect Users to Malicious Servers

Published on: February 2, 2026

Share:
Advisory on Notepad++ Update Servers Hijacked to Redirect Users to Malicious Servers

Overview

Notepad++ disclosed a targeted supply?chain compromise involving its software update infrastructure. Forensic analysis conducted by independent security experts and the former hosting provider confirmed that the incident resulted from an infrastructure?level hijacking, rather than a vulnerability in the Notepad++ application codebase.

Between June 2025 and December 2025, malicious actors gained access to the shared hosting environment used by Notepad++ and leveraged this position to intercept and selectively redirect update traffic destined for notepad-plus-plus.org. The campaign was highly selective, impacting only targeted users rather than the broader user base.

Who It Impacts
This incident impacts:

  • Organizations and individuals using Notepad++ versions prior to 8.8.9
  • Systems that relied on the WinGUp automatic update mechanism
  • Targeted environments in sectors such as:
    • Government
    • Telecommunications
    • Financial services
    • Software development and IT operations

The targeting methodology suggests intentional victim selection, consistent with advanced threat activity, rather than indiscriminate malware distribution.

How It Impacts
Infrastructure?Level Hijacking

According to the forensic analysis conducted by independent security experts and the former hosting provider, the compromise occurred at the infrastructure level, rather than through a vulnerability in the Notepad++ codebase itself. The attackers gained access to the shared hosting server, which allowed them to intercept update requests destined for notepad-plus-plus.org.

The attack specifically targeted the getDownloadUrl.php script used by the Notepad++ updater (WinGUp). By controlling this endpoint, threat actors were able to selectively redirect specific users to attacker?controlled servers hosting malicious binaries. These malicious payloads were served in place of legitimate updates, exploiting the fact that older versions of WinGUp did not strictly enforce digital certificate and signature validation for downloaded installers.

Multiple independent security researchers have assessed that this campaign was likely conducted by a Chinese state?sponsored threat actor, based on the high degree of selectivity, operational discipline, and persistence observed during the attack.

Timeline of Compromise

DateEvent Description
Jun-25Initial Compromise: Attackers gained access to the shared hosting server.
2-Sep-25Server Access Lost: Scheduled kernel/firmware maintenance severed direct attacker access.
Sept 2 – Dec 2, 2025Credential Persistence: Attackers retained stolen internal service credentials, allowing continued traffic redirection.
10-Nov-25Attack Ceased (Estimated): Security experts observed a halt in active malicious redirection.
2-Dec-25Access Terminated: Hosting provider rotated all credentials and completed security hardening.
9-Dec-25Mitigation Released: Notepad++ v8.8.9 published with hardened update verification.

The hosting provider confirmed that no other clients on the shared infrastructure were targeted; the attackers specifically focused on the Notepad++ domain. Following the incident, the Notepad++ project migrated to a new hosting provider with enhanced security controls.

Targeted Products

  • Notepad++ for Windows
    • Versions earlier than 8.8.9
  • WinGUp (Notepad++ Update Mechanism)
    • Versions lacking enforced certificate and signature validation

Manual downloads from the official website were not affected, as the compromise targeted the update delivery mechanism only.

Recommendations

Immediate Actions

 

  • Upgrade immediately to Notepad++ version 8.8.9 or later
  • Prefer version 8.9.1 or newer where available
  • Review systems that updated Notepad++ between June and December 2025

Enterprise Security Controls

 

  • Disable or restrict automatic updates via WinGUp in managed environments
  • Monitor outbound traffic from:
    • notepad++.exe
    • gup.exe
  • Investigate systems for:
    • Unknown persistence mechanisms
    • Unexpected installer execution from %TEMP%
    • Signs of command?and?control traffic

Long?Term Mitigation

To prevent similar hijacking attempts, Notepad++ version 8.8.9 introduced strict update validation within WinGUp, requiring:

  • A valid digital signature
  • A matching and trusted certificate

If either verification fails, the update process is automatically aborted, significantly reducing the risk of update?based supply?chain attacks.

References

 


 

← Back to all bulletins