Notepad++ Users Targeted as Hackers Weaponise Software Update Channel

Attackers Weaponized the Notepad++ Updater to Quietly Target Selected Users, Evading Detection for Months

Written By : Soham Halder
Reviewed By : Sanchari Bhaduri

A new cybersecurity report has revealed that hackers exploited the Notepad++ updater to conduct a months-long targeted cyberattack against select users, raising fresh concerns over software supply-chain security. The developer of Notepad++ has confirmed that the operation was carried out by a Chinese state-sponsored threat group.

Notepad++ Cyberattack

According to TechCrunch, attackers intercepted and selectively redirected update requests, steering certain users towards malicious servers and delivering tampered update information. The breach is believed to have begun in June 2025 and continued until early December.

The attack was reportedly focused on specific victims. Security experts assisting the investigation said that the highly selective redirections affected only chosen systems rather than the wider Notepad++ user base.

The perpetrators are said to have exploited weaknesses in older versions of Notepad++’s WinGUp update tool, which lacked sufficient verification checks for update files.

Probable Mechanism of Attack

Developer Don Ho said the “exact technical mechanism” by which the hackers broke into his servers remains under investigation. In the blog, Ho noted that Notepad++’s website was hosted on a shared hosting server. The attackers “specifically targeted” Notepad++’s web domain to exploit a bug in the software and redirect some users to a malicious server run by the hackers. 

This allowed them to deliver malicious updates to certain users who had requested a software update until the bug was fixed in November, and the hackers’ access was terminated in early December.

“We do have logs indicating that the bad actor tried to re-exploit one of the fixed vulnerabilities; however, the attempt did not succeed after the fix was implemented,” Ho wrote. According to security researcher Kevin Beaumont, who first discovered the cyberattack in December, the hackers compromised a small number of organizations “with interests in East Asia” after someone unwittingly used a tainted version of the popular software. 

Beaumont said that the hackers were able to gain “hands-on” access to the computers of victims who were running hijacked versions of Notepad++.

Steps from Notepad++

Notepad++ has migrated its infrastructure to a new hosting provider. The team has also rotated potentially exposed credentials, patched vulnerabilities, and reviewed logs to confirm that the malicious activity has ceased.

The project previously released version 8.8.9 in December to address issues in the WinGUp updater. Since that release, installer certificates and signatures are verified, and the update XML files are cryptographically signed.
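The two points above, that older WinGUp builds lacked sufficient verification of update files and that the update XML is now signed and installer signatures checked, come down to a small amount of verification logic in the updater. The following Go program is an added illustration of that logic and is not Notepad++'s or WinGUp's own code: it assumes a detached Ed25519 signature over the raw manifest bytes, a hypothetical manifest schema (GUP/Version/Location/SHA256), a constructed stand-in for the installer, and placeholder hostnames. It verifies the manifest signature before parsing, pins the installer to the hash carried in the signed manifest, and shows that a manifest rewritten to point at another server is rejected.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
)

// UpdateManifest is a hypothetical update descriptor, loosely modelled on the
// kind of XML an updater fetches from the project's server. The element names
// are assumptions for this example, not WinGUp's real schema.
type UpdateManifest struct {
	XMLName  xml.Name `xml:"GUP"`
	Version  string   `xml:"Version"`
	Location string   `xml:"Location"`
	SHA256   string   `xml:"SHA256"`
}

// VerifyManifest checks the detached Ed25519 signature over the raw manifest
// bytes before parsing them, so untrusted XML never reaches the parser unless
// it was produced by the holder of the project's signing key.
func VerifyManifest(pub ed25519.PublicKey, raw, sig []byte) (*UpdateManifest, error) {
	if !ed25519.Verify(pub, raw, sig) {
		return nil, errors.New("manifest signature invalid: refusing update")
	}
	var m UpdateManifest
	if err := xml.Unmarshal(raw, &m); err != nil {
		return nil, fmt.Errorf("manifest parse error: %w", err)
	}
	if m.Location == "" || m.SHA256 == "" {
		return nil, errors.New("manifest missing download location or hash")
	}
	return &m, nil
}

// VerifyInstaller binds the downloaded installer bytes to the hash pinned in
// the signed manifest, so a redirected download cannot substitute a different
// file even if the transport was hijacked.
func VerifyInstaller(m *UpdateManifest, installer []byte) error {
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("installer hash mismatch: refusing to run")
	}
	return nil
}

// Demo signs a manifest for a constructed installer, verifies it, then shows
// that the same manifest rewritten to point at another host fails verification.
// It returns (genuine update accepted, tampered manifest rejected, error).
func Demo() (bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	// Constructed stand-in for an installer; not a real binary.
	installer := []byte("constructed installer bytes, not a real binary")
	sum := sha256.Sum256(installer)
	manifest := []byte(fmt.Sprintf(
		`<GUP><Version>8.8.9</Version><Location>https://updates.example.invalid/npp.exe</Location><SHA256>%s</SHA256></GUP>`,
		hex.EncodeToString(sum[:])))
	sig := ed25519.Sign(priv, manifest)

	m, err := VerifyManifest(pub, manifest, sig)
	if err != nil {
		return false, false, err
	}
	genuineOK := VerifyInstaller(m, installer) == nil

	// An attacker in the update path rewrites the download location; the
	// original signature no longer covers these bytes, so verification fails.
	tampered := bytes.Replace(manifest, []byte("updates.example.invalid"), []byte("attacker.example.invalid"), 1)
	_, err = VerifyManifest(pub, tampered, sig)
	tamperedRejected := err != nil

	return genuineOK, tamperedRejected, nil
}

func main() {
	genuine, rejected, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("genuine update accepted: %v, tampered manifest rejected: %v\n", genuine, rejected)
}
```

The order matters: the signature is checked over the exact bytes received, before any XML parsing, and the installer hash is taken from the signed manifest rather than from a separate unsigned download. An updater that parses first, or that trusts a hash served alongside the installer, can still be redirected by whoever controls the update path.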

Preventive Measures

Ho urged users to download the most recent version of his software, which contains a fix for the bug. Frequent users should strengthen their security posture by changing SSH, FTP/SFTP, and MySQL credentials, reviewing WordPress administrator accounts, removing unnecessary users, and allowing automatic updates for core software, plugins, and themes.

Previous Attack on Notepad++ Users

In 2019-2020, hackers targeted Notepad++, affecting customers of SolarWinds, a software company that makes IT and network management tools for large Fortune 500 organizations. Russian government spies broke into the company’s servers and secretly planted a backdoor in its software, which allowed them to access data on customers’ networks once the update had rolled out.

The SolarWinds breach affected several government agencies, such as Homeland Security and the Departments of Commerce, Energy, Justice, and State.

Closing Note

Notepad++ is one of the longest-running open source projects, spanning more than two decades. It has counted at least tens of millions of downloads to date, including by employees at organizations around the world.  

These recent cyberattacks underscore a growing and deeply concerning trend in which trusted software channels are weaponized to bypass traditional security defences. The incident highlights the broader risks that software supply chains pose for widely used developer tools.

For users and organizations alike, it serves as a reminder to prioritize verifying updates, monitoring endpoints, and conducting timely security audits. As attackers grow more sophisticated, strengthening trust mechanisms around software updates will be critical to preventing similar attacks in the future.
