
State-Sponsored Hackers Hijacked Notepad++ Updates

Summary

– Suspected Chinese state-sponsored attackers compromised Notepad++’s update mechanism by hijacking its shared hosting server and redirecting update traffic.
– The attackers exploited security weaknesses in the Notepad++ updater (WinGUP), which before version 8.8.8 allowed the update source to be changed and before 8.8.9 did not validate update file integrity.
– The highly targeted attack primarily affected telecommunications and financial services organizations in East Asia, with initial access traced to compromised Notepad++ processes.
– The hosting server was compromised from June 2025 until September 2, 2025, but attackers maintained credentials to potentially redirect traffic until December 2, 2025.
– In response, the Notepad++ website was migrated, the updater now verifies certificates and signatures, and organizations are advised to monitor for suspicious network activity and processes.

A sophisticated supply chain attack targeting the popular text editor Notepad++ has been linked to a suspected Chinese state-sponsored hacking group. The attackers compromised the software’s update mechanism by hijacking its shared hosting server, allowing them to intercept and redirect traffic to deliver malicious updates. Notepad++ maintainer Don Ho confirmed the incident, revealing that the attackers exploited vulnerabilities in the software’s update infrastructure over several months.

The attack timeline suggests the compromise began in June 2025. Security researcher Kevin Beaumont initially reported in early December that he knew of three organizations, with interests in East Asia, that experienced security incidents traced back to Notepad++ processes. These incidents provided the attackers with initial access to computers. Beaumont noted the activity was highly targeted, with victims reporting hands-on-keyboard reconnaissance starting roughly two months prior.

The attackers leveraged security weaknesses in the Notepad++ updater, known as WinGUP. Before version 8.8.8, released in mid-November 2025, the updater’s code was not sufficiently hardened, making it possible to change the source from which updates were downloaded. Additionally, before version 8.8.9, the updater did not validate the integrity or authenticity of downloaded files. This allowed the threat actors to intercept network traffic between the updater client and the Notepad++ update servers, substituting a legitimate update with a malicious one.

Beaumont explained that because traffic to the official Notepad++ domain is relatively rare, it was feasible for a well-resourced actor to sit inside an internet service provider’s chain and redirect it. “To do this at any kind of scale requires a lot of resources,” he noted. The targeted organizations were identified as telecommunications and financial services firms in East Asia. Beaumont attributed the attacks to the Chinese nation-state threat actor known as Zirconium or Violet Typhoon.

According to the software’s hosting provider, the shared server remained compromised until September 2, 2025, when the attackers lost access following kernel and firmware updates. However, the provider warned that the attackers maintained credentials for internal services on that server until December 2. This persistence could have allowed them to continue redirecting traffic from a specific script on the Notepad++ website to their own servers, returning URLs for compromised updates.

The hosting provider stated the attackers specifically searched for the Notepad++ domain, likely aware of the then-existing vulnerabilities related to insufficient update verification controls. The provider has since fixed the vulnerabilities in the shared hosting server and noted that the threat actors attempted, and failed, to re-exploit one of these fixed flaws, suggesting it was their initial point of entry.

In response to the incident, Don Ho outlined several corrective measures. The Notepad++ website has been migrated to a new hosting provider. The WinGUP updater has been enhanced to verify both the certificate and the digital signature of the downloaded installer. Furthermore, the XML file containing the update download URL is now signed, with certificate and signature verification set to be enforced starting with the upcoming version 8.9.2.

While Notepad++ is widely used by IT and development staff globally, this attack appears to have been narrowly focused on specific targets. Beaumont advised organizations not to overreact but to conduct checks for indicators of compromise. These include monitoring the `gup.exe` process for network requests to domains other than the official Notepad++ and GitHub sources, watching for unexpected processes spawned by the installer, and checking for specific files like `update.exe` or `AutoUpdater.exe` in the user’s TEMP folder.

Given that other malicious actors often distribute malware disguised as Notepad++, it is also prudent to verify that installed versions are legitimate. For large enterprises that manage software deployment, Beaumont suggested considering blocking the official Notepad++ domain or preventing the `gup.exe` process from accessing the internet. Blocking internet access from the main `notepad++.exe` process may also be advisable unless robust monitoring is in place for third-party extensions.
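The three checks Beaumont lists (non-official destinations for `gup.exe`, unexpected installer child processes, and `update.exe`/`AutoUpdater.exe` in TEMP) can be turned into a small triage script. The example below is added here and is not code from the article or from the Notepad++ project; it assumes Sysmon-style process and network event fields, an allowlist of official hosts (`notepad-plus-plus.org` and GitHub, extend as needed), and the `npp.<version>.Installer*.exe` installer naming pattern, and it runs on constructed sample telemetry.

```python
import ntpath   # handles Windows paths on any OS
import os
import re

# Assumed allowlist of official update/download hosts; adjust for your environment.
OFFICIAL_HOSTS = ("notepad-plus-plus.org", "github.com", "objects.githubusercontent.com")
UPDATER = "gup.exe"
# Assumed installer file-name pattern, e.g. npp.8.8.9.Installer.x64.exe
INSTALLER_RE = re.compile(r"^npp\..*installer.*\.exe$", re.IGNORECASE)
EXPECTED_INSTALLER_CHILDREN = {"notepad++.exe"}   # assumed: installer may launch the editor
SUSPICIOUS_TEMP_FILES = {"update.exe", "autoupdater.exe"}

def host_is_official(host):
    """True only for an allowlisted host or one of its subdomains (no suffix tricks)."""
    h = host.lower().rstrip(".")
    return any(h == o or h.endswith("." + o) for o in OFFICIAL_HOSTS)

def check_network(events):
    """events: dicts with 'image' and 'dest_host' (Sysmon event 3 style)."""
    return [f"{UPDATER} -> {e['dest_host']}" for e in events
            if ntpath.basename(e["image"]).lower() == UPDATER
            and not host_is_official(e["dest_host"])]

def check_children(events):
    """events: dicts with 'parent_image' and 'image' (Sysmon event 1 style)."""
    hits = []
    for e in events:
        parent = ntpath.basename(e["parent_image"])
        child = ntpath.basename(e["image"]).lower()
        if INSTALLER_RE.match(parent) and child not in EXPECTED_INSTALLER_CHILDREN:
            hits.append(f"{parent} spawned {child}")
    return hits

def check_temp(filenames):
    """Flag the dropped-file names named in the article among a TEMP listing."""
    return sorted({f for f in filenames if f.lower() in SUSPICIOUS_TEMP_FILES})

def scan_temp_dir(path=None):
    """On a real host: list the user's TEMP folder and run check_temp over it."""
    path = path or os.environ.get("TEMP", "/tmp")
    return check_temp(os.listdir(path)) if os.path.isdir(path) else []

# Constructed sample telemetry, not real logs.
SAMPLE_NETWORK = [
    {"image": r"C:\Program Files\Notepad++\updater\gup.exe", "dest_host": "notepad-plus-plus.org"},
    {"image": r"C:\Program Files\Notepad++\updater\gup.exe", "dest_host": "update-mirror.example"},
]
SAMPLE_PROCESSES = [
    {"parent_image": r"C:\Users\u\Downloads\npp.8.8.9.Installer.x64.exe", "image": r"C:\Program Files\Notepad++\notepad++.exe"},
    {"parent_image": r"C:\Users\u\Downloads\npp.8.8.9.Installer.x64.exe", "image": r"C:\Windows\System32\cmd.exe"},
]
SAMPLE_TEMP = ["npp-log.txt", "AutoUpdater.exe"]

if __name__ == "__main__":
    for hit in check_network(SAMPLE_NETWORK) + check_children(SAMPLE_PROCESSES) + check_temp(SAMPLE_TEMP):
        print("IOC:", hit)
```

Feed it exported Sysmon or EDR events with the same field names; a hit is a lead for investigation, not proof of compromise, since the attack was narrowly targeted.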

(Source: HelpNet Security)
