
Notepad++ update service hijacked in targeted state-linked attack

A state-sponsored cyber criminal compromised Notepad++’s update service in 2025, according to the project’s author.

The admission comes after version 8.8.9 of the text editor was released on December 9. That "hardened" version verifies the signature and certificate of downloaded installers during the update process. On December 27, version 8.9 was released, dropping the use of a self-signed certificate. The project said: "Only the legitimate certificate issued by GlobalSign is now used to sign Notepad++ release binaries. We strongly recommend that users who previously installed the self-signed root certificate remove it."

Today, in a post titled “Notepad++ Hijacked by State-Sponsored Hackers,” Notepad++ confirmed the app had fallen victim to miscreants.

The exact mechanism used in the attack remains under investigation, but the problem stems from a compromised hosting server combined with inadequate update verification in older versions of the editor: an updater that fetches a manifest and installer over a channel it does not authenticate will happily run whatever the server, or anyone who can redirect traffic to it, hands back. According to the Notepad++ post:

"Traffic from certain targeted users was selectively redirected to attacker-controlled servers that served malicious update manifests."

The incident began in June, according to Notepad++. The shared hosting service was compromised until September 2, and even after losing that access, the attackers retained credentials for internal services until December 2. While investigations indicate the attack activity ended on November 10, Notepad++'s author wrote: "I estimate the overall compromise period spanned from June through December 2, 2025, when all attacker access was definitively terminated."

Security researcher Kevin Beaumont noted something was afoot on December 2. “I’ve heard from 3 orgs now who’ve had security incidents on boxes with Notepad++ installed, where it appears Notepad++ processes have spawned the initial access. These have resulted in hands on keyboard threat actors.”

Beaumont said the update mechanism was open to tampering because the download itself could be redirected. He also noted, however, that the "activity appears very targeted," with the limited number of victims he spoke to having interests in East Asia.

The Notepad++ author wrote that several independent security researchers reckon the threat actor was likely a Chinese state-sponsored group, “which would explain the highly selective targeting observed during the campaign.”

Chinese cyberspies have a lengthy track record when it comes to computer and network intrusion. In December, CISA warned that individuals from the country wormed their way into critical US networks, maintaining access for years in some cases.

The Register contacted the author of Notepad++ for more information and will update this piece should any be forthcoming. In the meantime, it would be prudent to check and remove the previously installed Notepad++ root certificate, and manually download and install the latest release.
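For readers who want to act on that advice rather than eyeball the certificate store, the following PowerShell script does both checks on a Windows box: it lists (and, with -Remove, deletes after confirmation) any self-signed root certificate whose subject matches a pattern, and it verifies the Authenticode signature and chain of a manually downloaded installer, flagging it as safe only if the signing certificate was issued under GlobalSign and the chain does not terminate in the suspect self-signed root. This is an added example, not code from the Notepad++ project or from The Register. Two things are assumptions, not facts from the page: that the self-signed root installed by older updaters has a subject containing "Notepad++" (the page never names it; inspect the store and adjust $SubjectPattern), and the installer path in $InstallerPath.

```powershell
# Added example; not Notepad++ project code. Assumptions (not stated in the article):
#  - the self-signed root that older updaters installed has a Subject matching $SubjectPattern
#  - the manually downloaded installer is at $InstallerPath
param(
    [string]$InstallerPath  = "$env:USERPROFILE\Downloads\npp-installer.exe",  # assumed path
    [string]$SubjectPattern = 'Notepad\+\+',                                    # assumed subject
    [switch]$Remove
)

# 1. Self-signed roots (Subject equals Issuer) whose subject matches the pattern.
#    LocalMachine\Root is only writable from an elevated shell; reading may still work.
$stores   = 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root'
$suspects = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -eq $_.Issuer -and $_.Subject -match $SubjectPattern }
}

if ($suspects) {
    Write-Host "Self-signed root certificate(s) matching '$SubjectPattern':"
    $suspects | Format-Table Subject, Thumbprint, NotAfter, PSParentPath -AutoSize
    if ($Remove) {
        # -Confirm forces a prompt per certificate; check subject and thumbprint before answering.
        $suspects | ForEach-Object { Remove-Item -Path $_.PSPath -Confirm }
    }
} else {
    Write-Host "No self-signed root matching '$SubjectPattern' in CurrentUser or LocalMachine Root."
}

# 2. Authenticode check on the downloaded installer. 'Valid' only says the chain builds to
#    some trusted root; a leftover self-signed root would also satisfy that, which is exactly
#    why we additionally inspect who issued the leaf and what the chain's root is.
if (-not (Test-Path -Path $InstallerPath)) {
    Write-Warning "Installer not found at $InstallerPath; skipping signature check."
    return
}

$sig  = Get-AuthenticodeSignature -FilePath $InstallerPath
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status: $($sig.Status) - $($sig.StatusMessage). Do not run this file."
    return
}
$leaf = $sig.SignerCertificate

# Build the chain ourselves so the root element is visible, with online revocation checking.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
[void]$chain.Build($leaf)
$root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

# Name matching on 'GlobalSign' is a heuristic that mirrors the project's statement;
# an organisation with a change-control process would pin the expected leaf thumbprint instead.
$issuedByGlobalSign = ($leaf.Issuer -match 'GlobalSign') -and ($root.Subject -match 'GlobalSign')
$rootIsSuspect      = $root.Subject -match $SubjectPattern

[pscustomobject]@{
    File               = $InstallerPath
    Status             = $sig.Status
    Signer             = $leaf.Subject
    Issuer             = $leaf.Issuer
    ChainRoot          = $root.Subject
    IssuedByGlobalSign = $issuedByGlobalSign
    RootIsSuspect      = $rootIsSuspect
    SafeToRun          = $issuedByGlobalSign -and -not $rootIsSuspect
} | Format-List
```

Run it once without -Remove to see what it finds, then again with -Remove from an elevated PowerShell if the suspect root lives in LocalMachine\Root. Note the order matters: remove the stray root first, then verify the installer, otherwise a chain that terminates in that root would still report Valid.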

Beaumont commended Notepad++, saying on Mastodon: “Notepad++ dev did a great job treating issue seriously.”

As for Notepad++, the apologies were profuse. The project’s website has since moved to a new hosting provider “with significantly strong practices” and the update process has been hardened. “Certificate & signature verification will be enforced starting with upcoming v8.9.2, expected in about one month.”

“With these changes and reinforcements, I believe the situation has been fully resolved. Fingers crossed.” ®
