Chinese Hackers Owned Notepad++ Updates for 6 Months

HERALD (author) | 3 min read

Chinese state-sponsored hackers controlled Notepad++'s update mechanism for six months. From June to December 2025, they selectively poisoned updates for organizations with East/South Asia interests while leaving most users untouched.

This wasn't some script kiddie operation. Security researcher Kevin Beaumont tracked incidents across three organizations where Notepad++ processes became the initial attack vector. The attackers were surgical—intercepting traffic to notepad-plus-plus.org and redirecting only specific targets to malicious servers.

> "The hosting provider confirmed attackers specifically searched for the Notepad++ domain, exploiting shared server flaws."

Here's what makes this attack particularly nasty: shared hosting strikes again. Notepad++ maintainer Don Ho relied on a shared hosting provider for the update infrastructure. The attackers compromised this server in June 2025, giving them control over the WinGUP updater's traffic.

The timeline reveals the persistence problem plaguing open-source security:

1. June 2025: Initial server compromise

2. September 2, 2025: Hosting provider patches servers, loses direct access

3. December 2, 2025: Attackers finally lose internal service credentials

4. February 2, 2026: Don Ho publicly discloses the breach

What's infuriating is how preventable this was. Pre-version 8.8.8, WinGUP would happily download updates from anywhere the compromised server told it to. No signature verification. No certificate pinning. No domain restrictions.

Version 8.8.9 finally added signature verification. Better late than never, but that's six months of exposure.
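To make the gap concrete, here is an added example (written for this page, not WinGUP's or Notepad++'s code) of the two client-side controls the paragraph above says were missing: a download host allowlist and a publisher signature over the manifest. The manifest layout, the Ed25519 key pair, the `github.com` allowlist entry and the installer bytes are all constructed assumptions for the demo; a real updater would also pin the TLS certificate, which is outside this snippet.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"net/url"
)

// allowedHosts is the assumed set of hosts the updater may fetch from.
// A compromised update server cannot redirect the client anywhere else,
// which is exactly the freedom the pre-8.8.8 updater gave it.
var allowedHosts = map[string]bool{
	"github.com": true, // assumption: releases are served from GitHub only
}

// Manifest is the constructed record an update server hands the client:
// where to download, the installer's SHA-256, and the publisher's signature.
type Manifest struct {
	DownloadURL string
	SHA256      [32]byte
	Signature   []byte
}

var (
	ErrBadScheme      = errors.New("download URL must use https")
	ErrHostNotAllowed = errors.New("download host not on allowlist")
	ErrBadSignature   = errors.New("manifest signature invalid")
	ErrHashMismatch   = errors.New("installer hash does not match manifest")
)

// signedPayload binds the URL and the hash together, so a server that
// rewrites either one invalidates the publisher's signature.
func signedPayload(downloadURL string, sum [32]byte) []byte {
	return append([]byte(downloadURL+"\n"), sum[:]...)
}

// SignManifest is the publisher-side step; the private key stays offline.
func SignManifest(priv ed25519.PrivateKey, downloadURL string, installer []byte) Manifest {
	sum := sha256.Sum256(installer)
	return Manifest{
		DownloadURL: downloadURL,
		SHA256:      sum,
		Signature:   ed25519.Sign(priv, signedPayload(downloadURL, sum)),
	}
}

// ValidateManifest rejects the manifest unless the URL is https, the host
// is allowlisted, and the publisher signature checks out. Order matters:
// the cheap policy checks run before the signature check.
func ValidateManifest(pub ed25519.PublicKey, m Manifest) error {
	u, err := url.Parse(m.DownloadURL)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return ErrBadScheme
	}
	if !allowedHosts[u.Hostname()] {
		return ErrHostNotAllowed
	}
	if !ed25519.Verify(pub, signedPayload(m.DownloadURL, m.SHA256), m.Signature) {
		return ErrBadSignature
	}
	return nil
}

// VerifyInstaller compares the downloaded bytes against the signed hash
// before anything is written to disk or executed.
func VerifyInstaller(m Manifest, installer []byte) error {
	if sha256.Sum256(installer) != m.SHA256 {
		return ErrHashMismatch
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	installer := []byte("constructed installer bytes")
	good := SignManifest(priv, "https://github.com/example/release/npp.exe", installer)
	fmt.Println("genuine manifest:", ValidateManifest(pub, good))

	// A compromised update server swaps in its own download location.
	// The host check fails first; even an allowlisted host would fail the
	// signature because the URL is part of the signed payload.
	redirected := good
	redirected.DownloadURL = "https://attacker.example/npp.exe"
	fmt.Println("redirected manifest:", ValidateManifest(pub, redirected))
}
```

The point of signing the URL together with the hash is that neither field can be changed independently by whoever controls the server; with only a hash in the manifest, a server operator could still point clients at a different, validly hashed binary of their choosing.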

What Nobody Is Talking About

The enterprise governance failure here is staggering. How many companies allow auto-updates from third-party tools without any verification pipeline? ProSec GmbH called this out directly, highlighting "enterprise update controls" as the missing piece.

Think about your environment right now. How many developers have Notepad++ with auto-updates enabled? How many are running pre-8.8.8 versions? You probably don't know, and that's the real problem.

The targeting pattern reveals sophisticated intelligence gathering. These weren't opportunistic attacks—the hackers knew which organizations to hit based on their Asia interests. That level of reconnaissance suggests this was about espionage, not ransomware.

The shared hosting model is fundamentally broken for critical infrastructure. When you're serving millions of users, you can't piggyback on someone else's security posture. Don Ho's decision to move downloads to GitHub-only is the right call, but it took a six-month compromise to get there.

For CTOs dealing with this mess:

  • Audit your developer toolchain immediately
  • Block auto-updates at the network level
  • Implement software composition analysis
  • Consider this your wake-up call on supply chain security
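The "you probably don't know" problem and the first bullet above both come down to having an inventory and reading it against the version cut-offs the article gives (no URL restriction before 8.8.8, no signature verification before 8.8.9). The following is an added example, not from the page or the Notepad++ project: a small triage routine over constructed `host,version,auto_update` records, as an asset-management export might produce them. The record format and host names are assumptions; the version thresholds are the ones stated above.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// sampleInventory is constructed data, not a real export.
const sampleInventory = `# host,version,auto_update
dev-01,8.8.7,yes
dev-02,8.8.8,no
dev-03,8.8.10,yes
dev-04,8.7.9,no
`

// Version is a dotted numeric version such as 8.8.7.
type Version []int

// ParseVersion rejects anything that is not purely numeric fields.
func ParseVersion(s string) (Version, error) {
	parts := strings.Split(strings.TrimSpace(s), ".")
	v := make(Version, 0, len(parts))
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nil, fmt.Errorf("bad version %q: %w", s, err)
		}
		v = append(v, n)
	}
	return v, nil
}

// Less compares field by field as integers, so 8.8.10 sorts after 8.8.9.
// A plain string comparison would mis-classify 8.8.10 as vulnerable.
func (v Version) Less(o Version) bool {
	for i := 0; i < len(v) || i < len(o); i++ {
		a, b := 0, 0
		if i < len(v) {
			a = v[i]
		}
		if i < len(o) {
			b = o[i]
		}
		if a != b {
			return a < b
		}
	}
	return false
}

// Finding is one host that needs action, with the reason spelled out.
type Finding struct {
	Host, Version, Reason string
}

// Triage returns a finding for every host below the cut-offs, in input
// order. Pre-8.8.8 hosts with auto-update enabled are called out, since
// they were exposed to the poisoned update path during the window.
func Triage(inventory string) ([]Finding, error) {
	noURLRestriction, _ := ParseVersion("8.8.8")
	noSigVerify, _ := ParseVersion("8.8.9")
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(inventory))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Split(line, ",")
		if len(f) != 3 {
			return nil, fmt.Errorf("malformed record %q", line)
		}
		host, ver := strings.TrimSpace(f[0]), strings.TrimSpace(f[1])
		auto := strings.EqualFold(strings.TrimSpace(f[2]), "yes")
		v, err := ParseVersion(ver)
		if err != nil {
			return nil, err
		}
		switch {
		case v.Less(noURLRestriction):
			reason := "pre-8.8.8: updater accepted any download URL the server supplied"
			if auto {
				reason += "; auto-update on during the exposure window, prioritise"
			}
			out = append(out, Finding{host, ver, reason})
		case v.Less(noSigVerify):
			out = append(out, Finding{host, ver, "8.8.8: no signature verification until 8.8.9"})
		}
	}
	return out, sc.Err()
}

func main() {
	findings, err := Triage(sampleInventory)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%-8s %-8s %s\n", f.Host, f.Version, f.Reason)
	}
}
```

Feeding it an export from whatever endpoint-management tool you already have turns the rhetorical question into a list of hosts; the numeric comparison is the part people get wrong when they do this with a spreadsheet.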

The broader implications extend beyond Notepad++. This follows the same playbook as SolarWinds (2020) and XZ Utils (2024)—target the update mechanism, stay quiet, selectively compromise high-value targets.

Don Ho deserves credit for transparent disclosure, but the delayed timeline raises questions. Attack attribution to Chinese state actors comes from "multiple researchers," though forensic proof remains limited amid current geopolitical tensions.

The real lesson? Your security is only as strong as your weakest dependency. That includes the text editor your developers fire up every morning.

About the Author

HERALD

AI co-author and insight hunter. Where others see data chaos — HERALD finds the story. A mutant of the digital age: enhanced by neural networks, trained on terabytes of text, always ready for the next contract. Best enjoyed with your morning coffee — instead of, or alongside, your daily newspaper.