
The creator of Notepad++ has confirmed that a coordinated attack by a suspected Chinese state-sponsored threat actor compromised the project's former shared hosting infrastructure between June and December 2025.

The intrusion let the attackers intercept update traffic and selectively redirect it to malicious servers, exploiting the weak verification of downloaded update packages in releases before version 8.8.9.

Infrastructure-Level Compromise

According to the forensic investigation carried out by external security analysts and the former hosting provider, the breach occurred at the infrastructure level rather than through a defect in the Notepad++ code itself. The attackers gained access to the shared hosting server, which allowed them to intercept requests intended for notepad-plus-plus.org.

The attack specifically targeted the getDownloadUrl.php script used by the application's updater. With control of this endpoint, the adversaries could redirect chosen users to servers under their control that hosted malicious binaries, while other users continued to receive the legitimate response.

These malicious payloads were delivered in place of the genuine update. The attack relied on the fact that earlier versions of the updater (WinGUp) did not strictly enforce certificate and signature validation on downloaded installers, so a binary fetched from an attacker-controlled URL was run as if it had come from the project.

Several independent security researchers have concluded that the operation was probably carried out by a Chinese state-sponsored group. The targeting was described as "remarkably selective," concentrating on specific users rather than a broad supply-chain infection.


The breach lasted for around six months, and the hosting provider identified two distinct phases of unauthorized access: direct access to the server, followed by persistence through stolen credentials.

| Date | Event | Description |
|------|-------|-------------|
| June 2025 | Initial breach | Attackers gain access to the shared hosting server. |
| September 2, 2025 | Direct server access lost | A planned maintenance upgrade (kernel/firmware) by the provider cut off the attackers' direct access to the server. |
| Sept 2 – Dec 2, 2025 | Credential persistence | Attackers retained access through stolen internal service credentials, allowing continued traffic redirection despite losing direct access to the server. |
| November 10, 2025 | Attack ceased (estimate) | Security specialists observed that the active attack operation appeared to stop around this date. |
| December 2, 2025 | Access terminated | Hosting provider rotated all credentials and completed security hardening, definitively locking the attackers out. |
| December 9, 2025 | Mitigation released | Notepad++ v8.8.9 released with strengthened update verification. |

The hosting provider confirmed that no other customers on the shared server were targeted; the attackers focused exclusively on the Notepad++ domain. In response to the incident, the Notepad++ site has been moved to a new provider with stronger security measures.

To prevent similar hijacking attempts, Notepad++ version 8.8.9 added strict validation to WinGUp: a downloaded installer must carry a valid digital signature and that signature must chain to the expected certificate. If either check fails, the update process is now aborted before the installer is run.

Looking ahead, the project is adopting the XMLDSig (XML Digital Signature) standard for update manifests. With this hardening, the XML returned by the update server is cryptographically signed, so a client can reject a manifest whose contents, including the download URL, have been altered by whoever controls the server. The installer check alone only catches a malicious binary after it has been downloaded; the manifest signature rejects the redirect itself. Enforcement is planned for version 8.9.2, expected within the next month.
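The following Go program is an added example, not code from Notepad++ or WinGUp, that models the update flow described above (the getDownloadUrl.php reply, the 8.8.9 installer check, and the planned manifest signing) against a hijacked host. It assumes a simplified manifest shape, a pinned Ed25519 publisher key, and detached Ed25519 signatures standing in for XMLDSig on the manifest and for the certificate/signature check on the installer; all download URLs, keys and binaries are constructed for the demonstration, and an in-memory map replaces HTTP.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/xml"
	"errors"
	"fmt"
)

// ManifestURL is the endpoint the article names; everything else below
// (other URLs, keys, binaries, the XML schema) is constructed for this example.
const ManifestURL = "https://notepad-plus-plus.org/update/getDownloadUrl.php"

// Manifest is an assumed, simplified shape of the updater's XML reply.
type Manifest struct {
	XMLName  xml.Name `xml:"GUP"`
	Version  string   `xml:"Version"`
	Location string   `xml:"Location"`
}

// Network stands in for HTTP: URL -> response body. Whoever controls the
// hosting server controls every entry under the project's domain.
type Network map[string][]byte

var ErrBadSignature = errors.New("signature verification failed")

// Seal prefixes data with an Ed25519 signature over it; it stands in for the
// installer's embedded code signature. Open is the matching verification.
func Seal(priv ed25519.PrivateKey, data []byte) []byte {
	return append(ed25519.Sign(priv, data), data...)
}

func Open(pub ed25519.PublicKey, blob []byte) ([]byte, error) {
	n := ed25519.SignatureSize
	if len(blob) < n || !ed25519.Verify(pub, blob[n:], blob[:n]) {
		return nil, ErrBadSignature
	}
	return blob[n:], nil
}

// Client models the updater at three stages: no checks (pre-8.8.9), installer
// check only (8.8.9), and installer plus manifest checks (planned 8.9.2, with a
// detached signature at ManifestURL+".sig" playing the role of XMLDSig).
type Client struct {
	Pub             ed25519.PublicKey // pinned publisher key (assumed)
	VerifyManifest  bool
	VerifyInstaller bool
}

func (c Client) Update(net Network) ([]byte, error) {
	raw, ok := net[ManifestURL]
	if !ok {
		return nil, errors.New("manifest request failed")
	}
	// Verify before parsing: a rewritten or re-signed reply never gets to
	// choose the download location. A missing .sig verifies as false.
	if c.VerifyManifest && !ed25519.Verify(c.Pub, raw, net[ManifestURL+".sig"]) {
		return nil, fmt.Errorf("manifest: %w", ErrBadSignature)
	}
	var m Manifest
	if err := xml.Unmarshal(raw, &m); err != nil {
		return nil, fmt.Errorf("manifest parse: %w", err)
	}
	if m.Location == "" {
		return nil, errors.New("manifest has no Location")
	}
	blob, ok := net[m.Location]
	if !ok {
		return nil, fmt.Errorf("download failed: %s", m.Location)
	}
	if !c.VerifyInstaller {
		return blob, nil // pre-8.8.9: run whatever the redirect produced
	}
	exe, err := Open(c.Pub, blob)
	if err != nil {
		return nil, fmt.Errorf("installer from %s: %w", m.Location, err)
	}
	return exe, nil
}

// Scenario holds the honest site and a hijacked copy of it.
type Scenario struct {
	Pub              ed25519.PublicKey
	Honest, Hijacked Network
	GoodExe, EvilExe []byte
}

func BuildScenario() Scenario {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	const goodURL = "https://downloads.example.invalid/npp.Installer.x64.exe" // constructed
	const evilURL = "https://attacker.example.invalid/npp.Installer.x64.exe" // constructed
	s := Scenario{Pub: pub, GoodExe: []byte("GENUINE INSTALLER (constructed)"),
		EvilExe: []byte("TROJANIZED INSTALLER (constructed)")}
	good := []byte("<GUP><Version>8.8.9</Version><Location>" + goodURL + "</Location></GUP>")
	s.Honest = Network{ManifestURL: good, ManifestURL + ".sig": ed25519.Sign(priv, good),
		goodURL: Seal(priv, s.GoodExe)}
	// Hijacked hosting: the attacker rewrites Location for chosen victims and
	// serves a binary signed with a key the client does not trust.
	evil := []byte("<GUP><Version>8.8.9</Version><Location>" + evilURL + "</Location></GUP>")
	s.Hijacked = Network{ManifestURL: evil, ManifestURL + ".sig": ed25519.Sign(attackerPriv, evil),
		goodURL: Seal(priv, s.GoodExe), evilURL: Seal(attackerPriv, s.EvilExe)}
	return s
}

func main() {
	s := BuildScenario()
	for _, c := range []Client{{Pub: s.Pub}, {Pub: s.Pub, VerifyInstaller: true},
		{Pub: s.Pub, VerifyInstaller: true, VerifyManifest: true}} {
		exe, err := c.Update(s.Hijacked)
		fmt.Printf("manifest=%v installer=%v -> exe=%q err=%v\n", c.VerifyManifest, c.VerifyInstaller, exe, err)
	}
}
```

Run against the hijacked host, the pre-8.8.9 client returns the attacker's binary, the 8.8.9-style client downloads it but refuses to run it, and the 8.9.2-style client rejects the tampered manifest before any download. The stand-ins are deliberate simplifications: real WinGUp checks a certificate chain rather than a raw Ed25519 key, and XMLDSig embeds the signature in the XML rather than serving it beside the manifest.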
