Notepad++'s official updater was hijacked
what happened
Notepad++'s official update mechanism, WinGUp, was hijacked and some users' update traffic was redirected to a malicious server. The attack had been running since June 2025, but it only became public more than half a year later, in December 2025.
The important point is that the Notepad++ codebase itself was not vulnerable. Don Ho, the maintainer, said the compromise happened at the hosting-provider level.
how the attack worked
The attack succeeded because two problems overlapped.
1. the hosting server was compromised
The server hosting the Notepad++ website was breached. That gave the attacker the ability to intercept update traffic directly and redirect it to a fake server.
According to the hosting provider, access to the shared hosting server was abused until September 2, 2025, and internal service credentials were abused until December 2, 2025.
2. WinGUp did not validate downloads strongly enough
The Notepad++ updater did not sufficiently verify the integrity of downloaded files. As a result, once traffic was intercepted at the network layer, a fake binary could be accepted as a legitimate update: the updater trusted the transport and the host it was talking to, not the bytes it received.
it was targeted
Not every user was affected. The redirection was highly selective, and only specific users were sent to the malicious server. Security researcher Kevin Beaumont said the attack was attributed to a Chinese threat actor.
countermeasures
Users who think they may have been affected should verify the updater source, reinstall from the official site, and inspect their environment for suspicious binaries or persistence. The larger lesson is that update systems need end-to-end integrity checks, not just transport-layer trust.
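The end-to-end integrity check described here (and the verification gap in WinGUp discussed under "WinGUp did not validate downloads strongly enough") can be illustrated with a small Go model. This is an added example, not Notepad++ or WinGUp code, and the manifest format, key handling and sample installer bytes are all constructed assumptions. The publisher signs an update manifest offline with an Ed25519 key; the client pins the matching public key, verifies the manifest signature, and only then compares the SHA-256 of the downloaded bytes against the digest in the manifest. Because neither step depends on which server delivered the bytes, a redirected download or a rewritten manifest is rejected even when the hosting layer is fully attacker-controlled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical signed update descriptor. The layout is an
// assumption for this example and is not WinGUp's real update format.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"` // hex SHA-256 of the installer bytes
}

// SignedManifest carries the manifest bytes plus a detached Ed25519 signature.
type SignedManifest struct {
	Payload   []byte
	Signature []byte
}

// SignManifest runs on the publisher's side, offline. The private key never
// lives on the web host or the update server, so a hosting compromise cannot
// produce a valid signature.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	payload, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// VerifyUpdate is the client-side check. It accepts an installer only if the
// manifest verifies against the pinned public key AND the installer's digest
// matches the manifest. Where the bytes came from is irrelevant.
func VerifyUpdate(pinnedPub ed25519.PublicKey, sm SignedManifest, installer []byte) (Manifest, error) {
	if !ed25519.Verify(pinnedPub, sm.Payload, sm.Signature) {
		return Manifest{}, errors.New("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Payload, &m); err != nil {
		return Manifest{}, fmt.Errorf("manifest malformed: %w", err)
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || len(want) != sha256.Size {
		return Manifest{}, errors.New("manifest digest malformed: refusing update")
	}
	got := sha256.Sum256(installer)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return Manifest{}, errors.New("installer digest mismatch: refusing update")
	}
	return m, nil
}

// Scenario builds a constructed publisher/client exchange and exercises three
// cases: the genuine installer, a substituted binary served under the genuine
// manifest, and a manifest rewritten by someone without the signing key.
func Scenario() (genuineOK, swappedRejected, forgedManifestRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	genuine := []byte("constructed: genuine installer bytes")
	substituted := []byte("constructed: attacker-substituted installer bytes")

	sum := sha256.Sum256(genuine)
	m := Manifest{Version: "0.0.0-example", URL: "https://updates.example.invalid/app.exe", SHA256: hex.EncodeToString(sum[:])}
	sm, err := SignManifest(priv, m)
	if err != nil {
		return false, false, false, err
	}

	_, e1 := VerifyUpdate(pub, sm, genuine)     // expected: accepted
	_, e2 := VerifyUpdate(pub, sm, substituted) // expected: digest mismatch

	// A rewritten manifest with the substituted digest but the old signature:
	// the payload changed, so the pinned-key check fails.
	evilSum := sha256.Sum256(substituted)
	evilPayload, _ := json.Marshal(Manifest{Version: m.Version, URL: m.URL, SHA256: hex.EncodeToString(evilSum[:])})
	forged := SignedManifest{Payload: evilPayload, Signature: sm.Signature}
	_, e3 := VerifyUpdate(pub, forged, substituted) // expected: signature invalid

	return e1 == nil, e2 != nil, e3 != nil, nil
}

func main() {
	ok, swapped, forged, err := Scenario()
	fmt.Println("genuine accepted:", ok, "| swapped rejected:", swapped, "| forged manifest rejected:", forged, "| err:", err)
}
```

The key design point is that trust is anchored in a key embedded in the client, not in the TLS connection or the hostname: TLS only proves you reached the server, and the incident shows that the server itself can be the compromised party. Rotating the pinned key would need a new client release signed by the old key, which is the normal cost of this model.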
as a supply chain attack
This is a classic software supply chain incident. The product itself did not need a local code flaw; the attacker only needed to compromise the distribution path. That makes the boundary between “application security” and “infrastructure security” much thinner than many teams assume.