Ravie Lakshmanan | Feb 02, 2026 | Threat Intelligence / Malware

Notepad++ Official Update Mechanism Hijacked to Deliver Malware to Select Users

The maintainer of Notepad++ has revealed that state-sponsored attackers hijacked the utility’s update mechanism to redirect update traffic to malicious servers instead.

“The attack involved [an] infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org,” developer Don Ho said. “The compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself.”

The exact mechanism through which this was realized is currently being investigated, Ho added.

The development comes a little over a month after Notepad++ released version 8.8.9 to address an issue that resulted in traffic from WinGUp, the Notepad++ updater, being “sometimes” redirected to malicious domains, resulting in the download of poisoned executables.

Specifically, the problem stemmed from the way the updater verified the integrity and authenticity of the downloaded update file, allowing an attacker who is able to intercept network traffic between the updater client and the update server to trick the tool into downloading a different binary instead.

It is believed this redirection was highly targeted, with traffic originating from only certain users routed to the rogue servers and fetching the malicious components. The incident is assessed to have commenced in June 2025, more than six months before it came to light.

Independent security researcher Kevin Beaumont revealed that the flaw was being exploited by threat actors in China to hijack networks and deceive targets into downloading malware. In response to the security incident, the Notepad++ website has been migrated to a new hosting provider.

“According to the previous hosting provider, the shared hosting server was compromised until September 2, 2025,” Ho explained. “Even after losing server access, attackers maintained credentials to internal services until December 2, 2025, which allowed them to continue redirecting Notepad++ update traffic to malicious servers.”
