Users of the widely utilized Notepad++ code and text editor may have unknowingly installed malicious software after its update servers were hijacked for approximately six months last year. Developer Don Ho announced details of the compromise, stating the attackers were "likely a Chinese state-sponsored group" and that the vulnerability persisted from June through December 2nd, 2025, according to a report by The Verge.
The attack exploited the application’s unnamed hosting provider, selectively redirecting traffic from targeted users to attacker-controlled servers. These compromised servers delivered malicious update manifests, which could replace the legitimate app update with a harmful executable file. Cybersecurity expert Kevin Beaumont indicated this malware may have provided hackers with remote access to a victim's keyboard.
Ho’s statement specified that the targeting was highly selective, suggesting the threat actors were not broadcasting the attack widely. Beaumont noted that the affected individuals he consulted were organizations with specific interests related to East Asia. This focus implies an espionage objective rather than a generalized malware distribution campaign.
All unauthorized access to the update mechanism was reportedly terminated by December 2nd, though the exact date the developer discovered the breach remains unspecified. To mitigate the risk, the Notepad++ updater has since been reinforced with stronger security protocols to verify update legitimacy and check for tampering.
Users are strongly advised to update to at least version 8.8.9, which specifically addressed the vulnerabilities introduced by the hijacking incident. Ho recommended downloading this version directly from the official Notepad++ website to ensure integrity, rather than relying on automated checks alone.
Beaumont also provided supplementary security guidance, urging users to verify they are not running unofficial builds of the application. Furthermore, users should monitor activity related to the updater process, specifically "gup.exe," and check their system's TEMP folder for suspicious "update.exe" or "AutoUpdater.exe" files.
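The checks above (the installed version, the "gup.exe" updater process and the "update.exe" / "AutoUpdater.exe" names in TEMP) can be run as a single triage pass on a Windows host. The script below is an added example written for this article, not code from the Notepad++ project or from Beaumont; it assumes a default install under Program Files with the updater in the "updater" subfolder, and it only reports findings (hash, timestamps, signature status, process path) for a human to judge.

```powershell
# Triage script (added example; assumptions: default Notepad++ install path,
# updater located at <install dir>\updater\GUP.exe). Reports only; deletes nothing.
$suspectNames = @('update.exe', 'AutoUpdater.exe')            # names from the article
$tempDirs     = @($env:TEMP, $env:TMP, "$env:SystemRoot\Temp") | Select-Object -Unique
$nppDir       = Join-Path $env:ProgramFiles 'Notepad++'        # assumed install location
$expectedGup  = Join-Path $nppDir 'updater\GUP.exe'            # assumed updater location
$minVersion   = [version]'8.8.9'                               # fixed version per the article

Write-Host '== Installed Notepad++ version =='
$npp = Join-Path $nppDir 'notepad++.exe'
if (Test-Path $npp) {
    $ver = [version]((Get-Item $npp).VersionInfo.ProductVersion -replace '[^\d.]', '')
    $sig = (Get-AuthenticodeSignature -FilePath $npp).Status
    "Version $ver, signature $sig, below minimum: $($ver -lt $minVersion)"
} else {
    "notepad++.exe not found at $npp (non-default install?)"
}

Write-Host '== Suspicious files in TEMP folders =='
foreach ($dir in $tempDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $suspectNames -contains $_.Name } |
        ForEach-Object {
            $s = Get-AuthenticodeSignature -FilePath $_.FullName
            [PSCustomObject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                Modified  = $_.LastWriteTime
                SizeBytes = $_.Length
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Signature = $s.Status                       # 'Valid' for a properly signed file
                Signer    = $s.SignerCertificate.Subject
            }
        } | Format-List
}

Write-Host '== Running gup.exe instances =='
Get-CimInstance Win32_Process -Filter "Name = 'gup.exe'" | ForEach-Object {
    [PSCustomObject]@{
        PID          = $_.ProcessId
        Path         = $_.ExecutablePath
        CommandLine  = $_.CommandLine
        ParentPID    = $_.ParentProcessId
        ExpectedPath = ($_.ExecutablePath -ieq $expectedGup)  # $false: runs from an unusual location
    }
} | Format-List
```

Any hit in the TEMP section, a gup.exe running from outside the install directory, or an unsigned binary is a reason to preserve the file for analysis and reinstall from the official site rather than to trust the in-app updater.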
This incident follows past geopolitical tension involving the software; Ho had previously released a "Free Uyghur" edition in 2019, attracting noted DDoS attacks against his website at that time, as reported by The Verge.