In a startling revelation that has shaken the open-source community, the developer of Notepad++ officially confirmed on Monday that the popular text editor’s update mechanism was hijacked by state-sponsored attackers. This sophisticated Notepad++ update hijack allowed malicious actors to intercept network traffic and deliver compromised updates to specific targets for nearly six months.
If you are a user of Notepad++, particularly in the telecommunications or financial sectors understanding this threat is critical. Here is everything you need to know about this supply chain attack and how to secure your systems immediately.
The Breach: What Happened?
The incident was first brought to light by Notepad++ maintainer Don Ho, who revealed that the attack was not a flaw in the software’s code itself, but rather an infrastructure-level compromise. According to reports, suspected Chinese state-sponsored attackers managed to breach the project’s shared hosting server.
Inside the infrastructure, the attackers exploited the Notepad++ update hijack mechanism to intercept traffic destined for notepad-plus-plus.org. By manipulating the WinGUP updater, a component responsible for checking and downloading updates, they redirected specific users to malicious servers controlled by the threat group.
You May Also Like: Intrepid Studios Implodes: Team Resign Hit Ashes of Creation
Who Is Behind the Attack?
Security researchers have attributed this campaign to a Chinese nation-state threat actor known as Violet Typhoon (also tracked as Zirconium or APT31).
Victims report hands-on keyboard recon activity… Activity appears very targeted.
Security Researcher Kevin Beaumont, who first identified the anomalies in early December 2025.
Unlike a mass malware outbreak, this Notepad++ update hijack was highly targeted, where the attackers did not infect every user who updated the software. Instead, they targeted the filtered traffic and specifically those organizations having strategic interests in East Asia, particularly those in the telecommunications and financial services sectors.
Timeline of the Attack
The timeline of the Notepad++ update hijack reveals that the attackers had access to the infrastructure for a significant period:
- June 2025: The supply chain compromise begins. Attackers gain access to the shared hosting server.
- September 2, 2025: The hosting provider updates the server’s kernel and firmware, cutting off the attackers’ direct access to the server.
- September – December 2025: Despite losing server access, the attackers maintained valid credentials for internal services. They continued to redirect traffic and exploit the Notepad++ update hijack vector until December 2, when they were finally locked out.
- February 2, 2026: Notepad++ officially discloses the breach and details the remediation efforts.
The Technical Flaw: Why WinGUP Failed
The success of the Notepad++ update hijack relied on a weakness in the updater, known as WinGUP. Before version 8.8.9, the updater did not rigorously validate the integrity and authenticity of the downloaded update file.
Because the updater failed to enforce strict certificate and signature verification, attackers could easily swap the legitimate installer for a malicious one without the software raising an alarm. This critical gap allowed the Notepad++ update to proceed undetected by users who believed that they were simply installing a standard security patch.
Is Your System Compromised?
While this attack was targeted, every user should be vigilant. Kevin Beaumont and other researchers have advised organizations to check their logs for specific indicators of compromise related to the Notepad++ update hijack:
- Check Network Requests: Look for the process
gup.exemaking network requests to domains other thannotepad-plus-plus.orgorgithub.com. - Suspicious Processes: Monitor for unexpected processes spawned by the Notepad++ installer.
- Temp Files: Check for files named
update.exeorAutoUpdater.exeappearing in the user’s TEMP folder, which is a common behavior of the malicious payload.
Note: If you are an enterprise user, you may want to block gup.exe from accessing the internet entirely unless you have robust monitoring in place.
Also Read: Moltbot & Mac Mini Guide: This Duo Is Taking Over AI
How To Fix
In response to the incident, the project’s website has been migrated to a new and secure hosting provider . The development team has also enhanced the WinGUP updater to verify both the certificate and the signature of any downloaded installer.
Hashtechwave Recommendation: Immediate action is required. While v8.8.9 addresses immediate issues, strict certificate and signature verification will be enforced starting with the upcoming v8.9.2 release, which is expected to launch in a month. Ensure you update immediately to stay ahead of these threats.
For the latest updates on this developing story and critical security alerts, bookmark this page and stay tuned to Hashtechwave.
