Notepad++ hijacked by suspected state-sponsored hackers
A software update mechanism for the popular text editor Notepad++ was hijacked by suspected Chinese state-sponsored hackers, allowing them to silently redirect some users to malicious update servers, the project’s developers announced on Monday.
In a security update posted on the project’s website, the development team said the attack did not exploit a flaw in the editor’s source code itself. Instead, the compromise occurred at the infrastructure level, involving systems used to deliver software updates.
The attackers were able to “intercept and redirect update traffic destined for notepad-plus-plus.org,” the team stated, adding that the “exact technical mechanism remains under investigation.”
Notepad++, a free and open-source editor widely used by tech workers, has millions of users worldwide. The incident underscores ongoing concerns about the security of software supply chains, even for well-established open-source projects.
Unlike many supply-chain attacks, which involve tampering with source code repositories, the Notepad++ incident relied on redirecting network traffic after it left a user’s computer but before it reached the legitimate update server.
Such “on-path” attacks can be difficult to detect and may leave limited forensic evidence, particularly when they affect only a narrow set of users.
Similar tactics have been observed in previous incidents. In 2018, hackers compromised the update delivery infrastructure for ASUS in what researchers called the ShadowHammer campaign. As cybersecurity firm SentinelOne noted, although the malicious updates were distributed to potentially hundreds of thousands of systems, the attackers appeared interested in only a few hundred specific targets.
The Notepad++ developers said their incident followed a similar pattern, with update traffic “selectively redirected” for certain users rather than deployed broadly. The team emphasized the campaign was not a mass attack and did not affect all users, though it did not disclose how many systems were ultimately targeted.
The hijacking began in June 2025 and continued until December, according to the developers. They cited assessments by multiple independent security researchers who concluded the activity was likely linked to a Chinese state-sponsored threat actor, though the researchers and their methods were not publicly identified.
Such attributions are typically based on infrastructure reuse, targeting behavior and operational characteristics rather than direct evidence, and remain difficult to verify conclusively.
The developers said the project has since moved its update infrastructure to a new hosting provider and introduced additional security controls in version 8.9.1 to harden the update mechanism. Users have been urged to upgrade as a precaution.
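The article does not say which controls version 8.9.1 adds, so the following is an added illustration, not Notepad++ code: the defender's answer to an on-path redirection of update traffic is to make the origin of the response irrelevant, by having the client verify a publisher signature over an update manifest with a pinned public key and then check the package against the digest that manifest names. The manifest format, version string, installer bytes and the two attack responses (a real manifest paired with a swapped package, and a manifest re-signed by an attacker's own key) are all constructed here; the signature scheme is Ed25519 from Go's standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the constructed update descriptor the publisher signs.
// The package is bound in by its SHA-256 digest.
type Manifest struct {
	Version string `json:"version"`
	SHA256  string `json:"sha256"`
}

// SignedUpdate is what the client receives from whatever answers the
// update request: the legitimate server or an on-path redirection.
type SignedUpdate struct {
	ManifestJSON []byte
	Signature    []byte
	Package      []byte
}

// PublishUpdate models the build system: hash the package and sign the
// manifest with the publisher's private key, which never leaves that system.
func PublishUpdate(priv ed25519.PrivateKey, version string, pkg []byte) (SignedUpdate, error) {
	sum := sha256.Sum256(pkg)
	m, err := json.Marshal(Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{ManifestJSON: m, Signature: ed25519.Sign(priv, m), Package: pkg}, nil
}

// VerifyUpdate models the client. Only the pinned public key decides whether
// the manifest is trusted, and only the signed digest decides whether the
// package is the one the publisher built. Which server answered plays no part.
func VerifyUpdate(pub ed25519.PublicKey, u SignedUpdate) (Manifest, error) {
	if !ed25519.Verify(pub, u.ManifestJSON, u.Signature) {
		return Manifest{}, errors.New("manifest signature invalid: update rejected")
	}
	var m Manifest
	if err := json.Unmarshal(u.ManifestJSON, &m); err != nil {
		return Manifest{}, err
	}
	sum := sha256.Sum256(u.Package)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return Manifest{}, errors.New("package digest does not match signed manifest: update rejected")
	}
	return m, nil
}

// Outcome records what the client did with three constructed responses.
type Outcome struct {
	AcceptedLegit          bool
	RejectedSwappedPackage bool
	RejectedForgedManifest bool
}

// Scenario plays the publisher, a redirecting on-path server and the client.
func Scenario() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // publisher key pair; pub is pinned in the client
	if err != nil {
		return Outcome{}, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader) // a key the client never pinned
	if err != nil {
		return Outcome{}, err
	}
	genuine := []byte("constructed: genuine installer bytes")
	malicious := []byte("constructed: tampered installer bytes")

	legit, err := PublishUpdate(priv, "8.9.1-example", genuine)
	if err != nil {
		return Outcome{}, err
	}
	// Response 1: the real signed manifest served alongside a different package.
	swapped := legit
	swapped.Package = malicious
	// Response 2: a manifest for the tampered package, signed with the wrong key.
	forged, err := PublishUpdate(attackerPriv, "8.9.1-example", malicious)
	if err != nil {
		return Outcome{}, err
	}

	var out Outcome
	_, err = VerifyUpdate(pub, legit)
	out.AcceptedLegit = err == nil
	_, err = VerifyUpdate(pub, swapped)
	out.RejectedSwappedPackage = err != nil
	_, err = VerifyUpdate(pub, forged)
	out.RejectedForgedManifest = err != nil
	return out, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\n", out)
}
```

Two points from this for anyone reviewing an updater: the public key must ship inside the client binary rather than being fetched from the update host, otherwise a redirected host simply serves its own key; and verification must happen before the package is executed or unpacked, so that a failed check leaves nothing on disk for a later step to trust. Logging the failure with the host that answered also gives defenders the forensic trace the article notes these attacks usually lack.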
“I deeply apologize to all users affected by this hijacking,” the author of the security notice wrote.
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.