Notepad++: Updater takeover by state actors

Attackers delivered malware to selected systems through the Notepad++ updater. The investigation points to state actors.

Notepad++ logo next to warning sign

(Image: heise medien)


In December a Notepad++ update closed a weakness in the update mechanism that attackers had already been exploiting. The results of the investigation into those incidents are now available, and according to them state actors are likely behind the attacks.

In a blog post, Notepad++ developer Don Ho reports on the investigation results. Ho investigated the incident together with external IT security experts and the hosting provider he has since left. “According to the security experts' analysis, the attack involved an infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic for Notepad++,” Ho explains. “The exact technical mechanism is under further investigation, but it is clear that the compromise occurred at the hosting provider level rather than through vulnerabilities in the Notepad++ code itself,” he adds. The redirection was selective: only update traffic from specific, targeted users was sent to attacker-controlled servers, which then delivered malicious update manifests.

The incident began in June 2025. “Several independent IT security researchers conclude that the malicious actors belong to a group controlled by China. This would explain the highly selective targeting observed in the campaign,” Ho writes. The IT security expert proposed an emergency plan, which he pursued together with the hosting provider. The provider then issued its statement on the incident.

According to the provider, the shared hosting server was compromised until September 2, 2025. On that day the provider performed maintenance on the machine, updating the firmware and kernel in the process; after that, no further attack patterns could be detected. “Although the malicious actors lost access to the server on September 2, 2025, they had credentials for internal services on the server until December 2, 2025. This would have allowed them to redirect traffic to 'https://notepad-plus-plus.org/getDownloadUrl.php' to their servers and deliver a compromised update download URL,” the hosting provider states. According to the logs, the attackers searched specifically for Notepad++ and for no other project. On December 2 the systems were hardened, among other things by closing vulnerabilities and changing passwords.

While the attacks appear to have stopped on November 10, 2025, according to the IT security expert's findings, Don Ho considers further attacks to have been at least possible until December 2. He apologizes to everyone affected. To address this significant security issue, Ho has moved the Notepad++ website to a new hosting provider with considerably stronger security practices. In Notepad++ itself, he has extended the WinGup updater in version 8.8.9 to check the certificate and signature of the downloaded installer. The XML returned by the update URL is now signed as well. Notepad++ will enforce its verification starting with the upcoming version 8.9.2, expected next month. “With these changes and reinforcements, I believe the situation is fully resolved. I'm crossing my fingers,” Ho concludes the analysis.
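What a signed manifest plus a pinned installer buys against exactly this attack, as an added example that is not WinGup's or Notepad++'s own code: the publisher signs the update XML offline, and the client verifies that signature with a key compiled into the updater before it trusts the download URL, then checks the downloaded installer against the manifest. A server that only controls the update URL can serve any XML it likes but cannot produce a valid signature. The Go code below uses a constructed Ed25519 key pair; the XML element names, the URLs and the installer bytes are constructed stand-ins, and the installer check uses a SHA-256 pin carried in the manifest in place of the code-signing certificate check the real updater performs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
)

// Manifest is a minimal stand-in for the XML an update URL returns. The
// element names are assumptions for this example, not the real WinGup
// schema; what matters is that the download location and the installer
// pin are both covered by the signature.
type Manifest struct {
	XMLName  xml.Name `xml:"GUP"`
	Version  string   `xml:"Version"`
	Location string   `xml:"Location"`
	SHA256   string   `xml:"SHA256"`
}

// SignedManifest is the manifest's exact serialized bytes plus a detached
// Ed25519 signature over those bytes.
type SignedManifest struct {
	Body []byte
	Sig  []byte
}

// SignManifest is the publisher side, done offline before publishing.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	body, err := xml.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Body: body, Sig: ed25519.Sign(priv, body)}, nil
}

// VerifyManifest is the client side: verify the signature with the publisher
// key baked into the updater before parsing a single byte of the XML.
func VerifyManifest(pub ed25519.PublicKey, sm SignedManifest) (Manifest, error) {
	if !ed25519.Verify(pub, sm.Body, sm.Sig) {
		return Manifest{}, errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := xml.Unmarshal(sm.Body, &m); err != nil {
		return Manifest{}, err
	}
	return m, nil
}

// VerifyInstaller pins the downloaded bytes to the hash in the verified
// manifest, so an installer swapped behind a correct-looking URL is rejected.
// (Hash pin used here in place of the real updater's certificate check.)
func VerifyInstaller(m Manifest, installer []byte) error {
	if Hex32(installer) != m.SHA256 {
		return errors.New("installer hash mismatch")
	}
	return nil
}

// Hex32 returns the hex SHA-256 of b, the format used in the manifest.
func Hex32(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// DemoKeys derives a fixed publisher key pair from a constructed seed so the
// example is reproducible. A real publisher key is never a fixed seed.
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := []byte("constructed-demo-seed-for-example-only!!")
	priv := ed25519.NewKeyFromSeed(seed[:ed25519.SeedSize])
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := DemoKeys()
	installer := []byte("constructed stand-in for the genuine installer bytes")
	genuine := Manifest{Version: "8.8.9",
		Location: "https://updates.example/npp.8.8.9.Installer.x64.exe", // constructed
		SHA256:   Hex32(installer)}
	sm, _ := SignManifest(priv, genuine)
	m, err := VerifyManifest(pub, sm)
	fmt.Println("genuine manifest verifies:", err == nil,
		"installer verifies:", VerifyInstaller(m, installer) == nil)

	// Attacker sitting on the update URL: same structure, their own URL and
	// hash, reusing the genuine signature because they cannot make their own.
	evil := Manifest{Version: "8.8.9", Location: "https://attacker.example/npp.exe",
		SHA256: Hex32([]byte("malicious installer"))}
	evilBody, _ := xml.Marshal(evil)
	_, err = VerifyManifest(pub, SignedManifest{Body: evilBody, Sig: sm.Sig})
	fmt.Println("redirected manifest rejected:", err != nil)
}
```

The order matters: the signature is checked over the raw bytes before the XML is parsed, so the parser never runs on attacker-controlled input, and the installer is only accepted if it matches the pin in a manifest that already passed the signature check.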


Last December it became known that the Notepad++ updater had installed malware on some PCs. The cleanup took some time: at the end of December, Don Ho also removed leftovers such as remnants of previously used self-signed certificates.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.