Notepad++ Update Servers Hijacked in Targeted Supply Chain Attack

The Notepad++ project has confirmed that attackers quietly hijacked its software update infrastructure in a targeted campaign that allowed malicious binaries to be served to select users for months. 

Rather than exploiting a flaw in the editor’s code, the attackers compromised backend hosting systems, turning a trusted update channel into a covert delivery mechanism.

The infrastructure-level attack allowed “… malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org,” said Notepad++ in its advisory.

Inside the Notepad++ Update Attack

According to the Notepad++ project and independent forensic analysis, the attack unfolded over a six-month period between June and December 2025 and primarily affected users running older versions of the WinGUp updater. 

Rather than exploiting a vulnerability in the application itself, the attackers compromised the shared hosting infrastructure previously used by notepad-plus-plus[.]org.

Investigators determined that the attackers gained access to the hosting server, enabling them to intercept and manipulate traffic destined for Notepad++ update services. 

Their primary focus was the getDownloadUrl.php script, which WinGUp relies on to retrieve installer download locations. 

By controlling this endpoint, the attackers were able to selectively redirect specific update requests to attacker-controlled servers.

These malicious servers hosted trojanized installers that were delivered in place of legitimate updates. 

The attack succeeded because older versions of WinGUp did not strictly enforce both digital signature validation and certificate matching for downloaded binaries, allowing tampered installers to execute without obvious warnings.

The hosting provider later identified two distinct phases of attacker access. Direct control of the server persisted until Sept. 2, 2025, when a scheduled kernel and firmware update disrupted access. 

Despite this, the attackers maintained persistence by abusing stolen internal service credentials, allowing them to continue redirecting update traffic until early December. The investigators estimated that active exploitation likely ceased in early to mid-November 2025.

Researchers stressed that this was not a broad supply-chain poisoning event. Instead, the campaign was deliberately low-noise and highly selective, targeting specific users rather than indiscriminately pushing malware to the entire install base. 

That operational restraint, combined with long-term persistence and infrastructure control, led investigators to assess the activity as consistent with a state-sponsored threat actor.

How Organizations Can Reduce Supply Chain Risk

The Notepad++ update compromise highlights how trusted software distribution mechanisms can become high-risk attack surfaces when infrastructure or validation controls fail. 

While the project has implemented stronger safeguards, organizations should treat this incident as a broader supply-chain lesson rather than a one-off event. 

Reducing exposure requires a layered defensive approach that extends beyond patching to include visibility, control, and preparedness across the update lifecycle. 

• Patch all Notepad++ installations to version 8.8.9 or later to ensure strict digital signature and certificate validation during updates.
• Centralize software distribution by using internal repositories or endpoint management tools instead of allowing direct updater downloads from external servers.
• Monitor endpoint and network telemetry for unusual installer executions, unexpected download domains, or abnormal updater behavior.
• Enforce application allowlisting and restrict the trust scope of developer tools to limit blast radius if a trusted update channel is abused.
• Apply outbound network controls and certificate validation to detect or block update traffic redirected to unauthorized servers.
• Track and validate known-good installer hashes to identify tampered or unexpected binaries executed on endpoints.
• Test and refine incident response plans for supply-chain and update-mechanism compromise scenarios, including detection, containment, and recovery workflows.

Collectively, these steps help organizations limit the impact of compromised update channels, reduce blast radius, and strengthen overall resilience against supply-chain risks.

Software Updates as a Supply Chain Risk

The Notepad++ incident shows that software update mechanisms deserve the same level of attention as other critical systems. 

Even when application code is secure, gaps in hosting, validation, or distribution can introduce risk through trusted update channels. 

Strengthening controls around update delivery and preparing for compromise scenarios can help organizations limit impact and reduce exposure to future supply-chain issues. 

Incidents like this illustrate why software supply chain security has become a core concern for organizations that rely on third-party tools and automated update channels.