Chipp.in Tech News and Reviews

Windows, Security & Privacy, Open Source and more


Why You Need to Update Notepad++ Immediately

Posted on February 2, 2026 by Martin Brinkmann

The popular open source plain text editor has become the target of state-sponsored hackers, according to a blog post. The Notepad++ developer released a detailed post-mortem on a severe supply chain attack that occurred between June and December 2025.

By compromising the application’s hosting provider, state-sponsored hackers were able to redirect update traffic to serve malicious files to users of the text editor.

It all started in 2025

When the developer of Notepad++ put out a security warning in December 2025, it was immediately clear that something critical had happened. The blog post confirmed that a vulnerability in the update process had been exploited for some time. Traffic “was occasionally redirected to malicious servers”, which resulted “in the download of compromised executables”, according to the message.

The developer released Notepad++ 8.8.9 to address the issue. According to the report, that version was hardened by adding verification steps to the update process. In other words, Notepad++ verifies the signature and the certificate of the downloaded installer (the new version). If verification fails, the update is aborted.
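The same kind of check can be run by hand on any downloaded installer. The PowerShell below is an added example, not code from Notepad++ or its WinGUp updater: it rejects a file unless its Authenticode signature is valid and the signer matches a pinned certificate thumbprint. Pinning by thumbprint is an assumption about how to do the certificate check, and the file name and thumbprint are placeholders.

```powershell
# Added example: gate an installer on its Authenticode signature and a pinned signer.
# The thumbprint is a placeholder; obtain the real value from the vendor out of band.
function Test-InstallerSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Warning "File not found: $Path"
        return $false
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # 'Valid' means the file hash matches the signature and the chain is trusted.
    # Unsigned or tampered files report NotSigned, HashMismatch, NotTrusted, etc.
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        Write-Warning "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
        return $false
    }

    # Pin the signer: a valid signature from any other certificate is still rejected.
    $actual   = $sig.SignerCertificate.Thumbprint
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
    if ($actual -ne $expected) {
        Write-Warning "Unexpected signer: $($sig.SignerCertificate.Subject) [$actual]"
        return $false
    }
    return $true
}

# Constructed usage: both values below are placeholders, not real identifiers.
$installer = Join-Path $env:TEMP 'installer-under-test.exe'
$pinned    = '<SIGNER-CERT-THUMBPRINT-FROM-VENDOR>'
if (Test-InstallerSignature -Path $installer -ExpectedThumbprint $pinned) {
    Write-Output 'Signature and signer match; installer may be run.'
} else {
    Write-Output 'Verification failed; update aborted.'
}
```

A thumbprint pin has to be refreshed whenever the vendor renews its signing certificate, so take the new value from a channel other than the download itself.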

New information comes to light

The latest version of Notepad++ is 8.9.1 at the time of writing.

Today, a new blog post was published that provides detailed information on the incident. Here are the details:

  • The Breach Method: The attack was not a vulnerability in the Notepad++ code itself, but a compromise of its hosting provider’s infrastructure.
  • The Timeline: The hijacking occurred over a six-month period, starting in June 2025 and lasting until it was discovered and shut down on December 2, 2025.
  • State-Sponsored Attribution: Security researchers (including those from HarfangLab and ESET) linked the activity to “Taidoor,” a malware strain associated with Chinese state-sponsored threat actors.
  • Targeted Delivery: The attackers used a “Man-in-the-Middle” tactic via the WinGUp updater; however, they did not target every user, instead selectively delivering malicious updates to specific IP addresses or regions.
  • Infrastructure Migration: In response, Notepad++ has completely abandoned its previous hosting provider and migrated all binaries and update manifests to a new, more secure infrastructure.
  • Enhanced Security Measures: To prevent future incidents, new versions include mandatory signature verification and certificate pinning for all automated updates.
  • User Action Required: Users are urged to ensure they are running the latest version of Notepad++ and to be wary of any version installed or updated between the June and December window.

The latest version is Notepad++ 8.9.1. You can download it from the official website to make sure that a potentially compromised version is replaced.

You can check the installed version by opening Notepad++ and selecting ? > About Notepad++, or by pressing F1.
