Suspected Chinese state-sponsored hackers hijacked the Notepad++ update mechanism and silently redirected some users to malicious update servers. They did this by compromising the update delivery infrastructure rather than the editor’s source code. The selective “on-path” campaign, active from June to December 2025 and likened to the ShadowHammer ASUS incident, prompted developers to move hosting and release version 8.9.1 with additional security controls, and users were urged to upgrade.
Key points
- Notepad++’s update mechanism was hijacked to redirect some users to malicious update servers.
- The compromise occurred at the update delivery infrastructure level, not in the editor’s source code.
- Attackers used selective “on-path” redirections, affecting only a subset of users between June and December 2025.
- Independent researchers attributed the activity to a suspected Chinese state-sponsored actor, though attribution is inherently difficult.
- Developers migrated update hosting and released version 8.9.1 with added security controls, urging users to upgrade.
Read More: https://therecord.media/popular-text-editor-hijacked-by-suspected-state-sponsored-hackers