Notepad++ confirmed a months-long compromise of its update infrastructure in which state-sponsored actors hijacked the update mechanism to deliver malicious payloads to select targets. The project has migrated hosting and overhauled WinGup in version 8.8.9 to add certificate and signature verification and XMLDSig, and it urges users to update immediately. #NotepadPlusPlus #WinGup #NotepadPlusPlusDotOrg #XMLDSig #ChineseStateSponsoredGroup
Keypoints
- The Notepad++ update infrastructure was compromised from June to December 2025, allowing attackers to serve malicious updates to select targets.
- Attackers hijacked the shared hosting provider and redirected traffic from notepad-plus-plus.org to attacker-controlled servers.
- Malicious updates were highly selective, delivered only to specific users, indicating a well-resourced adversary.
- Independent researchers attribute the campaign to a likely Chinese state-sponsored group and found older WinGup lacked sufficient verification.
- Notepad++ migrated hosting, released WinGup changes in version 8.8.9 with certificate/signature checks and XMLDSig, and urges users to update immediately.
Read More: https://securityonline.info/notepad-hijacked-state-sponsored-actors-poisoned-updates-for-months/