The Notepad++ developer says Chinese state-sponsored actors hijacked update traffic by compromising a hosting provider and selectively redirecting certain users to malicious servers from June until the breach was detected in December 2025. Notepad++ has migrated hosting, rotated credentials, fixed WinGUp verification, released v8.8.9, and recommends users change credentials and update affected components.
Keypoints
- Chinese state-sponsored actors likely hijacked Notepad++ update traffic between June and December 2025.
- Attackers intercepted and selectively redirected update requests to malicious servers using a hosting provider compromise.
- The campaign exploited weak update verification in older WinGUp versions to serve tampered update manifests.
- Notepad++ released v8.8.9 with installer certificate and signature verification and plans mandatory checks in v8.9.2.
- Users are advised to rotate SSH/FTP/MySQL credentials, review WordPress accounts, update plugins/themes, and check for signs of compromise.
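
The key points above say the fix was certificate and signature verification of the installer. The following PowerShell check is an added example, not Notepad++ or WinGUp code, showing how a defender can apply the same idea by hand to a downloaded installer. The function name, the file path and the thumbprint value are assumptions; take the real signer thumbprint from the vendor's official release announcement over a separate channel.

```powershell
# Added example: verify a downloaded installer before running it.
# Test-InstallerSignature is a hypothetical helper name, not a built-in cmdlet.
function Test-InstallerSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Placeholder input: the pinned signer certificate thumbprint.
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    $sig     = Get-AuthenticodeSignature -LiteralPath $Path
    $reasons = @()

    # 'Valid' means the file hash matches the signature and the chain is trusted.
    # A tampered or unsigned file reports HashMismatch, NotSigned, and so on.
    if ($sig.Status -ne 'Valid') {
        $reasons += "signature status is $($sig.Status)"
    }

    # A valid signature from an unexpected publisher is still a failure:
    # pin the signer certificate instead of accepting any trusted chain.
    $actual = $null
    $signer = $null
    if ($sig.SignerCertificate) {
        $actual = $sig.SignerCertificate.Thumbprint
        $signer = $sig.SignerCertificate.Subject
    }
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
    if ($actual -ne $expected) {
        $reasons += "signer thumbprint '$actual' does not match the pinned value"
    }

    [pscustomobject]@{
        Path    = $Path
        Sha256  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Status  = $sig.Status
        Signer  = $signer
        Trusted = ($reasons.Count -eq 0)
        Reasons = $reasons -join '; '
    }
}

# Usage (constructed path, placeholder thumbprint):
# Test-InstallerSignature -Path 'C:\Temp\installer.exe' -ExpectedThumbprint '<PINNED-THUMBPRINT>'
```

Checking the signature status alone is not enough when the download channel can be redirected, because an attacker can serve a file that is validly signed by a different publisher; the thumbprint pin is what ties the file to the expected signer.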