Notepad++ hit by suspected Chinese state-sponsored hackers - here's what we know so far
Notepad++ targeted in worrying attack
- Notepad++ targeted in sophisticated supply-chain style attack via compromised hosting server
- Attackers delivered tainted updates to select victims, exploiting weak update verification controls
- Breach lasted from June to December 2025, likely tied to Chinese state-sponsored actors, prompting migration to new hosting and hardened update verification
Notepad++ has confirmed it was the victim of a highly targeted and sophisticated cyberattack, most likely conducted by a Chinese state-sponsored threat actor.
In a security notice published on the project’s website, the company explained that attackers compromised the shared hosting provider’s server and used it to deliver tainted updates to a handful of carefully selected victims.
“We discovered the suspicious events in our logs, which indicate that the server could have been compromised,” the notice said, citing information from the hosting provider. “Based on our logs, we see no other clients hosted on this particular server being targeted. The bad actors specifically searched for [Notepad++] domain with the goal to intercept the traffic to your website, as they might know the then-existing Notepad++ vulnerabilities related to insufficient update verification controls.”
Highly targeted, sophisticated attack
The project’s developer explained that an external investigation also determined that the breach took place in June 2025, with the attackers retaining access until September 2025, when a patch kicked them out.
However, since they retained the credentials, they were able to continue the attacks until early December 2025, when a password rotation finally stopped the intrusion.
The attacks did not involve Notepad++’s code in any way. Instead, the attackers used server access to deliver tainted patches to carefully picked targets. According to the investigators, the attackers, most likely Chinese state-sponsored, engaged in “highly selective” targeting.
“The attackers specifically targeted Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++,” the notice reads. “All remediation and security hardening were completed by the provider by December 2, 2025, successfully blocking further attacker activity.”
It is not known which particular group was behind this attack, nor who it was targeting. However, Notepad++ migrated to a new hosting provider, and the updater itself was updated in v8.8.9 to verify both the certificate and the signature of the downloaded installer. Furthermore, the XML returned by the update server is now signed as well, and the certificate and signature verification will be enforced starting with the upcoming v8.9.2, expected in about one month.
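The following is an added example, not code from Notepad++ or from the security notice, of the kind of client-side check described above: the updater accepts an installer only if the update manifest is signed by a key pinned in the client and the downloaded bytes match the digest that signature covers. It uses Go's standard-library Ed25519 as a stand-in for the project's certificate and XML signature scheme; the manifest fields, URLs, version string and key are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor, not Notepad++'s real XML
// schema. canonical returns the exact bytes the publisher signs.
type Manifest struct{ Version, URL, SHA256 string }

func (m Manifest) canonical() []byte {
	return []byte(m.Version + "\n" + m.URL + "\n" + m.SHA256 + "\n")
}

var ErrManifestSig = errors.New("manifest not signed by pinned publisher key")
var ErrInstaller = errors.New("installer does not match signed digest")

// VerifyUpdate trusts nothing the server sends unless the manifest verifies
// against the pinned key and the installer hashes to the signed digest.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, sig, installer []byte) error {
	if !ed25519.Verify(pinned, m.canonical(), sig) {
		return ErrManifestSig
	}
	if sum := sha256.Sum256(installer); hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrInstaller
	}
	return nil
}

// RunScenarios uses constructed data: a throwaway key and fake installer bytes.
func RunScenarios() (genuine, swapped, forged error) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	good, evil := []byte("genuine installer"), []byte("tainted installer")
	sum := sha256.Sum256(good)
	m := Manifest{"9.9.9", "https://updates.example/npp.exe", hex.EncodeToString(sum[:])}
	sig := ed25519.Sign(priv, m.canonical())
	genuine = VerifyUpdate(pub, m, sig, good)
	swapped = VerifyUpdate(pub, m, sig, evil) // server swaps only the binary
	evilSum := sha256.Sum256(evil)
	m.URL, m.SHA256 = "https://attacker.example/npp.exe", hex.EncodeToString(evilSum[:])
	forged = VerifyUpdate(pub, m, sig, evil) // server rewrites the manifest too
	return
}

func main() { fmt.Println(RunScenarios()) }
```

Because the private key never resides on the hosting server, control of that server alone is not enough to make either the swapped installer or the rewritten manifest pass verification.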

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.