Notepad++ has fixed a serious security issue after hackers hijacked its update system to deliver targeted malware. The incident involved attackers secretly manipulating how software updates were delivered to certain users. Instead of receiving legitimate updates, selected victims were redirected to malicious servers. The issue has now been officially addressed, and a secure update has been released.

The attack did not affect the core Notepad++ source code. Instead, hackers compromised the hosting infrastructure that handled update requests. By gaining access to this system, they were able to control how update information was delivered. This allowed them to send harmful installers disguised as genuine updates.
According to official disclosures, the intrusion began in June 2025. Although direct server access was reportedly lost in early September, the attackers retained certain credentials. Using these credentials, they continued manipulating update responses until December 2025. This made the campaign long-running and difficult to detect.
Security researchers believe the operation was linked to a China-nexus threat group. Reports suggest the attackers were state-sponsored and focused on specific high-value targets. Organizations in government, telecommunications, and critical infrastructure sectors were reportedly among the targets. The attack was not broad and random but carefully targeted.
The compromise is classified as a supply-chain attack. In such attacks, hackers misuse trusted software distribution channels to spread malware. Because users trust automatic updates, they rarely suspect anything unusual. This makes update systems an attractive target for advanced threat actors.
The attackers exploited weaknesses in the older update mechanism, including the WinGUp updater tool. Previous versions did not fully verify update files before execution. This gap allowed manipulated installers to pass through as legitimate updates. Once executed, the malicious files could run with normal user privileges.
In response, the Notepad++ maintainer strengthened the update verification process. The latest version, 8.9.2, introduces additional security checks before any update is installed. Both the update manifest and installer signatures are now strictly verified. This “double-verification” approach is designed to prevent similar attacks in the future.
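
The double verification described above, as an added sketch that is not Notepad++ or WinGUp code. Ed25519 stands in for whatever signature schemes the project actually uses, and the `Update` type, the pinned-key model, the helper names and the sample values are all constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Update models what an update server hands the client (hypothetical fields).
type Update struct {
	Manifest, ManifestSig   []byte
	Installer, InstallerSig []byte
}

var ErrManifest = errors.New("manifest signature invalid")
var ErrInstaller = errors.New("installer signature invalid")

// VerifyUpdate checks both signatures against a publisher key pinned in the
// client, so nothing is trusted merely because the update server sent it.
func VerifyUpdate(pinned ed25519.PublicKey, u Update) error {
	if !ed25519.Verify(pinned, u.Manifest, u.ManifestSig) {
		return ErrManifest
	}
	if !ed25519.Verify(pinned, u.Installer, u.InstallerSig) {
		return ErrInstaller
	}
	return nil
}

// KeyFromSeed derives a constructed demo key pair from a repeated seed byte.
func KeyFromSeed(b byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// Sign builds a sample update whose manifest and installer are signed by priv.
func Sign(priv ed25519.PrivateKey, manifest, installer string) Update {
	m, i := []byte(manifest), []byte(installer)
	return Update{m, ed25519.Sign(priv, m), i, ed25519.Sign(priv, i)}
}

func main() {
	pub, priv := KeyFromSeed(1)
	_, other := KeyFromSeed(2) // constructed key the client does not pin
	good := Sign(priv, "version=8.9.2", "genuine installer bytes")
	bad := Sign(other, "version=8.9.2", "substituted installer bytes")
	fmt.Println(VerifyUpdate(pub, good), VerifyUpdate(pub, bad))
}
```

Because the key is pinned in the client, a response from a compromised server fails the check unless it carries signatures made with the publisher's private key, whether the manifest, the installer or both were replaced.
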
Users are strongly advised to update to version 8.9.2 directly from the official Notepad++ website. Organizations are encouraged to review systems that installed updates between June and December 2025. Security experts emphasize that trusted update systems must be continuously protected. This incident highlights how even popular software can become a target if update channels are compromised.
Stay alert, and keep your security measures updated!


