Notepad++ User Notice: Chinese Hacking Group Spreading Malicious Updates

122.50.***.***
3

Between June and December 2025, the former hosting provider of the open source text editor Notepad++ was attacked, and it is reported that update traffic was redirected to some malicious servers.


After the incident, the hosting provider has been changed,

and it is also reported that the program has been modified internally to validate all certificates and signatures of downloaded installers.

The attackers are mentioned as likely being an organization receiving state-level support from China.

("likely a Chinese state-sponsored group")


* Blog post:

https://notepad-plus-plus.org/news/hijacked-incident-info-update/

Summary (TL;DR)
According to the former hosting provider, the shared hosting server was compromised until September 2, 2025. Even after losing server access, attackers maintained credentials to internal services until December 2, 2025, which allowed them to continue redirecting Notepad++ update traffic to malicious servers. The attackers specifically targeted Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++. All remediation and security hardening were completed by the provider by December 2, 2025, successfully blocking further attacker activity.

According to the former hosting provider, the shared hosting server was compromised until September 2, 2025. Even after losing server access, the attackers maintained credentials to internal services until December 2, 2025, which allowed them to continue redirecting Notepad++ update traffic to malicious servers.

The attackers specifically targeted the Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++. The provider successfully completed all remediation and security hardening measures by December 2, 2025, successfully blocking further attacker activity.


* Translator's note:

As written above, while the term 'likely' was used regarding the origin from China,

the developer had made related comments in the past regarding Taiwan and Uyghur, and

there is an opinion that these statements may have provoked China and made Notepad++ a target of attack.


* Related Reddit post

https://www.reddit.com/r/sysadmin/comments/1qtihcr/notepad_hijacked_by_statesponsored_hackers

로그인한 회원만 댓글 등록이 가능합니다.

자유게시판

KR | ID | EN
  • IDR
  • KOR
8.34 0.01

2026.07.10 KEB 하나은행 고시회차 1694회

다가오는 한인 행사일정

  • 등록 된 일정이 없어요!