Between June and December 2025, the former hosting provider of the open source text editor Notepad++ was attacked, and it is reported that update traffic was redirected to some malicious servers.
After the incident, the hosting provider has been changed,
and it is also reported that the program has been modified internally to validate all certificates and signatures of downloaded installers.
The attackers are mentioned as likely being an organization receiving state-level support from China.
("likely a Chinese state-sponsored group")
* Blog post:
https://notepad-plus-plus.org/news/hijacked-incident-info-update/
Summary (TL;DR)
According to the former hosting provider, the shared hosting server was compromised until September 2, 2025. Even after losing server access, attackers maintained credentials to internal services until December 2, 2025, which allowed them to continue redirecting Notepad++ update traffic to malicious servers. The attackers specifically targeted Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++. All remediation and security hardening were completed by the provider by December 2, 2025, successfully blocking further attacker activity.
According to the former hosting provider, the shared hosting server was compromised until September 2, 2025. Even after losing server access, the attackers maintained credentials to internal services until December 2, 2025, which allowed them to continue redirecting Notepad++ update traffic to malicious servers.
The attackers specifically targeted the Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++. The provider successfully completed all remediation and security hardening measures by December 2, 2025, successfully blocking further attacker activity.
* Translator's note:
As written above, while the term 'likely' was used regarding the origin from China,
the developer had made related comments in the past regarding Taiwan and Uyghur, and
there is an opinion that these statements may have provoked China and made Notepad++ a target of attack.
* Related Reddit post
https://www.reddit.com/r/sysadmin/comments/1qtihcr/notepad_hijacked_by_statesponsored_hackers