Notepad++’s official update system was compromised in a targeted supply-chain attack. According to the developers, the incident did not stem from a vulnerability in the Notepad++software itself, but from a breach at the infrastructure level involving a third-party hosting provider.
Timeline: The initial compromise is believed to have started in June 2025. The attacker reportedly lost access to the main server by September 2, 2025, but maintained access to internal services used for redirecting updates until December 2, 2025.
Targeting: The attack was highly selective rather than widespread. Malicious updates were delivered only to a limited group of users, with update traffic from specific IP ranges or geographic regions.
Targets
The attack was highly selective. Rather than infecting all Notepad++ users, the attackers targeted specific entities, including:
- Telecommunications and financial organizations.
- Government organizations
- IT service providers.
- Specific individuals in Vietnam, El Salvador, and Australia.
Attribution: Security researchers have attributed the activity to a Chinese nation-state actor known as Violet Typhoon (also tracked as APT31).
Attack Method and Execution
- Attack Mechanism:
Attackers were able to intercept and redirect traffic between the Notepad++ updater (GUP.exe) and the official update server. This tricked the updater into downloading a malicious file instead of a legitimate update.
- Malicious Payloads:
Between July and October 2025, attackers deployed different infection chains. One early payload was a malicious NSIS installer (masquerading as update.exe) that, when executed, would collect system information and send it to a command-and-control serve
Notepad ++ Response and Mitigation
- Safer Infrastructure: Notepad++ moved its website and update systems to a new hosting provider with much stronger security controls.
- Stronger Update Protection: The update mechanism was reinforced with extra verification checks to ensure downloaded files are genuine and cannot be silently redirected.
- Critical Software Update: Users were advised to upgrade to version 8.8.9 or later, which fixes the weakness that allowed the WinGUp updater to be misled by malicious network redirection.
Recommendation
- Update Notepad++: Ensure that you are using the latest version of Notepad++. Manually download the most recent version from the official Notepad++ website to avoid any compromised updates.
- Disable Automatic Updates: Temporarily turn off automatic updates until the update process is confirmed secure.
- Conduct Security Audits: Perform security audits on systems that have used Notepad++ during the affected period to identify any signs of unauthorized access or unusual activity.
- Implement Security Best Practices: Utilize endpoint protection solutions to detect and block potential threats.
.png)
.png)