Notepad++ updates were hijacked for months and could have been spying for China

Users of the text and code editor Notepad++ may have unknowingly downloaded a malicious update to the app after its shared hosting servers were hijacked last year. On Monday, the app’s developer, Don Ho, posted an update on the attack with more details, including that the hackers were “likely a Chinese state-sponsored group” and that the app’s servers were vulnerable for about six months, from June to December 2, 2025.

The message explains that the hijacking occurred at the app’s unnamed, now former hosting provider, and states that “traffic from certain targeted users was selectively redirected to attacker-controlled malicious update manifests.” When victims were redirected, their app update could be replaced with a malicious executable file that, according to independent cybersecurity expert Kevin Beaumont, may have given the hackers remote access to a victim’s keyboard.

Don Ho’s post also adds that the attack involved “highly selective targeting” in terms of the victims who were redirected from the legitimate Notepad++ website. Kevin Beaumont noted that the victims he spoke to “are [organizations] with interests in East Asia.” While this is a serious security issue, it is possible that the hackers were monitoring specific people rather than just anyone.

The developer did not specify when they became aware of the attack, but said that “all access to attackers was permanently terminated” on December 2. The Notepad++ updater itself has been updated with stronger security measures to check for tampering and verify that updates are legitimate.

Notepad++ users should make sure they are running at least version 8.8.9, which addressed the vulnerabilities of the hijack attack, and they should probably download that version directly from the Notepad++ website. Additionally, Kevin Beaumont advised users to double-check that they are not using an unofficial version of Notepad++, closely monitor the activity of “gup.exe,” the app’s updater, and check for a suspicious “update.exe” or “AutoUpdater.exe” file in their TEMP folder.
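The checks in the paragraph above can be run as a point-in-time PowerShell triage. This is an added example, not code from Notepad++ or from Kevin Beaumont; the function name, the default install paths and the signature and hash details are assumptions, and a row marked for review is a lead to examine, not a verdict.

```powershell
# Added example: point-in-time triage for the checks named in the article.
function Get-NppUpdateTriage {   # hypothetical helper name
    $minVersion = [version]'8.8.9'                  # minimum version named in the article
    $dropNames  = 'update.exe', 'AutoUpdater.exe'   # file names named in the article

    # 1. Installed version. Assumption: default install directories.
    foreach ($dir in "$env:ProgramFiles\Notepad++", "${env:ProgramFiles(x86)}\Notepad++") {
        $exe = Join-Path $dir 'notepad++.exe'
        if (-not (Test-Path -LiteralPath $exe)) { continue }
        $vi = (Get-Item -LiteralPath $exe).VersionInfo
        # Assumption: the numeric file-version fields carry the release number.
        $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart)
        [pscustomobject]@{ Check = 'Version'; Item = $exe; Detail = "$ver"
                           Review = ($ver -lt $minVersion) }
    }

    # 2. Named executables in the current user's TEMP folder (top level only).
    Get-ChildItem -LiteralPath $env:TEMP -File -ErrorAction SilentlyContinue |
        Where-Object { $dropNames -contains $_.Name } |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            [pscustomobject]@{ Check = 'TEMP file'; Item = $_.FullName
                               Detail = "sig=$($sig.Status) sha256=$hash created=$($_.CreationTime.ToString('s'))"
                               Review = $true }
        }

    # 3. Processes currently running as children of gup.exe, the updater.
    $procs = Get-CimInstance -ClassName Win32_Process
    foreach ($gup in $procs | Where-Object { $_.Name -ieq 'gup.exe' }) {
        $procs | Where-Object { $_.ParentProcessId -eq $gup.ProcessId } |
            ForEach-Object {
                [pscustomobject]@{ Check = 'gup.exe child'; Item = $_.ExecutablePath
                                   Detail = $_.CommandLine; Review = $true }
            }
    }
}

Get-NppUpdateTriage | Format-List
```

The process check only sees what is running at that moment; continuous monitoring of gup.exe needs process-creation logging from an EDR or similar tooling.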

Notably, Don Ho, the developer of Notepad++, criticized the Chinese government in a 2019 app update. He called that version the “Free Uyghur” edition, and told The Verge at the time that his website suffered DDoS attacks in response.
