The popular text editor Notepad++ recently disclosed that its update traffic was likely hijacked by state-sponsored threat actors, believed to be from China. This sophisticated supply chain attack reportedly occurred between June and December 2025, affecting users who downloaded or updated the software during this period.
Details of the Compromise
Security researchers and Notepad++ itself confirmed that the attackers did not compromise the software’s code directly. Instead, they targeted the underlying infrastructure responsible for delivering updates. This meant that the trust model for software updates was broken, potentially exposing users even if they followed best practices.
The incident was characterized by highly selective targeting, a hallmark often associated with state-sponsored operations. For nearly half a year, malicious actors rerouted update requests to their own controlled servers, allowing them to potentially distribute compromised versions of the software to specific targets.
What This Means for Users
Users who downloaded or updated Notepad++ between June and December 2025 might have had their systems compromised by this advanced persistent threat. The nature of the attack, focusing on the update mechanism, made it particularly insidious as it bypassed typical software integrity checks.
Recommendations for Notepad++ Users
- Verify Software Integrity: Check the SHA-256, SHA-1, and MD5 hashes of your Notepad++ installation against known-good release hashes provided by the official Notepad++ website. Tools exist to help automate this verification process.
- Review Installed Applications: Consider uninstalling any applications that are not strictly necessary, especially those with auto-update capabilities, to reduce the attack surface.
- Exercise Caution with Auto-Updates: While auto-updates are crucial for security, this incident highlights the risks associated with compromised update infrastructure. Users should remain vigilant and monitor official announcements from software vendors.
The official Notepad++ announcement provides further details and guidance on the incident: Notepad++ Hijacked by State-Sponsored Hackers
