Data Security, Malware, Security Operations, Threat Intelligence, Supply chain

Notepad++ update system compromised in potential state-sponsored attack

The trusted update infrastructure of the widely used Notepad++ software was compromised, allowing attackers to potentially distribute malicious binaries to users. This breach occurred not due to vulnerabilities in the software itself, but through a compromise at the hosting provider level. The incident, which began in June 2025 and continued in various forms until at least December 2, 2025, involved attackers intercepting update traffic and redirecting users to malicious servers, as reported by HackRead.

Attackers gained control of the hosting environment for notepad-plus-plus[.]org, manipulating update traffic to serve malware. The breach persisted for months, even after initial access was disrupted, with attackers retaining credentials to internal services. Investigations suggest a deliberate targeting of Notepad++ users, potentially indicating a state-sponsored operation due to the precision and patience involved. The full extent of the damage, including the number of affected users and distributed malware, remains unclear, but the software's broad use across personal, academic, and enterprise environments raises concerns about significant downstream impacts.

This incident underscores the critical risks associated with supply chain attacks and the susceptibility of trusted software distribution channels to compromise. Notepad++ has migrated its services to a new provider and implemented enhanced update validation measures, including signature and certificate verification.

Source: HackRead
