A suspected attack by Chinese state-sponsored hackers has compromised the update mechanism of Notepad++, a popular text and source code editor. The software’s maintainer, Don Ho, confirmed the incident on Monday, noting that the attackers hijacked the update process by breaching the project’s shared hosting server and redirecting traffic intended for notepad-plus-plus.org.

The attack appears to date back to June 2025; in December, security researcher Kevin Beaumont disclosed that multiple organizations had experienced security incidents tied to Notepad++ processes. He said three specific organizations, each with interests in East Asia, had been targeted, following thorough reconnaissance by the attackers in the preceding months.

The breach exploited vulnerabilities in Notepad++’s updater mechanism, WinGUP. Until the release of version 8.8.8 in mid-November 2025, the updater code did not adequately prevent changes to the source from which updates are downloaded; from that version on, updates could only be downloaded from GitHub. Moreover, prior to version 8.8.9, the updater had no integrity checks to verify the authenticity of the downloaded files.

Beaumont highlighted that since traffic to notepad-plus-plus.org is relatively low, hackers might have successfully redirected users at the ISP level, allowing malicious updates to be delivered. The attack was attributed to a group known as Zirconium, also referred to as Violet Typhoon, believed to be connected to Chinese state-sponsored activities.

The shared hosting server remained compromised until September 2, 2025, but the attackers retained access to internal service credentials until early December, leaving an ongoing risk that traffic could be redirected to compromised update servers. The hosting provider confirmed it has since remedied the vulnerabilities that were exploited.

In response to the breach, Notepad++ has migrated its website to a new hosting provider and strengthened the WinGUP updater with improved validation, so that downloaded installers are verified for both certificate and signature authenticity. Furthermore, starting with the upcoming version 8.9.2, the XML file containing the download URLs will itself be signed, closing another avenue for future attacks.
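The two updater weaknesses described above (an unpinned download source and no integrity check on the downloaded file) and the two fixes (verified installers and a signed update manifest) are easiest to see in code. The following is an added example, not WinGUP's or Notepad++'s code: a minimal update client that refuses any download location outside an allowlist and verifies both the manifest and the installer bytes before anything would be executed. The element names, the allowlist, the demo key and the sample data are all assumptions constructed for the demo; the manifest is authenticated with an HMAC as a stand-in for the asymmetric signature the article says version 8.9.2 introduces, so the example runs offline with only the standard library.

```python
"""Added example (not WinGUP's or Notepad++'s code): update-client checks that
pin the download host and verify the manifest and installer before execution.
All names below are hypothetical; HMAC stands in for a real signature."""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumption: after the fix, installers may only be fetched from this host.
ALLOWED_DOWNLOAD_HOSTS = {"github.com"}


class UpdateRejected(Exception):
    """Any verification failure; the caller must not run the installer."""


def sign_manifest(body: bytes, key: bytes) -> bytes:
    """Server side of the stand-in scheme: hex tag, newline, then the XML body."""
    return hmac.new(key, body, hashlib.sha256).hexdigest().encode() + b"\n" + body


def verify_manifest(signed_manifest: bytes, key: bytes) -> dict:
    """Authenticate the manifest, then validate the download location it names.

    The tag is checked BEFORE the XML is parsed, so a tampered body is never
    interpreted. The host allowlist is enforced independently of the tag, so a
    correctly signed manifest pointing at a hijacked host is still rejected.
    """
    tag_line, _, body = signed_manifest.partition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag_line.strip(), expected):
        raise UpdateRejected("manifest signature check failed")
    root = ET.fromstring(body)  # hypothetical <Update><Location/><Sha256/></Update>
    url = root.findtext("Location") or ""
    digest = (root.findtext("Sha256") or "").lower()
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.hostname not in ALLOWED_DOWNLOAD_HOSTS:
        raise UpdateRejected(f"download host not allowed: {parsed.hostname!r}")
    if len(digest) != 64:
        raise UpdateRejected("manifest carries no usable installer digest")
    return {"url": url, "sha256": digest}


def verify_installer(installer: bytes, expected_sha256: str) -> bool:
    """Integrity check on the downloaded bytes; a mismatch means do not execute."""
    actual = hashlib.sha256(installer).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256):
        raise UpdateRejected("installer digest mismatch")
    return True


# --- constructed sample data (not real keys, URLs or installers) -------------
DEMO_KEY = b"demo-manifest-key"
FAKE_INSTALLER = b"MZ\x90\x00 constructed installer bytes"
GOOD_XML = (
    b"<Update><Location>https://github.com/example/npp/releases/installer.exe"
    b"</Location><Sha256>" + hashlib.sha256(FAKE_INSTALLER).hexdigest().encode()
    + b"</Sha256></Update>"
)
HIJACKED_XML = GOOD_XML.replace(b"github.com", b"attacker.example")


def run_demo() -> dict:
    """Exercise the good path and three failure modes; returns what was accepted."""
    results = {}
    info = verify_manifest(sign_manifest(GOOD_XML, DEMO_KEY), DEMO_KEY)
    results["good"] = verify_installer(FAKE_INSTALLER, info["sha256"])
    cases = {
        # Properly signed, but the location was redirected to another host.
        "hijacked_host": sign_manifest(HIJACKED_XML, DEMO_KEY),
        # Body edited after signing: the tag no longer matches.
        "tampered_body": sign_manifest(GOOD_XML, DEMO_KEY).replace(b"releases", b"rele@ses"),
    }
    for name, manifest in cases.items():
        try:
            verify_manifest(manifest, DEMO_KEY)
            results[name] = True
        except UpdateRejected:
            results[name] = False
    try:  # Installer bytes altered in transit: digest no longer matches.
        verify_installer(FAKE_INSTALLER + b"x", info["sha256"])
        results["modified_installer"] = True
    except UpdateRejected:
        results["modified_installer"] = False
    return results


if __name__ == "__main__":
    print(run_demo())
```

The order of checks matters: the manifest is authenticated before it is parsed, the host allowlist is applied even to a correctly signed manifest, and the installer digest is compared before anything is launched. Each of the three rejected cases in `run_demo` corresponds to one step of the hijack the article describes being stopped at a different layer.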

Although Notepad++ is widely used by IT and development professionals worldwide, this incident targeted a small number of organizations. Beaumont advised against panic, suggesting instead that businesses monitor for specific behaviors, such as unexpected network requests from gup.exe and unexpected processes spawned by the installer. Organizations that manage Notepad++ installations centrally may also consider restricting access to the Notepad++ website or limiting gup.exe’s internet connectivity.

As Notepad++ takes robust steps to bolster its security infrastructure, this incident serves as a crucial reminder of the need for vigilance in the face of evolving cyber threats.
