Notepad++ update service hijacked in targeted state-linked attack
- News link: https://www.theregister.co.uk/2026/02/02/notepad_plusplus_intrusion/
The admission comes after version 8.8.9 of the text editor was [1]released on December 9. The "hardened" version verified the signature and certificate of downloaded installers during the update process. On December 27, version 8.9 was [2]released, which dropped the use of a self-signed certificate. The project said: "Only the legitimate certificate issued by GlobalSign is now used to sign Notepad++ release binaries. We strongly recommend that users who previously installed the self-signed root certificate remove it."
Today, in a [3]post titled "Notepad++ Hijacked by State-Sponsored Hackers," Notepad++ confirmed the app had fallen victim to miscreants.
The exact details of the mechanism used in the exploit remain under investigation, but the problem stems from a compromised hosting server and inadequate update verification controls in older versions of the editor. According to Notepad++:
"Traffic from certain targeted users was selectively redirected to attacker-controlled servers that served malicious update manifests."
The incident began in June, according to Notepad++. The shared hosting service was compromised until September 2, and even after losing access, the attackers retained credentials for internal services until December 2. While investigations indicate the attack ended on November 10, Notepad++'s author wrote: "I estimate the overall compromise period spanned from June through December 2, 2025, when all attacker access was definitively terminated."
Security researcher Kevin Beaumont [8]noted something was afoot on December 2. "I've heard from 3 orgs now who've had security incidents on boxes with Notepad++ installed, where it appears Notepad++ processes have spawned the initial access. These have resulted in hands on keyboard threat actors."
Beaumont said the update mechanism was open to tampering, since the download could be redirected. He also noted, however, that the "activity appears very targeted," with the limited number of victims he spoke to having interests in East Asia.
The Notepad++ author wrote that several independent security researchers reckon the threat actor was likely a Chinese state-sponsored group, "which would explain the highly selective targeting observed during the campaign."
Chinese cyberspies have a lengthy track record when it comes to computer and network intrusion. In December, [13]CISA warned that individuals from the country wormed their way into critical US networks, maintaining access for years in some cases.
The Register contacted the author of Notepad++ for more information and will update this piece should any be forthcoming. In the meantime, it would be prudent to check and remove the previously installed Notepad++ root certificate, and manually download and install the latest release.
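The two checks the article recommends, as an added PowerShell example that is not from The Register or the Notepad++ project: it looks for a leftover self-signed root certificate in the Windows trusted-root stores and verifies that a manually downloaded installer carries a valid Authenticode signature chaining to a GlobalSign root. The installer path is a placeholder, and the self-signed root is matched only on a subject containing "Notepad", since the page does not give its exact subject.

```powershell
# Added example (not the article's or the project's code). Assumptions: the
# installer path is a placeholder; the old self-signed root is identified by a
# subject containing "Notepad" (its exact subject is not stated in the article).
param(
    [string]$InstallerPath = 'C:\Downloads\npp.Installer.x64.exe'  # placeholder
)

# 1. A self-signed root has Subject == Issuer. Check both user and machine stores.
$stores = 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root'
$suspect = foreach ($s in $stores) {
    Get-ChildItem -Path $s -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -eq $_.Issuer -and $_.Subject -match 'Notepad' }
}
if ($suspect) {
    $suspect | Select-Object PSPath, Subject, Thumbprint, NotAfter | Format-List
    # Dry run; drop -WhatIf once the listed certificates have been reviewed.
    $suspect | Remove-Item -WhatIf
} else {
    Write-Output 'No self-signed Notepad++-named root certificate found.'
}

# 2. The installer must have a valid signature whose chain ends at a GlobalSign root.
if (Test-Path -Path $InstallerPath) {
    $sig = Get-AuthenticodeSignature -FilePath $InstallerPath
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status is '$($sig.Status)'; do not run this installer."
        return
    }
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep the check offline
    $null = $chain.Build($sig.SignerCertificate)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    Write-Output "Signer : $($sig.SignerCertificate.Subject)"
    Write-Output "Root   : $($root.Subject)"
    # A signer that is its own root is self-signed; anything not anchored at
    # GlobalSign does not match what the project says it now signs with.
    if ($root.Subject -eq $sig.SignerCertificate.Subject -or $root.Subject -notmatch 'GlobalSign') {
        Write-Warning 'Installer is self-signed or not chained to a GlobalSign root; treat as untrusted.'
    } else {
        Write-Output 'Installer signature chains to a GlobalSign root.'
    }
}
```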
Beaumont commended Notepad++, [15]saying on Mastodon: "Notepad++ dev did a great job treating issue seriously."
As for Notepad++, the apologies were profuse. The project's website has since moved to a new hosting provider "with significantly strong practices" and the update process has been hardened. "Certificate & signature verification will be enforced starting with upcoming v8.9.2, expected in about one month."
"With these changes and reinforcements, I believe the situation has been fully resolved. Fingers crossed." ®
[1] https://notepad-plus-plus.org/news/v889-released/
[2] https://notepad-plus-plus.org/news/v89-released/
[3] https://notepad-plus-plus.org/news/hijacked-incident-info-update/
[8] https://doublepulsar.com/small-numbers-of-notepad-users-reporting-security-woes-371d7a3fd2d9
[13] https://www.theregister.com/2025/12/04/prc_spies_brickstorm_cisa/
[15] https://mastodon.social/@GossiTheDog@cyberplace.social/116000625318191390
MR
The link to Kevin's blog thing in the article has some details - https://doublepulsar.com/small-numbers-of-notepad-users-reporting-security-woes-371d7a3fd2d9
It did feel like something was up! The past few months it has taken longer than expected to check for a new version via the auto updater.
Good advice but unclear what to do with it
"In the meantime, it would be prudent to check and remove the previously installed Notepad++ root certificate, and manually download and install the latest release."
Ok, and how-to if it applies? I use only the portable version which shows its GlobalSign certificate.
6 months to notice and then another 2 months to notify their install base is shocking in 2025/6.
Also looks like they were hosted on a shared VPS.
Add these in:
https://github.com/notepad-plus-plus/notepad-plus-plus/issues/4071
https://github.com/notepad-plus-plus/notepad-plus-plus/issues/16806
Sorry chaps - appreciate all your hard work with this, but you're just not fit for purpose in 2026. We live in dangerous times, and you're still stuck in the 1990s.
We've wiped it on all our managed computers after this news and blocked the binary from being able to be run. Anyone who continues using this for anything beyond hobby projects on a personal PC needs their bumps feeling.
Impact?
Hi, I read the linked post on the Notepad++ site, but can't find any references to what the implications are. Should we be looking for other malware installation? Port manipulation? etc. Anybody have more specific info?