https://notepad-plus-plus.org/news/hijacked-incident-info-update

Chinese state-sponsored threat actors successfully compromised the Notepad++ update infrastructure for nearly half a year, intercepting and redirecting update requests from targeted users to malicious servers that delivered tampered software packages, according to an official announcement from the developer. The attack, which security researchers attribute to the sophisticated Chinese APT group Lotus Blossom, also known as Raspberry Typhoon, exploited security weaknesses in the update verification controls of older Notepad++ versions to selectively target specific users. The breach affected the popular open-source text and source code editor used by tens of millions of Windows users worldwide, with multiple independent security researchers confirming the campaign’s narrow targeting scope consistent with state-sponsored operations.

The compromise began in June 2025 when attackers breached a hosting provider’s server running the Notepad++ update application, enabling them to perform targeted traffic redirections to their malicious infrastructure. The threat actors temporarily lost access in early September when the server underwent kernel and firmware updates, but quickly regained their foothold using previously stolen internal service credentials that had not been rotated. The attackers maintained persistent access until December 2, 2025, when the hosting provider finally detected and terminated the breach. Security researchers have warned that at least three organisations experienced these update hijacks followed by hands-on network reconnaissance activity, highlighting the sophisticated post-compromise operations conducted by the attackers.

Notepad++ responded by releasing version 8.8.9 in December to address the security vulnerability in its WinGUp update tool, implementing cryptographic signature verification for both installer certificates and update manifests to prevent future tampering. The developer has since migrated to a new hosting provider with enhanced security measures, rotated all potentially compromised credentials, and plans to enforce mandatory certificate signature verification in the upcoming version 8.9.2 expected within a month.
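The two client-side checks described above (a signed update manifest, and an installer bound to that manifest), as an added illustration that is not WinGUp's or Notepad++'s own code: the client accepts an update only when the manifest verifies under a public key pinned in the client and the downloaded installer hashes to the value the signed manifest names. The Manifest format, its field names and the Ed25519 keypair are assumptions made for the example; the separate installer-certificate check the release notes mention is platform-specific and not shown.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

type Manifest struct { // constructed manifest format for this example, not WinGUp's real one
	Version string `json:"version"`
	SHA256  string `json:"sha256"` // hex digest of the installer this manifest vouches for
}

// signManifest is the publisher-side step, included only so the example runs end to end; the private key never ships to clients.
func signManifest(priv ed25519.PrivateKey, m Manifest) ([]byte, []byte, error) {
	b, err := json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return b, ed25519.Sign(priv, b), nil
}

// verifyUpdate is the client-side check: the manifest must verify under the pinned key, and the installer must hash
// to the value that signed manifest names. A hijacked server can swap files, but cannot mint an accepted manifest.
func verifyUpdate(pinnedPub ed25519.PublicKey, manifestJSON, sig, installer []byte) (*Manifest, error) {
	if !ed25519.Verify(pinnedPub, manifestJSON, sig) {
		return nil, errors.New("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, fmt.Errorf("manifest unparsable: %w", err)
	}
	if sum := sha256.Sum256(installer); hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, errors.New("installer hash does not match signed manifest: refusing update")
	}
	return &m, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // pub is what the client would pin
	genuine := []byte("constructed genuine installer bytes")
	mj, sig, _ := signManifest(priv, Manifest{Version: "8.8.9", SHA256: fmt.Sprintf("%x", sha256.Sum256(genuine))})
	_, okErr := verifyUpdate(pub, mj, sig, genuine)
	_, swapErr := verifyUpdate(pub, mj, sig, []byte("constructed swapped installer")) // manifest intact, file swapped
	_, attackerKey, _ := ed25519.GenerateKey(nil) // attacker re-signs with a key the client does not pin
	fj, fsig, _ := signManifest(attackerKey, Manifest{Version: "8.8.9", SHA256: "00"})
	_, forgeErr := verifyUpdate(pub, fj, fsig, genuine)
	fmt.Printf("genuine: %v\nswapped installer: %v\nforged manifest: %v\n", okErr, swapErr, forgeErr)
}
```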