Hackers Exploit Hosting Provider to Target Notepad++ Users

Deepanker Verma February 2, 2026 Security


Notepad++, one of the most widely used free source code editors, has confirmed that it was hit by a serious supply chain attack that allowed hackers to push malicious updates to a small number of users. The project’s maintainer, Don Ho, said the incident was not caused by a bug in Notepad++ itself, but by a compromise of the hosting provider that served its update traffic.

The issue first came to public attention in December 2025, when security researcher Kevin Beaumont reported that a few organizations had received tampered Notepad++ updates. According to his findings, the victims included telecom and financial services companies in East Asia. It felt like a highly targeted campaign rather than a mass attack.

In a detailed disclosure shared this week, Don Ho explained that external security experts and the hosting provider jointly investigated the incident. Their analysis shows that attackers managed to compromise the infrastructure of the shared hosting provider that handled traffic for notepad-plus-plus.org. This allowed the attackers to intercept update requests from specific users and redirect them to attacker-controlled servers that delivered malicious update manifests.

Investigators found no evidence that Notepad++ source code was altered or that vulnerabilities in the application were exploited. Instead, the attack relied on controlling the delivery path. Only carefully selected users were affected, which strongly points to a state-backed threat actor. Multiple independent researchers believe the group behind the attack is likely sponsored by the Chinese government, based on the level of access, patience, and selective targeting involved.

The timeline of the attack is also concerning. The hosting provider determined that the server used by Notepad++ was compromised as early as June 2025. Although scheduled maintenance in early September included kernel and firmware updates, the attackers had already stolen credentials that allowed them to retain access to internal systems until December 2. During this window, they were able to quietly manipulate update traffic without raising alarms.

Notepad++ has since moved its infrastructure to a new hosting provider and introduced stronger client-side protections. Recent versions of the software now perform stricter checks to verify the integrity and authenticity of update files before installing them. These changes are meant to reduce the risk of similar attacks in the future, even if a hosting environment is compromised again.

This incident is alarming and raises bigger questions for the software ecosystem. Many open source projects rely on shared hosting providers to keep costs low. While the code may be secure, the infrastructure that delivers updates often does not get the same level of scrutiny. As this case shows, attackers do not always need to find a flaw in the software. Controlling the update pipeline can be enough.

Users should make sure they are running the latest version of Notepad++ downloaded from the official website. Organizations should also review how automatic updates are handled across all critical tools and consider adding extra layers of verification. Supply chain attacks like this tend to stay invisible for months, and by the time they are discovered, the damage is often already done.
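As an added illustration of such an extra verification layer (this is not code from Notepad++ or from the article, and the article does not describe the exact checks the updater performs), an organization can gate any downloaded installer on a pinned code-signing certificate and a hash obtained over a separate channel, so that trust does not depend on the server that delivered the file. The function name and all pinned values are assumptions and placeholders.

```powershell
# Added example: gate an update installer on a pinned signer and an out-of-band hash.
# Test-UpdateInstaller is a hypothetical helper; pinned values are PLACEHOLDERS.
function Test-UpdateInstaller {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $PinnedThumbprint,  # recorded from a known-good release
        [string] $ExpectedSha256                            # obtained over a separate channel
    )
    $reasons = [System.Collections.Generic.List[string]]::new()

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $reasons.Add("file not found: $Path")
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reasons = $reasons }
    }

    # 1. Authenticode: the signature must verify and chain to a trusted root.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        $reasons.Add("signature status is $($sig.Status)")
    }

    # 2. Pin the signer: a valid signature from any other publisher is still a reject.
    $actual = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
    $pinned = ($PinnedThumbprint -replace '\s', '').ToUpperInvariant()
    if ($actual -ne $pinned) {
        $reasons.Add("signer thumbprint '$actual' does not match the pinned value")
    }

    # 3. Optional: compare against a hash that did not travel with the download.
    if ($ExpectedSha256) {
        $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        if ($hash -ne $ExpectedSha256.Trim().ToUpperInvariant()) {
            $reasons.Add("SHA-256 $hash does not match the expected value")
        }
    }

    [pscustomobject]@{ Path = $Path; Trusted = ($reasons.Count -eq 0); Reasons = $reasons }
}

# Constructed invocation; replace every placeholder before use.
$result = Test-UpdateInstaller -Path 'C:\Temp\update-installer.exe' `
    -PinnedThumbprint '<PINNED-SIGNER-THUMBPRINT>' `
    -ExpectedSha256 '<EXPECTED-SHA256>'
$result | Format-List
if (-not $result.Trusted) { Write-Warning 'Installer rejected; do not run it.' }
```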


About the Author: Deepanker Verma

Deepanker Verma is a well-known technology blogger and gadget reviewer based in India. He has been writing about Tech for over a decade.
