The Notepad++ Update Hack: What Went Down and Why It Matters

Ryan Dasgeek

2 min read
The Notepad++ Update Hack: What Went Down and Why It Matters

More information is still coming out but this is what we’ve put together so far based on the information available to-date.

Back in mid-2025, Notepad++, a staple for code development, was caught in the crosshairs of a sophisticated nation-state attack. While the software itself remained secure, the delivery system was hijacked, turning a trusted tool into a silent delivery vehicle for spyware.

The Attack on the Infrastructure

What makes this hack particularly devious is that it didn't target the Notepad++ source code. Instead, the attackers went after the infrastructure level. The update server, which was managed by a shared hosting provider (later identified as likely being Hostinger or a reseller using their infrastructure), was compromised.

Notepad++ is a "high-value" target because of its user base. It’s installed on the machines of developers and sysadmins…the very people who hold the keys to sensitive codebases and production servers.

Precision Targeting: The Ghost in the Update

Picture this: You’re a developer working late. You see a notification for a Notepad++ update. Being security-savvy, you know that keeping software patched is Rule #1, so you click "Update."

Normally, your machine pings notepad-plus-plus.org to check the getDownloadUrl.php script. But between June and December 2025, that path was compromised. However, the hackers weren't greedy. If they had sent "poison" to everyone, they would have been caught in days. Instead, they used a scrubbed list of IP addresses to target specific entities, primarily telecommunications and financial organizations in East Asia.

If you weren't on the list, you got a clean update. If you were, your WinGUp updater was redirected to an attacker-controlled server that served a Trojanized installer. This precision allowed the campaign to remain undetected for nearly six months, "ghosts in the shell" from June until early December. Yes, I had to put a anime reference in there.

The Aftermath and the "Why"

While the attackers lost direct server access in September 2025 due to a kernel and firmware update, they had already exfiltrated internal service credentials. This allowed them to continue the redirection until December 2, 2025, when the breach was finally terminated.

Was it the Notepad++ team's fault? Partially.

The Flaw: Older versions of the WinGUp updater lacked robust signature verification and token handshakes. It essentially "blindly" trusted the URL provided by the server.

The Fix: Notepad++ has since migrated to a new hosting provider with significantly tighter security and hardened the updater. Starting with version 8.8.9 and 8.9.1, the system now enforces digital signature verification for all update manifests.

As of now, this compromise appears to have exclusively impacted Windows users, as the WinGUp tool is specific to that platform.

Lessons Learned for Developers

This hack serves as a stark reminder that your security is only as strong as your weakest dependency, including your hosting.

Audit Your Infrastructure: Shared hosting is cost-effective, but for high-stakes software, dedicated and hardened environments are a must.

Sign Everything: Packages and update manifests must be signed and verified on the client side to prevent man-in-the-middle or server-side redirection.

Credential Hygiene: Once a server is breached, assume all internal service credentials are toast. Rotating them immediately is non-negotiable.

Notepad++ is a survivor, but this incident shows that even the most "boring" text editor is a tier-one target for nation-state espionage. There are a lot of lessons here but one that everyone should be included (though not specific to this hack) is that installing extensions in IDE’s and text-editors is another huge exploit vector that’s ripe for a massive hack, if there isn’t already ghosts in the shell.

Read more