The Notepad++ Supply Chain Attack: Is Your Text Editor Compromised?
2026-02-02
Figure 1: Notepad++
If you work in IT or software development, Notepad++ is likely a staple in your toolkit. However, between June and December 2025, a sophisticated supply chain attack turned this trusted tool into a potential security risk.
Understanding the Compromise
The official investigation revealed that the Notepad++ hosting server was compromised until September 2, 2025. Even after losing direct server access, attackers used stolen credentials to maintain control over internal services until December 2, 2025. This allowed them to redirect update traffic to malicious servers for months.
The hackers specifically exploited the Notepad++ domain to target weak update verification in older versions. While active redirection likely ended around November 10, the provider confirmed potential access remained until December 2, when all systems were finally hardened and credentials were rotated.
Key Security Findings
- Selective Redirection: The attack was highly targeted, focusing on telecom and financial organizations in East Asia rather than every single user.
- Updater Vulnerability: In versions older than v8.8.8, the WinGUp tool could be tricked into pulling updates from malicious URLs.
- Verification Gaps: Versions prior to v8.8.9 did not strictly check digital signatures or the authenticity of update files.
- Infrastructure Hijack: The Notepad++ source code remained safe. The attackers simply took over the delivery system to distribute poisoned binaries.
How to Protect Your System
If you updated the app during the second half of 2025, take these steps immediately:
- Check for AutoUpdater.exe: Search your %TEMP% folder. The real updater is GUP.exe. If you see AutoUpdater.exe, your system was likely targeted.
- Manual Update: Don't use the in-app update button for older versions. Download v8.8.9 or higher directly from notepad-plus-plus.org.
- Verify Signatures: Right-click the app icon, go to Properties, and check the Digital Signatures tab. It must be signed by "Notepad++" with a valid certificate.
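The three checks above can be scripted for triage across several machines. The PowerShell below is an added example, not code from the Notepad++ project or the investigation. It assumes the default 64-bit install path under Program Files and that the binary's file version fields track the release number.

```powershell
# Added triage sketch. Assumption: default 64-bit install location.
$installDir = Join-Path $env:ProgramFiles 'Notepad++'
$minVersion = [version]'8.8.9'   # lowest version the article recommends

# Step 1: look for AutoUpdater.exe in each readable user temp folder.
# Run elevated to cover profiles other than your own.
$tempDirs = @($env:TEMP) + @(
    Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' }
) | Where-Object { Test-Path -LiteralPath $_ } | Sort-Object -Unique

$hits = @(foreach ($dir in $tempDirs) {
    Get-ChildItem -LiteralPath $dir -Filter 'AutoUpdater.exe' -Recurse -File -Force -ErrorAction SilentlyContinue
})
foreach ($f in $hits) {
    # Record path, timestamp and hash so the file can be handed to incident response.
    $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    Write-Warning "Found $($f.FullName), modified $($f.LastWriteTime), SHA256 $hash"
}
if ($hits.Count -eq 0) { Write-Output 'No AutoUpdater.exe in the temp folders searched.' }

# Steps 2 and 3: installed version and Authenticode signature.
foreach ($name in 'notepad++.exe', 'updater\GUP.exe') {
    $path = Join-Path $installDir $name
    if (-not (Test-Path -LiteralPath $path)) { Write-Output "$path not found"; continue }
    $vi  = (Get-Item -LiteralPath $path).VersionInfo
    # Assumption: the binary file version fields match the release number.
    $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart)
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        File        = $path
        FileVersion = $ver
        # The 8.8.9 floor applies to the editor itself; GUP.exe has its own numbering.
        VersionOk   = if ($name -eq 'notepad++.exe') { $ver -ge $minVersion } else { 'n/a' }
        SigStatus   = $sig.Status
        Signer      = $sig.SignerCertificate.Subject
        # Article's criterion: valid signature whose signer is "Notepad++".
        SignatureOk = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -match 'Notepad\+\+')
    }
}
```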
The Bottom Line
Notepad++ has now moved to a more secure hosting provider and enforced stricter certificate checks. This incident is a reminder that even the best tools require constant vigilance. Always verify your software sources to keep your environment clean.