top of page
Search

Notepad++ Official Update Mechanism Exploited to Deliver Malware

  • Feb 2
  • 2 min read

Key Findings


  • The maintainer of Notepad++ has revealed that state-sponsored attackers hijacked the utility's update mechanism to redirect update traffic to malicious servers.

  • The attack involved an infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org.

  • The compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself.

  • The incident is assessed to have commenced in June 2025, more than six months before it came to light.

  • The attacks were attributed to a nation-state threat actor known as Violet Typhoon (aka APT31), targeting telecommunications and financial services organizations in East Asia.


Background


The development comes a little over a month after Notepad++ released version 8.8.9 to address an issue that resulted in traffic from WinGUp, the Notepad++ updater, being "occasionally" redirected to malicious domains, resulting in the download of poisoned executables.


Specifically, the problem stemmed from the way the updater verified the integrity and authenticity of the downloaded update file, allowing an attacker who is able to intercept network traffic between the updater client and the update server to trick the tool into downloading a different binary instead.


It's believed this redirection was highly targeted, with traffic originating from only certain users routed to the rogue servers and fetching the malicious components.


Update Process Hardened


In response to the security incident, the Notepad++ website has been migrated to a new hosting provider with "significantly strong practices," and the update process has been hardened with additional guardrails to ensure its integrity.


According to the former hosting provider, the shared hosting server was compromised until September 2, 2025. Even after losing server access, attackers maintained credentials to internal services until December 2, 2025, which allowed them to continue redirecting Notepad++ update traffic to malicious servers.


Recommendations


Found this article interesting? Follow us on Google News, Twitter, and LinkedIn to read more exclusive content we post.


Sources


  • https://thehackernews.com/2026/02/notepad-official-update-mechanism.html

  • https://thehackernews.com/2026/02/escan-antivirus-update-servers.html

Recent Posts

See All
Defeating AI with AI

Key Findings Generative AI and agentic AI are increasingly used by threat actors to conduct faster and more targeted attacks. One capability that AI improves for threat actors is the ability to profil

 
 
 

Comments

  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page