A months-long supply chain attack that affected the Notepad++ update process has been linked to a compromise of shared hosting infrastructure rather than a flaw in the software's code. This according to an ongoing investigation involving external security experts and the project's former hosting provider.
An advisory published by the developer on February 2 said the incident involved the redirection of update traffic intended for notepad-plus-plus.org to attacker-controlled servers.
In some cases, users downloading updates through WinGUp, the built-in updater, were served malicious manifests that pointed to compromised executables. The issue was first publicly disclosed alongside the Notepad++ v8.8.9 release in December 2025.
Attack Exploited Hosting Infrastructure
Security analysts concluded that attackers gained access at the hosting provider level, enabling them to intercept and manipulate traffic bound for the Notepad++ update endpoint. No vulnerabilities were identified in the Notepad++ codebase itself. Instead, the attackers abused weaknesses in how update integrity was verified in older versions of the software.
"This is a concerning attack that offered state sponsored actors the ability to carry out an infrastructure level compromise," said Donnan Mallon, threat intelligence analyst at Talion. "This allowed attackers to gain access to the shared hosting server, which let them intercept requests meant for notepad-plus-plus.org."
According to multiple independent researchers, the attackers selectively targeted the Notepad++ domain rather than other customers hosted on the same server. This highly focused activity has led analysts to assess that the threat actor was likely a Chinese state-sponsored group.
The compromise is believed to have begun in June 2025. Logs reviewed by the former hosting provider indicate that direct server access by the attackers ended on September 2, 2025, following scheduled kernel and firmware updates. However, credentials associated with internal services remained exposed until December 2, 2025, allowing continued traffic redirection after server access was lost.
"This is a supply chain compromise, which highlights why supply chain risk continues to rank among the highest-impact issues in frameworks like the OWASP Top 10," commented Michael Jepson, penetration testing manager at CybaVerse. "The weakness was not in the application code, but higher up the trust chain."
The hosting provider stated that no similar malicious patterns were found on other servers and that no additional customers were affected. All exposed credentials were rotated, vulnerabilities were patched and further exploitation attempts were blocked by early December.