Digital Event Horizon
Notepad++, a widely used text editor for Windows, has been compromised by suspected China-state hackers for six months, according to a report from Notepad++ developers. An "infrastructure-level compromise" allowed malicious actors to intercept and redirect update traffic, resulting in backdoored versions of the app being delivered to select targets. The attack highlights the need for robust security measures and vigilance when using software that depends on an update infrastructure, since that infrastructure can itself be compromised.
Notepad++ has been compromised by suspected China-state hackers for six months. Suspicions were first raised by version 8.8.8, which introduced bug fixes to "harden the Notepad++ Updater from being hijacked." The attack began in June and continued until December 2, with attackers maintaining credentials to internal services. Independent researcher Kevin Beaumont warned users about the vulnerability and advised installing official version 8.8.8 or higher manually. The compromise highlights the need for vigilance when using software that depends on an update infrastructure, since that infrastructure can itself be compromised.
Notepad++, a widely used text editor for Windows, has been compromised by suspected China-state hackers for six months. According to Notepad++ developers, an "infrastructure-level compromise" allowed malicious actors to intercept and redirect update traffic destined for the notepad-plus-plus.org domain. This vulnerability was exploited to deliver backdoored versions of the app to select targets.
The attack began in June. Officials from the provider hosting the update infrastructure consulted incident responders, who found that it remained compromised until September 2. Even then, attackers retained credentials to internal services until December 2, allowing them to continue redirecting update traffic to malicious servers.
Independent researcher Kevin Beaumont first suspected an issue with Notepad++ version 8.8.8, which introduced bug fixes in mid-November to "harden the Notepad++ Updater from being hijacked." Beaumont's suspicions were aroused by changes made to a bespoke Notepad++ updater known as GUP or WinGUP.
Beaumont warned that traffic to notepad-plus-plus.org is rare, making it possible to redirect to a different download. However, this requires a lot of resources, and he cautioned that search engines are "rammed full" of advertisements pushing trojanized versions of Notepad++ that many users unwittingly run inside their networks.
Beaumont advised that all users ensure they're running the official version 8.8.8 or higher installed manually from notepad-plus-plus.org. He also suggested that larger organizations block notepad-plus-plus.org and the gup.exe process from having Internet access.
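An added example, not from the article or from the Notepad++ project: a Python scan over constructed proxy log lines for the two conditions Beaumont's advice implies (gup.exe reaching the Internet at all, and Notepad++ installer downloads from hosts other than notepad-plus-plus.org), plus a check that an installed version meets the 8.8.8 floor. The log format, the installer file-name pattern and the hostnames in the sample are assumptions.

```python
import re
from urllib.parse import urlparse

OFFICIAL_HOSTS = {"notepad-plus-plus.org"}   # the download source the article says to install from
UPDATER_PROCESSES = {"gup.exe"}              # the bespoke updater the article says to deny Internet access
MIN_SAFE_VERSION = (8, 8, 8)                 # version that hardened the updater, per the article
# Installer file-name pattern; an assumption about Notepad++ naming, not stated in the article
INSTALLER_RE = re.compile(r"npp\.\d+(?:\.\d+)*\.installer", re.IGNORECASE)

# Constructed proxy log, "<timestamp> <workstation> <process> <url>"; not real traffic
SAMPLE_LOG = """\
2026-01-12T09:14:03Z WS-0142 gup.exe https://notepad-plus-plus.org/update/check?version=8.7.1
2026-01-12T09:14:05Z WS-0142 gup.exe https://cdn.example.invalid/npp.8.8.1.Installer.x64.exe
2026-01-12T10:02:11Z WS-0099 chrome.exe https://notepad-plus-plus.org/downloads/v8.8.8/
2026-01-12T10:03:40Z WS-0099 chrome.exe https://notepad-plusplus-dl.invalid/npp.8.8.8.Installer.x64.exe
2026-01-12T11:00:00Z WS-0007 chrome.exe https://example.com/index.html
"""

def parse_version(text):
    """'8.8.8' -> (8, 8, 8); tuples compare lexicographically."""
    return tuple(int(part) for part in text.strip().split("."))

def version_is_safe(text):
    """True when the installed version is at or above the article's 8.8.8 floor."""
    return parse_version(text) >= MIN_SAFE_VERSION

def scan_log(log_text):
    """Return (line_number, workstation, reason) for every line that violates the advice."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        parts = line.split()
        if len(parts) != 4:
            continue                         # malformed line: skip rather than guess
        _timestamp, workstation, process, url = parts
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if process.lower() in UPDATER_PROCESSES:
            # Policy from the article: the updater should have no Internet access at all
            findings.append((number, workstation, f"updater egress to {host}"))
        elif INSTALLER_RE.search(parsed.path) and host not in OFFICIAL_HOSTS:
            # Installer fetched from somewhere other than the official domain
            findings.append((number, workstation, f"installer from unofficial host {host}"))
    return findings

if __name__ == "__main__":
    for number, workstation, reason in scan_log(SAMPLE_LOG):
        print(f"line {number}: {workstation}: {reason}")
```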
The compromise has raised concerns about the security of open-source projects, as funding for Notepad++ is dwarfed by how heavily users depend on it. Recent moves by Microsoft to integrate Copilot AI into Notepad have driven further interest in the alternative editor, but this increased demand highlights the need for robust monitoring and security measures.
In conclusion, the compromise of Notepad++ highlights the need for vigilance when using software that depends on an update infrastructure, since that infrastructure can itself be compromised. It serves as a reminder to users to ensure they're running secure versions of their applications and to be aware of the potential risks associated with seemingly minor vulnerabilities.
Related Information:
https://www.digitaleventhorizon.com/articles/Notepad-Compromise-A-Six-Month-Attack-on-User-Trust-deh.shtml
https://arstechnica.com/security/2026/02/notepad-updater-was-compromised-for-6-months-in-supply-chain-attack/
https://notepad-plus-plus.org/news/hijacked-incident-info-update/
Published: Mon Feb 2 15:19:25 2026 by llama3.2 3B Q4_K_M