Notepad++-Update-System-Hack-illustrated

Notepad++ Supply Chain Attack

/ News and Events / By

Notepad++ Supply Chain Attack: Malware Delivered via Official Updates

Notepad++ disclosed that its official update mechanism was compromised in a targeted supply chain attack, allowing malicious updates to be delivered to a small group of users rather than the wider user base. The incident did not stem from a flaw in the text editor’s source code, but from weaknesses in the update delivery and hosting infrastructure, which attackers exploited to redirect update traffic. The issue has since been contained, with the Notepad++ team strengthening update verification and urging users to manually update to the latest secure version and verify digital signatures as a precaution.

What Happened

  • The official update mechanism for Notepad++ Official Update Mechanism Hijacked to Deliver Malware to Select Users — a widely used open source text editor — was compromised by state sponsored attackers.
  • Instead of vulnerabilities in Notepad++ itself being exploited, the compromise occurred at the hosting provider level. Attackers were able to intercept and redirect update traffic to malicious servers.

Who Was Responsible

  • Security researchers and multiple reports link the campaign to a suspected Chinese state sponsored threat actor based on targeting patterns and technical sophistication.
  • Independent analysts mentioned groups like Violet Typhoon (aka APT31) as likely behind the effort.

How Long It Lasted

  • The attack appears to have started in June 2025 and continued in various forms through December 2,2025.
  • During this period, attackers maintained access via stolen internal credentials even after losing direct server control.

Who Was Targeted

  • Rather than a broad, indiscriminate attack, the malicious updates were highly targeted at selected users — including organizations in East Asia in telecom and financial sectors.
  • Not all users were affected, but those whose update traffic was intercepted may have received malicious software.

What’s Been Done

  • The Notepad++ team has moved hosting providers and strengthened the update and verification process — including better signature checks to ensure update authenticity.
  • Users are advised to manually download the latest clean version (e.g., 8.9.1 or newer) directly from the official site to ensure they are not running a compromised build.

Check Your Notepad++ Version and Install Date

  1. Open Notepad++
  2. Go to Help About Notepad++
  3. Note:
    • Version number
    • Build date

Why this matters:
The malicious updates were only delivered during a specific window and only to selected users. If your version was installed or updated between mid-2025 and late-2025, extra caution is warranted.

Verify the Digital Signature (Critical Step)

Malicious builds often fail proper code-signing checks.

On Windows:

  1. Locate notepad++.exe
    • Usually:
      C:\Program Files\Notepad++\
  2. Right-click Properties
  3. Open the Digital Signatures tab
  4. Confirm:
    • Signer is Notepad++ / Don Ho
    • Signature status is Valid

Red flags:

  • No Digital Signatures tab
  • Invalid signature
  • Unknown publisher

If any of these appear assume compromise and reinstall immediately.

Check for Suspicious Behavior

Even if Notepad++ appears normal, look for signs of tampering:

  • Unexpected outbound network connections
  • Antivirus or EDR alerts tied to Notepad++
  • New scheduled tasks or startup entries you didn’t create
  • DLLs or EXE files in the Notepad++ folder that don’t belong

If you have endpoint protection, run a full system scan, not just a quick scan.

Compare File Hashes (Advanced but Reliable)

If you want high confidence:

  1. Download the latest clean installer from the official Notepad++ website
  2. Generate a hash for:
    • Your installed notepad++.exe
    • The freshly downloaded installer
  3. Compare against official checksums published by Notepad++

Mismatch = do not trust the installation.

Secure Your System (Recommended Actions)

Even if no compromise is confirmed, these steps reduce risk:

Reinstall Safely

  • Uninstall Notepad++
  • Reboot
  • Install the latest version manually (do not use the in-app updater for now)

Lock Down Updates

  • Disable automatic updates temporarily
  • Only update manually from the official site

Rotate Credentials (If Used for Dev Work)

If you used Notepad++ to edit:

  • SSH keys
  • API tokens
  • Credentials or config files

Rotate them as a precaution.

Ongoing Best Practices

  • Keep Windows fully patched
  • Use application allow-listing where possible
  • Monitor software supply-chain advisories
  • Treat unexpected software updates as potential security events

Bottom Line

This was a targeted supply-chain attack, not a mass infection. Most users were likely unaffected — but verifying signatures and reinstalling cleanly is the safest path if your system falls within the impacted timeframe.

Top 5 Frequently Asked Questions

Notepad++ reported a supply-chain style incident where update traffic for some targeted users was selectively redirected to attacker-controlled infrastructure, resulting in malicious update files being delivered. The compromise was tied to hosting/infrastructure rather than a vulnerability in Notepad++’s core code.
The activity was described as highly targeted, not a mass infection event. The reported compromise window spans roughly from June 2025 through December 2, 2025, with some indicators suggesting the malicious update activity ended earlier (around November 2025).
Start by checking your Notepad++ version and when it was installed/updated. Then verify the digital signature on the installer and binaries: open the Notepad++ install folder (commonly C:\Program Files\Notepad++), right-click notepad++.exe ? Properties ? Digital Signatures, and confirm the signature is valid and issued via the expected certificate chain. If signatures are missing/invalid or you notice unusual network/process behavior during updates, treat it as suspicious and remediate.
(1) Update by downloading the latest release directly from the official Notepad++ site (avoid third-party mirrors). (2) Ensure signature verification is enforced by running a current version (the project introduced hardened update verification in newer releases). (3) Run a full system scan with your security tools (AV/EDR). (4) If you updated during the 2025 window and you handle sensitive credentials on that machine, rotate passwords/tokens/keys as a precaution.
If you previously installed a Notepad++ self-signed root certificate to support older update flows, the project has advised removing it after newer releases moved to using a legitimate third-party signing certificate. If you’re unsure, check your Windows certificate store for any Notepad++-related root certificate entries and remove them per your organization’s change-control process.

Key Takeaway

This was a sophisticated supply chain style attack on the update infrastructure — not on the Notepad++ codebase — demonstrating how attackers can exploit hosting and delivery systems to spread malware even when the software itself remains secure.

Resources

About the Author
Picture of Mark Mayo

Mark Mayo

I am a huge enthusiast for Computers, AI, SEO-SEM, VFX, and Digital Audio-Graphics-Video. I’m a digital entrepreneur since 1992. Articles include AI assisted research. Always Keep Learning! Notice: All content is published for educational and entertainment purposes only. NOT LIFE, HEALTH, SURVIVAL, FINANCIAL, BUSINESS, LEGAL OR ANY OTHER ADVICE. Learn more about Mark Mayo

Related Posts

Get Social

Click here

Buy The Buzzard A Coffee

Click here

Contribute

Click here

Headquarters:

Cybersecurity Careers & Cybercrime with PacketBuzzard