China-linked actors exploited hosting compromise to hijack Notepad++ updater

Notepad++ has revealed technical findings after investigators traced a targeted campaign that manipulated the editor’s update distribution. The intrusion did not arise from flaws in the application code but from control gained over infrastructure used to serve updates, enabling selective redirection of certain update requests to adversary-controlled endpoints. External analysts assessing telemetry and attack patterns concluded the operation bears hallmarks of a state-directed actor based in China, which aligns with the carefully chosen targets observed during the campaign. Initial exploitation appears to have begun in mid-2025, with the compromised host remaining under attacker control until early September, and unauthorized credentials later permitting access to internal provider systems up to December. During that window the adversary could supply poisoned update manifests to a subset of users, giving attackers a stealthy route for delivering malware to organizations in telecoms and financial sectors across East Asia. The hosting provider’s investigation found no broad tenant-wide abuse, indicating the campaign was narrowly scoped rather than a noisy, indiscriminate compromise. In response, Notepad++ migrated its release infrastructure and implemented client-side measures to validate update authenticity, closing the vector the attackers exploited. The episode underscores a recurring reality: supply chain risk frequently originates outside application code, at the infrastructure and delivery layers. For operators of widely distributed software, especially free and open projects that rely on third-party hosting, the attack exposes a blind spot where trust in intermediaries can be weaponized. Detection was delayed by the precision of targeting and by the attacker’s use of legitimate update channels, which complicates forensic timelines and attribution. The case reinforces the need for end-to-end integrity checks, strict key management for update signing, and continuous validation of hosting security to prevent similar interception paths in the future.