Notepad++ Updates Hijack Investigation and Security Response
By Jim McMahon on 02/02/2026
The Notepad++ team has published a follow-up security update clarifying the traffic hijacking incident first disclosed alongside the Notepad++ v8.8.9 release. The findings seem to confirm this was not a bug in Notepad++ itself, but a security breach at the hosting provider level.
What Happened
Security researchers reported that update traffic from WinGUp, the Notepad++ updater, was occasionally being redirected to attacker-controlled servers. In those cases, malicious actors could serve compromised executables instead of legitimate Notepad++ installers, which would look 100% valid.
A detailed further investigation determined that the issue stemmed from a compromised shared hosting server used by Notepad++ for update-related infrastructure that allowed the attackers access to their software.
At this point there is no evidence of malicious code being added to Notepad++ itself, and no compromise of the application source code. The breach seems to be contained to the updater and the distribution of the Notepad++ executable after the initial install.
Timeline and Attribution
- The compromise likely began around June 2025
- The hosting server itself was compromised until September 2, 2025
- Attackers retained internal service credentials until December 2, 2025
- Malicious redirection activity appears to have ended by November–December 2025
The powers that be at Notepad++ engaged with multiple independent researchers, who assess the activity as highly targeted, consistent with tactics used by state-sponsored threat actors. While attribution is still under investigation, some analysts believe the activity aligns with a Chinese state-sponsored group, based on targeting behavior and infrastructure control.
What Notepad++ Changed
To address the issue and prevent similar attacks in the future, several security improvements have been implemented:
- WinGUp hardening (v8.8.9+)
  - Update installers are now verified using both certificate and digital signature checks
  - If verification fails, the update is immediately aborted
- Signed update metadata
  - Update XML responses are now cryptographically signed (XMLDSig)
  - Enforcement of XML signature verification will be mandatory starting with v8.9.2
- Hosting migration
  - The Notepad++ website and update infrastructure have been migrated to a new hosting provider with stronger security controls
Why Automatic Updates Are Not Always Ideal
While automatic updates are convenient, they are often not needed, and this incident highlights the real security risks they can pose. The Notepad++ hack is rather elaborate. You generally see the autoupdate hack come from the greedy authors themselves. For example, a dubious author writes a cool freeware program that later installs adware with an automatic update when no one is looking.
Automatic update mechanisms can:
- Trust network-delivered content implicitly
- Execute installers with elevated privileges
- Be abused if integrity checks are weak or bypassed
- Fail silently if users are not monitoring the update behavior
For users who want more control, we have previously covered how to pause or disable app updates in Windows App Store.
This does not mean auto-updates are "bad," but it does show why strong verification, transparency, and manual intervention options matter.
What Users Should Do Now
As of the time of publication, we recommend the following:
- Immediately update to Notepad++ v8.9.1
- You can download the current safe version directly from MajorGeeks: https://www.majorgeeks.com/files/details/notepad.html
- Uninstall older versions
- Reinstall using the latest installer.
Manual installation ensures the installer signature is verified by Windows and avoids any legacy updater paths.
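To check a downloaded installer yourself before running it, the PowerShell sketch below fails closed on any signature problem. It is an added example, not code from Notepad++ or MajorGeeks; `Test-InstallerSignature` is a hypothetical helper name, and the installer path and expected publisher string are placeholders to replace with values you have confirmed from the official project.

```powershell
# Added example: verify an installer's Authenticode signature and signer before running it.
# Test-InstallerSignature is a hypothetical helper; expected values are supplied by the caller.
function Test-InstallerSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSubjectLike,  # wildcard match on signer subject
        [string] $ExpectedThumbprint,                          # optional certificate pin
        [string] $ExpectedSha256                               # optional hash published out of band
    )
    $problems = [System.Collections.Generic.List[string]]::new()
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # 'Valid' = file unmodified since signing and the chain is trusted on this machine.
    if ($sig.Status -ne 'Valid') {
        $problems.Add("Signature status is '$($sig.Status)': $($sig.StatusMessage)")
    }
    # A valid signature from an unexpected publisher is still the wrong file.
    if (-not $sig.SignerCertificate) {
        $problems.Add('File carries no signer certificate')
    } else {
        if ($sig.SignerCertificate.Subject -notlike $ExpectedSubjectLike) {
            $problems.Add("Unexpected signer: $($sig.SignerCertificate.Subject)")
        }
        if ($ExpectedThumbprint -and $sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
            $problems.Add("Unexpected thumbprint: $($sig.SignerCertificate.Thumbprint)")
        }
    }
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($ExpectedSha256 -and $sha256 -ne $ExpectedSha256) {
        $problems.Add("SHA-256 mismatch: got $sha256")
    }
    [pscustomobject]@{
        Path     = $Path
        Trusted  = ($problems.Count -eq 0)
        Signer   = $sig.SignerCertificate.Subject
        Sha256   = $sha256
        Problems = $problems
    }
}

# Placeholders: substitute the real download path and the publisher name you expect.
$result = Test-InstallerSignature -Path '.\<downloaded-installer>.exe' `
                                  -ExpectedSubjectLike '*<EXPECTED-PUBLISHER-NAME>*'
if (-not $result.Trusted) {
    $result.Problems | Write-Warning
    throw 'Installer failed verification; not running it.'
}
```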
Bottom Line
Notepad++ is an excellent app, one of our all-time favorites, and though this breach is unfortunate, we think it shows how well the security community and the people at Notepad++ handled this.
This incident was caused by a security breach on a shared web server, not by malicious or poor code in Notepad++ itself. The Notepad++ team has taken appropriate corrective action, strengthened update verification, migrated infrastructure, and improved transparency around the event.
With the changes already in place and further enforcement coming in v8.9.2, this issue appears to be fully resolved.
Still, this serves as a good reminder: even trusted software benefits from cautious update practices.