Notepad++ confirms six-month state-sponsored supply chain attack on update infrastructure

Chinese state actors compromised Notepad++'s hosting provider from June to December 2025, selectively redirecting update requests to malicious servers. The attack exploited weak update verification in older versions—a pattern enterprise security teams should recognize.

Notepad++ disclosed on February 2 that state-sponsored attackers controlled its shared hosting infrastructure for six months, intercepting update requests and serving tampered manifests to targeted users.

The compromise ran from June 2 to December 2, 2025. Attackers gained initial access through the hosting provider, then maintained persistence using stolen service credentials even after the provider patched the original vulnerability in September. The hosting provider confirmed full remediation on December 2, though security researchers assess the attack effectively ended November 10.

What makes this significant

The attackers used selective targeting rather than broad distribution, a hallmark of state-level operations. They exploited insufficient update verification in WinGUp, Notepad++'s built-in updater, which before version 8.8.8 (released mid-November 2025) lacked hardening against a change of download source: it would fetch the installer from whatever location the update manifest named. Current versions now restrict downloads to GitHub.
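As an added illustration (not WinGUp's or Notepad++'s own code), the Python below models the two checks the hardening described above amounts to: an updater that refuses any download location outside an allowlisted host and verifies the installer's digest before installing. The manifest shape, the allowlisted host names, the repository path and all sample manifests and payloads are constructed for this example and are not real Notepad++ artefacts.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Allowlist of download hosts. The article says current Notepad++ versions
# restrict downloads to GitHub; the exact host list here is an assumption.
ALLOWED_HOSTS = {"github.com", "objects.githubusercontent.com"}


def validate_manifest(xml_text: str, allowed_hosts=ALLOWED_HOSTS):
    """Parse an update manifest and enforce the download-source policy.

    Returns (version, url, sha256_hex) on success, or raises ValueError with
    the reason the manifest was rejected. The manifest shape used here
    (<Update><Version/><Location/><SHA256/></Update>) is a simplified
    stand-in, not WinGUp's real format.
    """
    root = ET.fromstring(xml_text)
    version = (root.findtext("Version") or "").strip()
    url = (root.findtext("Location") or "").strip()
    digest = (root.findtext("SHA256") or "").strip().lower()
    if not (version and url and digest):
        raise ValueError("manifest missing Version, Location or SHA256")

    parsed = urlparse(url)
    # Require TLS so a plain-HTTP download cannot be rewritten on the wire.
    if parsed.scheme != "https":
        raise ValueError(f"download URL is not https: {url}")
    # urlparse().hostname strips userinfo and port, so a URL such as
    # https://github.com@other.example/ resolves to 'other.example' here.
    if parsed.hostname not in allowed_hosts:
        raise ValueError(f"download host not allowlisted: {parsed.hostname}")
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("SHA256 field is not a 64-hex-digit digest")
    return version, url, digest


def verify_payload(payload: bytes, expected_sha256: str) -> bool:
    """Compare the downloaded installer's digest with the manifest value."""
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())


def evaluate_update(xml_text: str, payload: bytes):
    """Run both checks; return (accepted, reason) instead of raising."""
    try:
        version, _url, digest = validate_manifest(xml_text)
    except (ET.ParseError, ValueError) as exc:
        return False, f"manifest rejected: {exc}"
    if not verify_payload(payload, digest):
        return False, "payload digest does not match manifest"
    return True, f"update to {version} accepted"


# --- constructed sample data (not real Notepad++ artefacts) -----------------
SAMPLE_PAYLOAD = b"constructed installer bytes"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()

MANIFEST_TEMPLATE = (
    "<Update><Version>8.8.8</Version>"
    "<Location>{url}</Location>"
    "<SHA256>{digest}</SHA256></Update>"
)
# Placeholder repository path; the real release URL is not on the page.
GOOD_MANIFEST = MANIFEST_TEMPLATE.format(
    url="https://github.com/EXAMPLE-ORG/EXAMPLE-REPO/releases/download/v8.8.8/installer.exe",
    digest=SAMPLE_DIGEST,
)
# Location rewritten to another host, as a compromised hosting provider
# could serve it to selected clients.
REDIRECTED_MANIFEST = MANIFEST_TEMPLATE.format(
    url="https://updates.attacker.example/installer.exe", digest=SAMPLE_DIGEST
)
# Allowlisted name appears only in the userinfo part; the real host differs.
USERINFO_MANIFEST = MANIFEST_TEMPLATE.format(
    url="https://github.com@updates.attacker.example/installer.exe",
    digest=SAMPLE_DIGEST,
)
# Legitimate Location, but the delivered bytes were swapped.
TAMPERED_PAYLOAD = b"different bytes"

if __name__ == "__main__":
    for name, manifest, payload in [
        ("good", GOOD_MANIFEST, SAMPLE_PAYLOAD),
        ("redirected", REDIRECTED_MANIFEST, SAMPLE_PAYLOAD),
        ("userinfo", USERINFO_MANIFEST, SAMPLE_PAYLOAD),
        ("swapped", GOOD_MANIFEST, TAMPERED_PAYLOAD),
    ]:
        print(name, evaluate_update(manifest, payload))
```

Note the limits of the digest check on its own: when the same compromised server delivers both the manifest and the installer, the attacker can write a matching digest into the manifest, so the digest only defends against a payload swapped on a mirror or in transit. The host allowlist is what removes the redirect, and an updater that also verifies a code signature against a key pinned in the binary is not dependent on the manifest server at all.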

Multiple independent researchers attributed the campaign to Chinese state-sponsored actors based on operational patterns. With tens of millions of Windows users globally, many in enterprise development environments, the attack represents sophisticated supply chain risk.

The enterprise angle

This attack highlights a recurring vulnerability: trusted development tools with legacy update mechanisms. The six-month persistence demonstrates what's possible when attackers compromise shared hosting infrastructure rather than attempting to breach the software project directly.

The disclosure timeline matters. Notepad++ first warned users of suspicious behavior in version 8.8.9 (December 2025), but the full advisory came two months later after attribution analysis concluded. This lag between detection and disclosure is common in state-sponsored investigations but creates a window where enterprises don't know if they're affected.

What changed

Notepad++ has since hardened its update process, but organizations should audit which development tools use older update mechanisms. The hosting provider's statement that attackers "tried to re-exploit one of the fixed vulnerabilities" suggests the initial compromise may have exploited a known but unpatched vulnerability—implications that extend beyond this specific incident.

The real question: how many other widely-deployed tools are running similar update architectures?