Trending:
Cybersecurity

Notepad++ hosting breach gave China-linked hackers six months of update hijacking

State-sponsored hackers compromised Notepad++'s shared hosting server from June to December 2025, redirecting updates to malware for select East Asian telco and finance targets. The supply chain attack exploited weak update verification in WinGUp—fixed in version 8.8.9—highlighting risks in open-source tooling infrastructure.

TheBiggish Editorial ·
Notepad++ hosting breach gave China-linked hackers six months of update hijacking

What Happened

Notepad++ developer Don Ho disclosed February 2 that China-linked threat actors (tracked as Violet Typhoon/APT31) hijacked the text editor's update mechanism for six months in 2025. The attack compromised the project's shared hosting provider, redirecting targeted users to malware downloads between June and December.

The breach exploited weak update verification in WinGUp, Notepad++'s updater component. Version 8.8.9 (released late 2025) patched the vulnerability. The project has since migrated to new hosting infrastructure.

Who Got Hit

This wasn't spray-and-pray. The attackers targeted a small number of organizations in East Asian telecommunications and financial services sectors. Those who took the bait gave adversaries hands-on network access—the kind that doesn't show up in endpoint logs until it's too late.

Security researchers at Rapid7 identified the compromised infrastructure, which included malicious update.exe files served from 95.179.213[.]0.

The Supply Chain Pattern

This is a supply chain attack, not a Notepad++ code vulnerability. The compromised hosting server remained accessible until December 2, 2025—three months after Notepad++ moved infrastructure on September 2. Lingering credentials kept the door open.

The pattern echoes SolarWinds (2020): compromise the distribution mechanism, target selectively, maintain persistence. The difference is scale. Notepad++ has millions of downloads annually, but the attackers hit a handful of high-value targets.

What CTOs Should Know

Three things matter here:

  1. Update mechanisms are infrastructure. If your dev teams use open-source tools, they're trusting someone else's hosting and deployment pipeline. That's a dependency worth mapping.

  2. Shared hosting is a shared risk. The exact breach mechanism is still under investigation, but Don Ho has ruled out flaws in Notepad++'s codebase. The hosting provider was the weak link.

  3. Manual verification isn't paranoia. Hash verification and checksum validation before deploying updates—even from trusted sources—caught similar attacks before. SBOMs (Software Bill of Materials) help, but only if you're actually checking them.

Current Status

No related incidents reported in the past week. Users on version 8.8.9 or later are patched. Organizations should verify update sources, audit installed versions, and consider isolating development infrastructure from production networks.

The investigation continues. The hosting provider hasn't been publicly named.

Tags:
cybersecurity china apac open-source supply-chain

Related Articles

Moltbook's database exposed 1.5M API keys - Wiz finds no security controls
Cybersecurity

Moltbook's database exposed 1.5M API keys - Wiz finds no security controls

Wiz discovered Moltbook's entire Supabase database exposed via hardcoded client-side credentials. The AI-agent social network - launched January 28 by Octane AI CEO Matt Schlicht - had no Row Level Security, allowing anyone to read 1.5M API tokens, 35K emails, and all agent messages. Fixed within hours, but the pattern is familiar: vibe-coded applications shipping without basic security controls.

Feb 2, 2026