Nation-state hack exploited hosting infrastructure to hijack Notepad++ updates
Publish Date: 2026-02-02 05:55:00
Source Domain: securityaffairs.com
Pierluigi Paganini
February 02, 2026

Notepad++ maintainer says nation-state attackers hijacked the app’s update system by redirecting traffic at the hosting provider level.
The Notepad++ maintainer revealed that nation-state hackers compromised the hosting provider’s infrastructure, redirecting update traffic to malicious servers. The attack did not exploit flaws in Notepad++ code but intercepted updates before they reached users.
“According to the analysis provided by the security experts, the attack involved infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org,” reads the advisory published by the software maintainers. “The exact technical mechanism remains under investigation, though the compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself. Traffic from certain targeted users was selectively redirected to attacker-controlled served malicious update manifests.”
The incident began in June 2025, and multiple researchers linked it to a likely Chinese state-sponsored group, based on its highly selective targeting. The attackers' compromise of a shared hosting server lasted until September 2, 2025; they later used stolen internal credentials to redirect Notepad++ update traffic to malicious servers until December 2.
The hosting provider moved all affected customers to a new server, fixed the vulnerabilities that were abused, and rotated all credentials that may have been exposed.
After completing these actions, the provider reviewed system logs and confirmed there was no evidence of continued attacker access or malicious activity.
The security expert found the attack ended on November 10, 2025, while the hosting provider reported possible attacker access until…