2026-02-02
Following the security disclosure published in the v8.8.9 announcement
https://notepad-plus-plus.org/news/v889-released/
The investigation has continued in collaboration with external experts and with the full involvement of my (now former) shared hosting provider.
According to analysis provided by security experts, the attack involved an infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org. The exact technical mechanisms remain under investigation; what is established is that the compromise occurred at the hosting provider level rather than through a vulnerability in the Notepad++ code. Traffic from some targeted users was selectively redirected to attacker-controlled malicious update manifests.
The event began in June 2025. Several independent security researchers have assessed that the threat actor is likely a Chinese state-sponsored group, which would explain the highly selective targeting observed during the campaign.
An incident-response (IR) plan was proposed by the security specialist, and I facilitated direct communication between the hosting provider and the IR team. After the IR team connected with the provider and reviewed the situation, I received the following detailed explanation from the provider:
Dear Customer,
We want to further update you following the previous communication with us about your server compromise and further investigation with your incident response team.
We discovered suspicious events in our logs, which indicate that the server (where your application https://notepad-plus-plus.org/update/getDownloadUrl.php was hosted until the 1st of December, 2025) could have been compromised.
As a precautionary measure, we immediately transferred all clients’ web hosting subscriptions from this server to a new server and continued our further investigation.
Here are the key finding points:
1. The shared hosting server in question was compromised until the 2nd of September, 2025. On this particular date, the server had scheduled maintenance during which the kernel and firmware were updated. After this date, we could not identify any similar patterns in the logs, which indicates that the bad actors lost access to the server. We also found no evidence of similar patterns on any other shared hosting servers.
2. Even though the bad actors lost access to the server on the 2nd of September, 2025, they retained the credentials for our internal services on that server until the 2nd of December, which could have allowed the malicious actors to redirect some of the traffic going to https://notepad-plus-plus.org/getDownloadUrl.php to their own servers and return the update download URL with compromised updates.
3. Based on our logs, we see no other clients hosted on this particular server being targeted. The bad actors specifically searched for the https://notepad-plus-plus.org/ domain with the goal of intercepting the traffic to your website, as they might have known about the then-existing Notepad++ vulnerabilities related to insufficient update verification controls.
4. After concluding our research, the investigated security findings were no longer observed in the web hosting systems from the 2nd of December, 2025, and onwards, as:
* We have fixed the vulnerabilities that could have been used to target Notepad++. In particular, we do have logs indicating that the bad actor tried to re-exploit one of the fixed vulnerabilities; however, the attempt did not succeed after the fix was implemented.
* We have rotated all the credentials that bad actors could have obtained until the 2nd of September, 2025.
* We have checked the logs for similar patterns in all web hosting servers and couldn’t find any evidence of systems being compromised, exploited in a similar way, or data breached.
While we have rotated all the secrets on our end, below you will find the preventive actions you should take to maximize your security. However, if the actions below have already been done after the 2nd of December, 2025, no further action is needed from your side.
* Change credentials for SSH, FTP/SFTP, and MySQL database.
* Review administrator accounts for your WordPress sites (if you have any), change their passwords, and remove unnecessary users.
* Update your WordPress sites (if you have any) plugins, themes, and core version, and turn on automatic updates, if applicable.
We appreciate your cooperation and understanding. Please let us know in case you have any questions.
TL;DR
According to the former hosting provider, the shared hosting server was compromised until September 2, 2025. Even after losing server access, the attackers retained credentials for the provider's internal services until December 2, 2025, which allowed them to keep redirecting Notepad++ update traffic to their malicious server. The attackers specifically targeted the Notepad++ domain in order to exploit the inadequate update validation present in older versions of Notepad++. The provider completed all remediation and hardening by December 2, 2025, after which no further attack activity was observed.
Note the dates: the security expert's analysis indicates that the attack stopped on November 10, 2025, while the hosting provider's statement shows the attacker could have retained access until December 2, 2025. Based on both assessments, I estimate the overall compromise window as June 2025 to December 2, 2025, when all attacker access was definitively terminated.
I deeply apologize to all users affected by this hijacking. To address this serious security issue, the Notepad++ website has been moved to a new hosting provider with significantly stronger security practices. In Notepad++ itself, WinGup (the updater) was enhanced in v8.8.9 to verify both the certificate and the signature of the downloaded installer. Additionally, the XML returned by the update server is now signed (XMLDSig), and verification of that signature and its certificate on the client side will be implemented starting with the upcoming v8.9.2, expected in about a month.
With these changes and reinforcements, I believe the situation has been completely resolved. Fingers crossed.
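The design lesson of this incident is that a TLS connection to the update server proves nothing once the host itself is compromised: the updater must check a signature made with a key that never lives on the web host, and must tie the downloaded bytes to that signed manifest. The following Go program is an added illustration of that principle; it is not WinGup's code and it does not use XMLDSig. It substitutes an Ed25519 signature over a minimal plain-text manifest (the field set, the key handling, the stand-in installer bytes and the example.org / attacker.example URLs are all assumptions constructed for this example). It contrasts a legacy updater that trusts whatever the host returns with a hardened one that pins the release public key and checks the installer's SHA-256 against the signed manifest, and shows that a hijacked manifest and a swapped download are both rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Manifest is a stand-in for the update metadata an updater fetches from the
// web host. The field set is an assumption for this example, not WinGup's XML.
type Manifest struct {
	Version   string
	URL       string
	SHA256    string // hex digest the downloaded installer must match
	Signature []byte // Ed25519 signature over canonical(m), made by the release key
}

// canonical is the exact byte string that gets signed; Signature is excluded.
func canonical(m Manifest) []byte {
	return []byte(strings.Join([]string{m.Version, m.URL, m.SHA256}, "\n"))
}

// Digest returns the hex SHA-256 of an installer image.
func Digest(installer []byte) string {
	sum := sha256.Sum256(installer)
	return hex.EncodeToString(sum[:])
}

// GenerateReleaseKey makes the key pair. In practice the private half lives on
// the maintainer's signing machine and is never copied to the web host.
func GenerateReleaseKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignManifest is the release-side step, run where the private key lives.
func SignManifest(priv ed25519.PrivateKey, m Manifest) Manifest {
	m.Signature = ed25519.Sign(priv, canonical(m))
	return m
}

// LegacyAccept models an updater that trusts whatever the host returns: it
// follows the URL in the manifest and runs the bytes it gets back. A hijacked
// manifest is indistinguishable from a genuine one here.
func LegacyAccept(m Manifest, installer []byte) error {
	if m.URL == "" || len(installer) == 0 {
		return errors.New("empty manifest or download")
	}
	return nil
}

// VerifyUpdate models the hardened updater. The public key is compiled into
// the client, so a compromised host cannot forge an acceptable manifest, and
// the download is accepted only if it hashes to the digest in that manifest.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, installer []byte) error {
	if !ed25519.Verify(pinned, canonical(m), m.Signature) {
		return errors.New("manifest signature invalid: refusing update")
	}
	if Digest(installer) != m.SHA256 {
		return errors.New("installer digest does not match signed manifest")
	}
	return nil
}

func main() {
	pub, priv := GenerateReleaseKey()
	genuine := []byte("constructed stand-in for npp.8.8.9.Installer.x64.exe")
	m := SignManifest(priv, Manifest{
		Version: "8.8.9",
		URL:     "https://example.org/npp.8.8.9.Installer.x64.exe", // constructed URL
		SHA256:  Digest(genuine),
	})
	// The attacker on the host rewrites the manifest to point at their server and
	// signs it with a key of their own, because they never had the release key.
	_, evilPriv := GenerateReleaseKey()
	trojan := []byte("constructed stand-in for a backdoored installer")
	hijacked := SignManifest(evilPriv, Manifest{
		Version: "8.8.9",
		URL:     "https://attacker.example/npp.exe", // constructed URL
		SHA256:  Digest(trojan),
	})
	fmt.Println("legacy, genuine:   ", LegacyAccept(m, genuine))
	fmt.Println("legacy, hijacked:  ", LegacyAccept(hijacked, trojan))
	fmt.Println("hardened, genuine: ", VerifyUpdate(pub, m, genuine))
	fmt.Println("hardened, hijacked:", VerifyUpdate(pub, hijacked, trojan))
	fmt.Println("hardened, swapped: ", VerifyUpdate(pub, m, trojan))
}
```

The third hardened case (genuine, correctly signed manifest but a swapped download) is why the manifest must carry the installer digest rather than only a URL: an attacker who controls the redirect can leave the manifest untouched and serve different bytes at the named URL. Verifying the installer's own code-signing certificate, as v8.8.9's WinGup does, closes the same gap from the other side.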