Notepad++ hack was a targeted attack by Chinese state-sponsored hackers

The hack on Notepad++ last year was an intentional, targeted attack that redirected selected users to a server belonging to state-sponsored hackers from China.
In December 2025, Notepad++ disclosed that its text editing app had been the target of a cyberattack.
Unknown attackers were able to intercept network traffic between users and the Notepad++ update server. The threat actor used this vulnerability to target specific users, redirect them to a server under the attacker's control, and then serve them a download containing malicious update code.
As soon as the vulnerability came to light, Notepad++ quickly released a patch, v8.8.9, that hardened the signature and certificate verification during updates.
The creator of the text editing application has provided an update on the incident.
According to security experts, the attack involved an infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org.
“The exact technical mechanism remains under investigation, though the compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself,” the developer says in a blog post.
The attack campaign began in June 2025 and ran until at least November 10th, but possibly until December 2nd, Notepad++ reports.
The hosting server was compromised until September 2nd. “On this particular date, the server had scheduled maintenance where the kernel and firmware were updated. After this date, we could not identify any similar patterns in logs, and this indicates that bad actors have lost access to the server,” the developer states.
However, the attackers still had login credentials for internal systems that allowed them to redirect update traffic to a malicious server under their control. On November 10th, the threat actor ceased its hacking attempts, though it had potential access until December 2nd.
According to the developer, multiple independent security researchers have assessed that the threat actor is likely a Chinese state-sponsored group, which would explain the highly selective targeting observed during the campaign.
The Notepad++ creator believes that the incident will be fully resolved once users of the text editor download and install v8.9.1.