Notepad++ users may have unknowingly downloaded a malicious update after the app’s shared hosting servers were compromised last year, according to a new disclosure from the software’s developer.

On Monday, Notepad++ creator Don Ho confirmed that the app’s update system was targeted in a supply-chain attack that lasted for roughly six months, from June until December 2, 2025. Ho said the attackers were “likely a Chinese state-sponsored group” and exploited weaknesses at the app’s former hosting provider, not Notepad++’s own infrastructure.

According to the developer’s explanation, the attackers selectively redirected traffic from certain users to servers under their control. In those cases, the normal update process could be replaced with a malicious executable. Cybersecurity researcher Kevin Beaumont, who investigated the incident independently, said the malware may have allowed attackers to gain remote access to victims’ keyboards.

The attack appears to have been highly targeted rather than widespread. Beaumont noted that affected users he spoke with were mostly organizations with interests in East Asia, suggesting the hackers were focused on surveillance rather than mass infection.

Ho said all attacker access was fully cut off by December 2, 2025. Since then, the Notepad++ updater has been strengthened with additional security checks designed to detect tampering and verify the authenticity of updates.

Users are advised to ensure they are running Notepad++ version 8.8.9 or later, which includes fixes related to the attack. Security experts also recommend downloading updates directly from the official Notepad++ website, checking for unusual activity involving the updater process “gup.exe,” and looking for suspicious files such as “update.exe” or “AutoUpdater.exe” in the system’s temporary folder.
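The checks recommended above can be scripted. The PowerShell triage script below is an added example, not code from Notepad++ or from the researchers quoted. The default install path, the two temp locations, and the use of the binary's numeric file version as the release number are assumptions.

```powershell
# Added triage example. Paths and the version source are assumptions; adjust as needed.
$MinVersion = [version]'8.8.9'    # fixed release named in the article
$NppExe     = Join-Path $env:ProgramFiles 'Notepad++\notepad++.exe'   # assumed default install path
$TempDirs   = @($env:TEMP, (Join-Path $env:SystemRoot 'Temp')) | Select-Object -Unique   # assumed locations
$Names      = @('update.exe', 'AutoUpdater.exe')   # file names named in the article

# 1. Compare the installed build with the fixed release.
if (Test-Path -LiteralPath $NppExe) {
    $vi = (Get-Item -LiteralPath $NppExe).VersionInfo
    # Assumption: the numeric file version mirrors the release number.
    $installed = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart)
    [pscustomobject]@{
        Check     = 'Notepad++ version'
        Installed = $installed
        AtLeast   = $MinVersion
        UpToDate  = ($installed -ge $MinVersion)
    } | Format-List
} else {
    Write-Warning "Notepad++ not found at $NppExe"
}

# 2. Look for the reported file names in the temp folders; record hash and signature status.
foreach ($dir in $TempDirs) {
    Get-ChildItem -Path $dir -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $Names -contains $_.Name } |
        ForEach-Object {
            [pscustomobject]@{
                Check     = 'Temp file'
                Path      = $_.FullName
                Created   = $_.CreationTime
                Modified  = $_.LastWriteTime
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Signature = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
            }
        } | Format-List
}

# 3. List running gup.exe instances and any processes they started.
$procs = Get-CimInstance -ClassName Win32_Process
foreach ($gup in ($procs | Where-Object { $_.Name -eq 'gup.exe' })) {
    $procs | Where-Object { $_.ProcessId -eq $gup.ProcessId -or $_.ParentProcessId -eq $gup.ProcessId } |
        Select-Object Name, ProcessId, ParentProcessId, ExecutablePath, CommandLine |
        Format-List
}
```

A matching file name or a child process of gup.exe is a lead for review, since other software also uses generic names such as update.exe; the hash, signature status and timestamps give an analyst something to compare against the incident window of June to December 2, 2025.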


The incident also comes against a sensitive backdrop. In 2019, Ho publicly criticized the Chinese government by releasing a Notepad++ update titled the “Free Uyghur” edition. At the time, he said the project’s website faced repeated DDoS attacks following that release.



While the breach was limited in scope, the incident highlights how even widely trusted open-source tools can become targets through weaknesses in third-party infrastructure.
