**Nation-state Hack Exploits Hosting Infrastructure to Hijack Notepad++ Updates**

A sophisticated nation-state attack has been uncovered, which exploited the hosting infrastructure of popular text editor Notepad++ to hijack its updates. The attackers, believed to be a Chinese state-sponsored group, compromised the hosting provider's infrastructure, redirecting update traffic to malicious servers.

According to an advisory published by the software maintainers, the attack did not exploit flaws in Notepad++ code itself but rather intercepted updates before they reached users. "The exact technical mechanism remains under investigation, though the compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself," reads the advisory.

The incident began in June 2025 and was linked by multiple researchers to a likely Chinese state-sponsored group based on its highly selective targeting. Attackers compromised a shared hosting server until September 2, 2025, and later used stolen internal credentials to redirect Notepad++ update traffic to malicious servers until December 2.

Not only did the attackers compromise the hosting provider's infrastructure, but they also selectively redirected traffic from certain targeted users to attacker-controlled servers with malicious update manifests. This level of sophistication suggests a highly organized and coordinated effort by the nation-state hackers.

The security expert found that the attack ended on November 10, 2025, while the hosting provider reported possible attacker access until December 2. Combining both assessments, it is estimated that the compromise likely lasted from June to December 2, 2025.

Notepad++ maintainers have taken steps to strengthen the updater by verifying installer certificates and signatures, with signed update data and stricter checks fully enforced in the upcoming v8.9.2 release. The site has also been moved to a more secure hosting provider, ensuring that users are protected from any potential future attacks.

While the exact mechanism of the attack remains under investigation, this incident highlights the importance of robust security measures in hosting infrastructure and the need for continuous monitoring and improvement. As security researchers continue to unravel the details of this sophisticated nation-state hack, it serves as a stark reminder of the ever-evolving threat landscape.

**Stay Informed with Security Affairs**

Follow me on Twitter: @securityaffairs

Follow me on Facebook

Follow me on Mastodon