**Chinese Hackers Hit Notepad++ to Serve Malicious Update**

Notepad++, a popular free text and coding editor used by millions worldwide, has been compromised by Chinese hackers who successfully distributed a malicious update via the auto-update function. The attack, which was detected by Notepad++ developer Don Ho late last year, highlights the importance of staying vigilant in today's digital landscape.

The intrusion, which dates back to June 2025, targeted the hosting provider for notepad-plus-plus.org, the official domain for the text editor. This allowed the hackers to redirect a download link to their own servers, where they could then deliver a malicious update. "The attackers specifically targeted [the] Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++," Ho explained.

However, it appears that only certain users were affected by the malicious update, which was delivered via the WinGUp auto-update mechanism for Windows PCs. Security researcher Kevin Beaumont had warned about the threat on December 2, citing reports from "small numbers" of users who were experiencing problems. Beaumont noted that the download process lacked robust verification controls, making it vulnerable to tampering.

According to Ho, security researchers have uncovered evidence suggesting a Chinese state-sponsored hacking group is behind the breach. The targets appear to be organizations in the United States that work closely with the Chinese government, with the hackers specifically targeting users affiliated with telecommunications and financial services of interest to China.

Rapid7, a leading security provider, has published its own report detailing the malicious update. Dubbed "update.exe," it contains four files designed to create a backdoor on infected PCs, enabling the hackers to secretly steal sensitive information. The installation script creates a new directory called "Bluetooth" in the user's AppData folder and executes a file called "BluetoothService.exe."
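The on-disk artifacts described in the Rapid7 report (a "Bluetooth" directory under AppData containing "BluetoothService.exe") can be hunted for across local user profiles. The script below is an added example written for this page; it is not code from Notepad++, Rapid7 or the researchers cited, and it assumes the directory may sit under either the Roaming or Local AppData folder, since the article only says "the user's AppData folder". The report's file hashes are not reproduced here, so the script records a SHA-256 and signature status for comparison rather than matching a known value.

```powershell
# Added example: hunt for the artifacts the Rapid7 report describes.
# Assumption: the "Bluetooth" directory lives under Roaming or Local AppData
# of any profile in C:\Users; nothing beyond the article's description is used.
function Find-NotepadBackdoorArtifacts {
    $findings = @()
    $profiles = Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue
    foreach ($profile in $profiles) {
        foreach ($sub in @('AppData\Roaming\Bluetooth', 'AppData\Local\Bluetooth')) {
            $exe = Join-Path (Join-Path $profile.FullName $sub) 'BluetoothService.exe'
            if (Test-Path -LiteralPath $exe) {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                $findings += [pscustomobject]@{
                    User            = $profile.Name
                    Path            = $exe
                    SHA256          = (Get-FileHash -Path $exe -Algorithm SHA256).Hash
                    SignatureStatus = $sig.Status
                    Signer          = $sig.SignerCertificate.Subject
                }
            }
        }
    }
    # A running process of that name is worth recording as well.
    $procs = Get-Process -Name 'BluetoothService' -ErrorAction SilentlyContinue |
        Select-Object Id, Path, StartTime
    [pscustomobject]@{ Files = $findings; Processes = @($procs) }
}

$result = Find-NotepadBackdoorArtifacts
if ($result.Files.Count -eq 0 -and $result.Processes.Count -eq 0) {
    'No Bluetooth\BluetoothService.exe artifacts found on this host.'
} else {
    'Suspicious artifacts found; compare hashes against the Rapid7 report and isolate the host:'
    $result.Files | Format-Table -AutoSize
    $result.Processes | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session so every profile under C:\Users is readable; a hit is a lead to triage against the published indicators, not a verdict on its own.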

The investigation revealed that the hosting provider for notepad-plus-plus.org had been compromised, with logs showing signs of unauthorized access. A server update on September 2 cut off the intruders' access, but they still managed to obtain credentials for internal services on the same server. The hijacking was not completely shut down until December 9.

Notepad++ released a new version (8.8.9) to address the attack on December 9, which included enhanced security features such as verification of both the certificate and signature of the downloaded installer. The latest version, 8.9.1, includes even more robust security enhancements to prevent similar attacks in the future.
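The fix in 8.8.9, checking both the certificate and the signature of the downloaded installer, is the same check an administrator can apply by hand before running any installer obtained through an update channel. The function below is an added example, not the WinGUp code Notepad++ ships; the expected signer subject and certificate thumbprint are placeholders that must be taken from a known-good installer, because the article does not give them.

```powershell
# Added example: verify an installer's Authenticode signature AND pin the signer,
# so a file that is validly signed by someone else is still rejected.
# PLACEHOLDER values below are assumptions; replace them with the real signer
# details recorded from a known-good Notepad++ installer.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string]$InstallerPath,
        [string]$ExpectedSubject    = 'CN=PLACEHOLDER-EXPECTED-SIGNER',
        [string]$ExpectedThumbprint = 'PLACEHOLDER-EXPECTED-THUMBPRINT'
    )
    $sig = Get-AuthenticodeSignature -FilePath $InstallerPath
    # Status other than Valid covers unsigned, tampered and untrusted-chain cases.
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed for ${InstallerPath}: $($sig.Status) - $($sig.StatusMessage)"
    }
    $cert = $sig.SignerCertificate
    # Pin the signer: a valid signature from the wrong certificate is still a fail.
    if ($cert.Subject -ne $ExpectedSubject) {
        throw "Unexpected signer subject: $($cert.Subject)"
    }
    if ($cert.Thumbprint -ne $ExpectedThumbprint) {
        throw "Unexpected signer thumbprint: $($cert.Thumbprint)"
    }
    [pscustomobject]@{
        Path       = $InstallerPath
        Signer     = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Verified   = $true
    }
}

# Usage: run against the downloaded file before executing it.
# Test-InstallerSignature -InstallerPath "$env:USERPROFILE\Downloads\npp.Installer.exe"
```

Pinning the subject and thumbprint is what distinguishes this from a bare signature check: the original weakness was that older Notepad++ versions did not verify what they downloaded at all, and a redirected download link can just as easily serve a file that is signed, only by the wrong party.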

Ho emphasized that users must update their Notepad++ software to the latest version (8.9.1) to ensure they are protected from any potential vulnerabilities. As Beaumont noted, "If you're using an older version of Notepad++, it's time to update – and not just because of this specific vulnerability."

Notepad++'s migration to a new hosting provider with improved security measures has also helped to prevent similar attacks in the future. The incident serves as a reminder of the importance of staying vigilant in today's digital landscape, where even seemingly innocuous software like Notepad++ can be compromised by sophisticated hackers.

**Take Action:**

* Update your Notepad++ software to the latest version (8.9.1)
* Verify the authenticity of any updates before installing them
* Use a reputable antivirus solution to detect and prevent malware infections

**Sources:**

* Don Ho, Notepad++ developer
* Kevin Beaumont, security researcher
* Rapid7 report on the malicious update