Notepad++’s update infrastructure was compromised for six months by suspected China-state actors, who used access to distribute backdoored updates to a targeted set of users. Developers said the incident affected a portion of Notepad++ users but did not specify numbers.
The attack began last June with an infrastructure-level compromise that allowed malicious parties to intercept and redirect update traffic destined for notepad-plus-plus.org. By doing so, they delivered tampered updates to selected targets while ordinary users received legitimate updates.
Notepad++ didn’t regain control of its update system until December. Officials with the hosting provider told incident responders that the breach persisted until September 2, and attackers retained credentials to internal services through December 2, enabling ongoing manipulation of update traffic to malicious servers.
Independent researchers including Kevin Beaumont noted that three organizations reported security incidents involving devices with Notepad++. The incidents were described as hands-on keyboard activity, implying the attackers gained direct control through a web-based interface. Beaumont said the organizations have East Asia interests, complicating attribution.
The investigation highlights how older Notepad++ versions lacked robust update verification. Notepad++ updated its updater, known as GUP or WinGUP, with version 8.8.8 in mid-November to harden it, but researchers say the risk remained. The updater system fetches the update URL via gup.xml and downloads the files to the device’s TEMP directory before executing them.
