- Notepad++’s hosting provider account was hijacked between June and December 2025.
- Attackers redirected update traffic for users of the built-in updater to malicious servers.
- Only users updating via the built-in updater were at risk. Manual downloads from official sources were safe.
- App binaries were not compromised. The attack leveraged weak update verification controls.
- Developers switched to a secure host, rotated credentials, and improved WinGup updater verification.
Notepad++, a widely used alternative to Windows 11’s native Notepad app, has confirmed that its hosting provider’s account was compromised by malicious actors between June and December 2025. The breach allowed attackers to redirect some users to malicious servers via compromised update manifests.
According to the official disclosure, security experts identified an infrastructure-level compromise at Notepad++’s former hosting provider. The attackers exploited the system to intercept update traffic destined for notepad-plus-plus.org, targeting a subset of users with malicious update files. Analysts suggest the targeted nature of the attack points to an espionage effort rather than a broad malware campaign.
The malicious individuals initially maintained access to the hosting servers until September 2, 2025. Even after losing direct access, they retained internal service credentials until December 2, 2025, enabling continued interception of update traffic. The exploit leveraged known vulnerabilities in older Notepad++ versions, including insufficient update verification controls.
Who was affected?
Only users who updated Notepad++ via the built-in updater between June and December 2025 were at risk. Users who downloaded installers manually from the official website or GitHub releases were not affected.
Security analysts confirm there is no evidence of mass command-and-control or widespread system exploitation. The attack appears highly targeted, likely at specific organizations or individuals.
Remediation and security enhancements
According to the app’s developer, Notepad++ has switched to a new, more secure hosting provider to prevent future infrastructure-level compromises.
Internal credentials at the previous provider have been rotated, ensuring that any lingering access from the attackers has been revoked.
The app’s updater, WinGup, was enhanced in version 8.8.9 to verify both the certificate and the installer signature, strengthening the security of update downloads.
The note-taking app is also expected to receive version 8.9.2 in the coming weeks, which will enforce strict XMLDSig certificate and signature verification for all updates, further protecting users from tampering or redirection attacks.
What should users do?
The Notepad++ team urges all users to manually update to version 8.9.1 or later and reset credentials for any services associated with the previous hosting environment, including SSH, FTP, and MySQL databases.
It’s also a good idea to run a full antivirus scan if you updated using the built-in updater during the affected period.
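As an added example (not code from Notepad++ or its developers), the PowerShell function below applies the two kinds of check described above, signature validity and signer certificate, to binaries already on disk. The function name, the scanned paths, the window dates and the thumbprint placeholder are assumptions; take the thumbprint from a release you have verified independently.

```powershell
# Added example: list binaries whose Authenticode signature is not valid or
# whose signer is not the pinned publisher certificate.
function Get-SuspectUpdateBinary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Path,               # folders to inspect
        [Parameter(Mandatory)] [string]   $ExpectedThumbprint, # pinned signer thumbprint
        [datetime] $WindowStart = [datetime]'2025-06-01',      # assumed start of "June 2025"
        [datetime] $WindowEnd   = [datetime]'2025-12-31'       # assumed end of "December 2025"
    )

    # Normalise the pinned value: thumbprints are compared as upper-case hex.
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()

    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.msi -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig     = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $signer  = $sig.SignerCertificate
            $reasons = @()

            # Check 1: the signature itself must validate (not NotSigned, HashMismatch, ...).
            if ($sig.Status -ne 'Valid') {
                $reasons += "signature status: $($sig.Status)"
            }
            # Check 2: a valid signature from a different certificate is still a finding.
            if ($signer -and $signer.Thumbprint -ne $expected) {
                $reasons += 'signer is not the pinned certificate'
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    File            = $_.FullName
                    LastWriteTime   = $_.LastWriteTime
                    WrittenInWindow = ($_.LastWriteTime -ge $WindowStart -and $_.LastWriteTime -le $WindowEnd)
                    Signer          = if ($signer) { $signer.Subject } else { $null }
                    Thumbprint      = if ($signer) { $signer.Thumbprint } else { $null }
                    Reasons         = $reasons -join '; '
                }
            }
        }
}

# Usage (paths and thumbprint are placeholders):
# Get-SuspectUpdateBinary -Path '<install-dir>', $env:TEMP -ExpectedThumbprint '<PUBLISHER-CERT-THUMBPRINT>' |
#     Sort-Object WrittenInWindow -Descending | Format-List
```

Unsigned third-party plugins and files signed with a renewed publisher certificate will also be listed, so treat the output as a review queue and prioritise entries where `WrittenInWindow` is true.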
This incident serves as a reminder of the risks of supply-chain attacks and the need to verify the authenticity of software sources and downloads. Even trusted developer accounts can be hijacked, highlighting the importance of robust hosting security and rigorous update verification.