Ethical Hacking News
A state-sponsored cyber attack has been exposed, targeting the update service of Notepad++, leaving the app vulnerable to malicious updates. This incident highlights the importance of robust security measures in software updates and the growing threat landscape posed by state-sponsored cyber attacks.
The Notepad++ update service was compromised by a state-sponsored cyber criminal. The incident began in June 2025 and lasted until December 2, 2025. A self-signed certificate was used to distribute malicious updates, bypassing traditional security checks. Inadequate update verification controls created an entry point for the attackers. The incident highlights the importance of robust security measures in software updates and the need for organizations to regularly review and patch their applications.
A recent revelation has shed light on a sophisticated cyber attack that targeted the update service of Notepad++, a popular text editor widely used by individuals and organizations alike. According to the project's author, Richard Speed, a state-sponsored cyber criminal compromised Notepad++'s update service in 2025, leaving the app vulnerable to malicious updates.
The incident began in June 2025, when the shared hosting service was compromised, allowing attackers to redirect traffic from targeted users to attacker-controlled servers. The attack was not detected until September 2, when the hosting server was no longer accessible. Even after losing access, the attackers retained credentials for internal services until December 2, 2025. Investigations indicate that the overall compromise period spanned from June through December 2, 2025.
The compromised update service allowed attackers to distribute malicious updates, which were verified using a self-signed certificate issued by GlobalSign. However, in version 8.9 of Notepad++, only legitimate certificates issued by GlobalSign are used to sign release binaries. The project strongly recommends that users who previously installed the self-signed root certificate remove it.
The mechanism used in the exploit is still under investigation, but experts point out that inadequate update verification controls in older versions of Notepad++ created an entry point for the attackers. The use of a self-signed certificate enabled the attackers to bypass traditional security checks, making it easier for them to compromise the update service.
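The two checks this implies for a Windows endpoint, as an added example that is not code from the Notepad++ project or the original article: list any leftover root in the trusted root stores, and confirm that a downloaded installer is signed by a GlobalSign-issued certificate rather than a self-signed one. The subject pattern and the installer path are assumptions; replace them with the values for your environment.

```powershell
# Added example (not project code). Assumptions: the leftover root's subject
# contains the product name, and $InstallerPath points at a downloaded installer.
param(
    [string]$SubjectPattern = '*Notepad++*',                   # assumed subject match
    [string]$InstallerPath  = 'C:\Temp\npp-installer.exe'      # placeholder path
)

function Get-LeftoverRoot {
    param([string]$Pattern)
    # Every entry in a Root store is a trust anchor, so match on subject.
    foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -like $Pattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                }
            }
    }
}

function Test-InstallerSigner {
    param([string]$Path, [string]$ExpectedIssuer = '*GlobalSign*')
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate          # $null when the file is unsigned
    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Issuer     = if ($cert) { $cert.Issuer } else { $null }
        SelfSigned = [bool]($cert -and $cert.Subject -eq $cert.Issuer)
        # 'Valid' only means the chain reaches *some* trusted root, so the
        # issuer name is checked as well and self-signed signers are rejected.
        Accept     = [bool]($cert -and $sig.Status -eq 'Valid' -and
                            $cert.Issuer -like $ExpectedIssuer -and
                            $cert.Subject -ne $cert.Issuer)
    }
}

$roots = @(Get-LeftoverRoot -Pattern $SubjectPattern)
$roots | Format-Table -AutoSize
foreach ($r in $roots) {
    # Dry run; drop -WhatIf to actually remove the trust anchor.
    Remove-Item -Path (Join-Path $r.Store $r.Thumbprint) -WhatIf
}
if (Test-Path $InstallerPath) { Test-InstallerSigner -Path $InstallerPath | Format-List }
```

Run the root-store audit before the signature check: while a self-signed root is still trusted, a binary chained to it also reports `Valid`. Removing entries from `Cert:\LocalMachine\Root` requires an elevated session.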
This incident highlights the importance of robust security measures in software updates and the need for organizations to regularly review and patch their applications. It also underscores the growing threat landscape posed by state-sponsored cyber attacks, which can have devastating consequences for individuals and organizations alike.
In conclusion, the Notepad++ update service hijacking serves as a wake-up call for software developers and users to prioritize security in their daily work. By staying vigilant and implementing effective security protocols, we can minimize the risk of similar attacks in the future.
Related Information:
https://www.ethicalhackingnews.com/articles/A-State-Sponsored-Cyber-Attack-Exposed-The-Notepad-Update-Service-Hijacking-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2026/02/02/notepad_plusplus_intrusion/
https://notepad-plus-plus.org/news/hijacked-incident-info-update/
https://www.secure.com/blog/notepad-update-mechanism-hijacked-by-state-sponsored-hackers-in-six-month-campaign
Published: Mon Feb 2 08:08:28 2026 by llama3.2 3B Q4_K_M