Ethical Hacking News
Nation-state hackers hijacked Notepad++ updates by exploiting a vulnerability in the editor's hosting infrastructure rather than in the Notepad++ code itself, compromising thousands of users. The attack began in June 2025 and lasted until December 2, 2025; its highly selective targeting led researchers to attribute it to a likely Chinese state-sponsored group. The attackers compromised the hosting provider's infrastructure and redirected update traffic to malicious servers. In response, the hosting provider moved affected customers to a new server, and the Notepad++ maintainer strengthened the updater to verify installer certificates and signatures. The incident highlights the importance of securing not only software applications but also the infrastructure that hosts them.
Nation-state hackers have successfully exploited a vulnerability in the hosting infrastructure of a popular text editor, hijacking the update system and compromising thousands of users. The incident, which began in June 2025, involved highly selective targeting of certain users, suggesting that nation-state actors were behind the attack.
The Notepad++ maintainer revealed that nation-state hackers compromised the hosting provider's infrastructure, redirecting update traffic to malicious servers. This was made possible by the attackers intercepting updates before they reached users, rather than exploiting vulnerabilities in the Notepad++ code itself. The exact technical mechanism of the attack is still under investigation.
The compromise began in June 2025 and continued until December 2, 2025, with multiple researchers linking it to a likely Chinese state-sponsored group based on its highly selective targeting. Attackers compromised a shared hosting server until September 2, 2025, and later used stolen internal credentials to redirect Notepad++ update traffic to malicious servers.
To mitigate the attack, the hosting provider moved all affected customers to a new server, fixed the vulnerabilities that were abused, and rotated all credentials that may have been exposed. After completing these actions, the provider reviewed system logs and confirmed there was no evidence of continued attacker access or malicious activity.
The security expert found that the attack ended on November 10, 2025, while the hosting provider reported possible attacker access until December 2. Combining both assessments, the compromise likely lasted from June to December 2, 2025.
The incident highlights the importance of securing not only software applications but also the underlying infrastructure that hosts them. Nation-state actors are known for their sophisticated and targeted attacks, often using complex techniques to evade detection and compromise systems.
In response to this attack, the Notepad++ maintainer strengthened the updater to verify installer certificates and signatures, with signed update data and stricter checks fully enforced in the upcoming v8.9.2 release. This move is aimed at preventing similar attacks in the future.
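The defence described above, as an added example that is not Notepad++'s own updater code: a Go updater that verifies a signed update manifest against a public key pinned in the client, then checks the downloaded installer against the digest in that manifest, so a compromised hosting server that swaps either file is rejected. The manifest format, the function names and the sample installer bytes are assumptions constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the signed update metadata fetched from the host (hypothetical format, not Notepad++'s own).
type Manifest struct {
	Version string `json:"version"`
	SHA256  string `json:"sha256"` // hex digest of the installer bytes
}
var ErrBadSignature = errors.New("manifest signature invalid")
var ErrBadDigest = errors.New("installer digest does not match manifest")

// VerifyUpdate checks the manifest signature against the public key pinned in
// the client, then checks the downloaded installer against the manifest digest.
// A compromised host can swap both files but cannot forge the signature.
func VerifyUpdate(pinned ed25519.PublicKey, manifestJSON, sig, installer []byte) (string, error) {
	if !ed25519.Verify(pinned, manifestJSON, sig) {
		return "", ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return "", err
	}
	if sum := sha256.Sum256(installer); hex.EncodeToString(sum[:]) != m.SHA256 {
		return "", ErrBadDigest
	}
	return m.Version, nil
}

// SignManifest is the release-side step; the private key never ships to clients.
func SignManifest(priv ed25519.PrivateKey, version string, installer []byte) ([]byte, []byte) {
	sum := sha256.Sum256(installer)
	b, _ := json.Marshal(Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])})
	return b, ed25519.Sign(priv, b)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed keys for the demo
	installer := []byte("constructed sample installer bytes")
	mj, sig := SignManifest(priv, "8.9.2", installer)
	fmt.Println(VerifyUpdate(pub, mj, sig, installer))         // 8.9.2 <nil>
	fmt.Println(VerifyUpdate(pub, mj, sig, []byte("swapped"))) // installer digest does not match manifest
}
```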
As the threat landscape continues to evolve, it is essential for individuals and organizations to remain vigilant and take proactive measures to protect themselves against cyber threats. Regular updates, patching, and secure software development practices are crucial in preventing such incidents.
Furthermore, the incident serves as a reminder of the importance of transparency and communication in the face of security breaches. The Notepad++ maintainer's prompt response and apology to affected users demonstrate a commitment to keeping users informed about potential risks and providing guidance on how to mitigate them.
The nation-state hack that exploited hosting infrastructure to hijack Notepad++ updates serves as a cautionary tale, reminding us that even seemingly innocuous applications can be targeted by sophisticated nation-state actors. It highlights the need for continued investment in cybersecurity measures and awareness programs to protect individuals and organizations from such threats.
In conclusion, this incident demonstrates the potential risks associated with hosting infrastructure vulnerabilities and the importance of securing software updates. As we move forward in an increasingly interconnected world, it is essential that we prioritize our security posture and take proactive steps to prevent similar incidents.
Related Information:
https://www.ethicalhackingnews.com/articles/Nation-state-Hackers-Hijack-Notepad-Updates-via-Hosting-Infrastructure-Compromise-ehn.shtml
https://securityaffairs.com/187531/security/nation-state-hack-exploited-hosting-infrastructure-to-hijack-notepad-updates.html
https://notepad-plus-plus.org/news/hijacked-incident-info-update/
Published: Mon Feb 2 05:28:26 2026 by llama3.2 3B Q4_K_M