Ethical Hacking News

Notepad++ Users Exposed: Six-Month Compromise Reveals China-State Hackers' Exploitation of Update Infrastructure



Notepad++, a widely used text editor for Windows, has been compromised by suspected China-state hackers who exploited weaknesses in its update infrastructure for six months. The attack allowed malicious actors to deliver backdoored versions of the app to select targets. Notepad++ users are advised to check their version and update to 8.9.1 or higher immediately.

  • Notepad++ was compromised for six months by suspected China-state hackers exploiting update infrastructure vulnerabilities.
  • Malicious actors delivered backdoored versions of the app to select targets, gaining control through a Web-based interface.
  • Security incidents were discovered on devices with Notepad++ installed, resulting in hands-on-keyboard threat actors taking direct control.
  • The exploit occurred due to weaknesses in the GUP or WinGUP updater and a self-signed root certificate that could be easily tampered with.
  • Users are advised to run version 8.8.8 or higher, installed manually from the official website, as it is the latest recommended version.



    Notepad++, a popular text editor for Windows, has been exposed to a six-month compromise by suspected China-state hackers who exploited weaknesses in the update infrastructure. The attack, which began last June, allowed malicious actors to intercept and redirect update traffic destined for Notepad++'s official website. This, in turn, enabled them to deliver backdoored versions of the app to select targets.

    According to independent researcher Kevin Beaumont, three organizations told him that devices inside their networks that had Notepad++ installed experienced security incidents resulting in hands-on keyboard threat actors. These hackers were able to take direct control using a Web-based interface.

    Beaumont's suspicions were aroused when Notepad++ version 8.8.8 introduced bug fixes in mid-November to "harden the Notepad++ Updater from being hijacked." The update made changes to a bespoke Notepad++ updater known as GUP or WinGUP, which reports the version in use to https://notepad-plus-plus.org/update/getDownloadUrl.php and then retrieves a URL for the update from a file named gup.xml.

    The downloads themselves are signed, but some earlier versions of Notepad++ used a self-signed root certificate, which is available on GitHub. With release 8.8.7, this was reverted to GlobalSign. Effectively, the download was not robustly checked for tampering.
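
    A defensive check on the kind of updater response described above, as an added example that is not code from the article or from the Notepad++ project. The element names (GUP, Version, Location), the trusted-host list and the function names are assumptions, and the samples are constructed; it validates only the download URL, not the installer's signature.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumptions: hosts this organisation accepts for Notepad++ installers, and the
# minimum version the article says the developers now urge.
TRUSTED_HOSTS = {"notepad-plus-plus.org", "github.com"}
MIN_VERSION = (8, 9, 1)

def parse_version(text):
    """'8.9.1' -> (8, 9, 1); short forms are zero-padded so '8.9' -> (8, 9, 0)."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def check_update_response(xml_text):
    """Return findings for one updater response; an empty list means no issue."""
    if "<!DOCTYPE" in xml_text.upper():
        return ["response carries a DTD; refusing to parse"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return ["response is not well-formed XML"]
    location = (root.findtext("Location") or "").strip()
    if not location:
        return []  # no update offered, nothing to download
    findings = []
    url = urlsplit(location)
    host = (url.hostname or "").lower()
    if url.scheme != "https":
        findings.append("download URL is not HTTPS")
    if url.username is not None:
        findings.append("download URL embeds userinfo before the host")
    if host not in TRUSTED_HOSTS:  # exact match, so look-alike suffixes fail
        findings.append(f"unexpected download host: {host}")
    try:
        if parse_version(root.findtext("Version") or "") < MIN_VERSION:
            findings.append("offered version is below 8.9.1")
    except ValueError:
        findings.append("offered version is missing or unparseable")
    return findings

# Constructed sample responses (not captured traffic).
SAMPLE_OK = ("<GUP><NeedToBeUpdated>yes</NeedToBeUpdated><Version>8.9.1</Version>"
             "<Location>https://notepad-plus-plus.org/constructed/npp.exe</Location></GUP>")
SAMPLE_REDIRECTED = ("<GUP><NeedToBeUpdated>yes</NeedToBeUpdated><Version>8.8.6</Version>"
                     "<Location>http://notepad-plus-plus.org.cdn.example/npp.exe</Location></GUP>")

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("redirected", SAMPLE_REDIRECTED)):
        print(name, check_update_response(sample))
```
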

    Beaumont warned that search engines are "rammed full" of advertisements pushing trojanized versions of Notepad++ that many users unwittingly run inside their networks. He advised all users to ensure they're running the official version 8.8.8 or higher, installed manually from notepad-plus-plus.org. The developers have now urged all users to ensure they're running 8.9.1 or higher.

    Notepad++ has long attracted a large and loyal user base because it offers functions that aren't available from the official Windows text editor Notepad. Recent moves by Microsoft to integrate Copilot AI into Notepad have driven further interest in the alternative editor.

    However, like many other open-source projects, funding for Notepad++ is dwarfed by its dependence on the Internet, which made the six-month compromise possible. The weaknesses that made this exploit possible could easily have been caught and fixed had more resources been available to address these issues.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Notepad-Users-Exposed-Six-Month-Compromise-Reveals-China-State-Hackers-Exploitation-of-Update-Infrastructure-ehn.shtml

  • https://arstechnica.com/security/2026/02/notepad-updater-was-compromised-for-6-months-in-supply-chain-attack/

  • https://notepad-plus-plus.org/news/hijacked-incident-info-update/


  • Published: Mon Feb 2 15:28:23 2026 by llama3.2 3B Q4_K_M












