

Ethical Hacking News

Notepad++ Users Vulnerable to Months-Long Hijacking Attack That May Have Spied for China


A recent update by the app's developer reveals a months-long hijacking attack that targeted Notepad++ users, potentially allowing hackers remote access to their devices.

  • The popular text editor Notepad++ was left vulnerable to a months-long hijacking attack.
  • The attack, attributed to a Chinese state-sponsored group, may have compromised users' devices and data.
  • The attackers redirected victims to attacker-controlled servers, where malicious updates were served, potentially granting remote access to the victim's keyboard.
  • Users are advised to run at least version 8.8.9 of Notepad++ to address vulnerabilities.
  • Users should double-check for unofficial versions and monitor activity from the app's updater to stay safe.



    In a disturbing revelation that has sent shockwaves through the cybersecurity community, Notepad++, a popular text and code editor, has been left vulnerable to a months-long hijacking attack that may have compromised its users' devices. The attack, which took place at the app's unnamed, now-former hosting provider, involved highly selective targeting, with victims being redirected away from the legitimate Notepad++ website.

    According to an update posted by Don Ho, the developer of Notepad++, the hijacking occurred from June through December 2025, and the hackers were likely a Chinese state-sponsored group. The attack involved selectively redirecting traffic from certain targeted users to attacker-controlled servers, where malicious update manifests were served to victims.

    When victims were redirected, their app update could be replaced with a malicious executable that, according to independent cybersecurity expert Kevin Beaumont, may have given the hackers remote access to a victim's keyboard. This raises serious concerns about the potential for data breaches and espionage.

    The developer did not specify when they became aware of the attack, but said that "all attacker access was definitively terminated" by December 2nd. Notably, Don Ho, the developer, has been vocal in his criticism of the Chinese government, particularly in a 2019 app update where he called one of his versions "Free Uyghur." At the time, he told The Verge that his website had faced DDoS attacks in response.

    To mitigate this vulnerability, users are advised to ensure they are running at least version 8.8.9 of Notepad++, which addressed the vulnerabilities from the hijacking attack. It is recommended that users download this version directly from the Notepad++ website to avoid any potential tampering with their app updates.

    In addition, Kevin Beaumont suggested that users double-check they are not using an unofficial version of Notepad++, keep a close eye on activity from "gup.exe," the app's updater, and check for a suspicious "update.exe" or "AutoUpdater.exe" file in their TEMP folder.
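
    The checks described above can be run as a single local triage pass. The PowerShell below is an added example, not code from Notepad++ or from the article; it assumes the default install directories, that the updater sits at updater\GUP.exe inside the install directory, and that the executable's numeric file version matches the release number.

```powershell
# Added example (not from the article): local triage for the advice above.
# Assumptions: default install directories; updater at <install>\updater\GUP.exe;
# the numeric file version of notepad++.exe matches the release number.
$minVersion  = [version]'8.8.9'                  # minimum version named in the article
$watchNames  = 'update.exe', 'AutoUpdater.exe'   # file names named in the article
$installDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'Notepad++' } |
    Where-Object { Test-Path -LiteralPath $_ }

function Get-SignatureSummary([string]$Path) {
    # Authenticode status, signer and hash, so a file can be compared with a known-good copy.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status
        Signer = $sig.SignerCertificate.Subject
        SHA256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

# 1. Installed version against the minimum, and the updater's signature.
foreach ($dir in $installDirs) {
    $exe = Join-Path $dir 'notepad++.exe'
    if (Test-Path -LiteralPath $exe) {
        $vi    = (Get-Item -LiteralPath $exe).VersionInfo
        $ver   = [version]('{0}.{1}.{2}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart)
        $state = if ($ver -ge $minVersion) { 'OK' } else { 'OUTDATED' }
        '{0}: version {1} [{2}]' -f $exe, $ver, $state
    }
    $gup = Join-Path $dir 'updater\GUP.exe'
    if (Test-Path -LiteralPath $gup) { Get-SignatureSummary $gup | Format-List }
}
if (-not $installDirs) { 'No Notepad++ found in the default install directories.' }

# 2. Updater processes running right now, with the path they were started from.
Get-Process -Name gup -ErrorAction SilentlyContinue |
    Select-Object Id, Path, StartTime | Format-Table -AutoSize

# 3. The two file names anywhere under the current user's TEMP folder.
$hits = Get-ChildItem -LiteralPath $env:TEMP -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -in $watchNames }
foreach ($f in $hits) {
    Get-SignatureSummary $f.FullName |
        Add-Member -NotePropertyName LastWrite -NotePropertyValue $f.LastWriteTime -PassThru |
        Format-List
}
if (-not $hits) { "No update.exe or AutoUpdater.exe found under $env:TEMP" }
```

    These file names are generic, so a match in TEMP is a lead to review rather than a verdict; a file whose signature status is not Valid is the one to examine first.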

    This attack highlights the importance of vigilance when it comes to software updates and security. As with any vulnerability, it is crucial that users remain informed and take proactive steps to protect themselves from potential attacks.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Notepad-Users-Vulnerable-to-Months-Long-Hijacking-Attack-That-May-Have-Spied-for-China-ehn.shtml

  • https://www.theverge.com/tech/872462/notepad-plus-plus-server-hijacking

  • https://www.bleepingcomputer.com/news/security/notepad-plus-plus-update-feature-hijacked-by-chinese-state-hackers-for-months/


  • Published: Tue Feb 17 15:18:20 2026 by llama3.2 3B Q4_K_M












