Notepad++ on Monday shared additional details on the supply chain attack that came to light in December 2025, saying that a threat actor likely sponsored by the Chinese government targeted some customers through its hosting provider.
News of the incident broke after Notepad++ released updates designed to prevent the free source code editor's updater from being hijacked.
Security researcher Kevin Beaumont reported in early December that a handful of organizations using Notepad++ had been targeted with malicious software updates.
The researcher said at the time that China-linked hackers had exploited Notepad++ to gain initial access to the systems of telecoms and financial services companies in East Asia.
Notepad++ creator and maintainer Don Ho has now made public the results of an investigation conducted in collaboration with external security experts and the shared hosting provider whose services were used at the time of the attack.
“According to the analysis provided by the security experts, the attack involved infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org,” Ho explained.
He added, “The exact technical mechanism remains under investigation, though the compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself. Traffic from certain targeted users was selectively redirected to attacker-controlled servers serving malicious update manifests.”
“Multiple independent security researchers have assessed that the threat actor is likely a Chinese state-sponsored group, which would explain the highly selective targeting observed during the campaign,” Ho noted.
Information collected during the hosting provider's investigation revealed that the attackers specifically targeted Notepad++ in order to intercept its users' traffic. The provider found no evidence that other customers on the shared server were targeted.
The attack appears to have started in June 2025, and the hosting firm determined that the server targeted by the hackers remained compromised until September 2, when the system underwent scheduled maintenance and its kernel and firmware were updated.
However, credentials obtained by the attackers before September allowed them to maintain access to the hosting provider's internal services until December 2. During this timeframe the threat actor was able to direct traffic bound for Notepad++ update servers to its own servers in order to deliver malware.
Notepad++ has since migrated to a new hosting provider and implemented client-side changes to verify update integrity.
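The client-side check below is an added example of the kind of update-integrity verification the article says Notepad++ introduced; it is not Notepad++'s own code. A manifest is accepted only if it verifies under a publisher key pinned in the client and the downloaded installer matches the hash inside that signed manifest, so a server reached through redirected traffic cannot substitute its own manifest or binary. The manifest format, the key pair and the sample installer bytes are assumptions constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Manifest is a hypothetical update manifest: version, installer URL and
// SHA-256 of the installer bytes. Bytes is the canonical form the publisher signs.
type Manifest struct {
	Version, URL string
	SHA256       [32]byte
}

func (m Manifest) Bytes() []byte {
	return append([]byte(m.Version+"|"+m.URL+"|"), m.SHA256[:]...)
}

// CheckUpdate accepts an update only if the manifest verifies under the publisher
// key pinned in the client AND the installer matches the hash in that signed manifest.
// A redirected server can serve any manifest or binary, but cannot sign with the pinned key.
func CheckUpdate(pinned ed25519.PublicKey, m Manifest, sig, installer []byte) error {
	if !ed25519.Verify(pinned, m.Bytes(), sig) {
		return errors.New("manifest signature invalid: refusing update")
	}
	if sha256.Sum256(installer) != m.SHA256 {
		return errors.New("installer hash mismatch: refusing update")
	}
	return nil
}

// Demo uses a throw-away publisher key pair (constructed here; in practice the private
// key never leaves the publisher) to show one genuine update accepted and two tampered ones refused.
func Demo() (genuineOK, swappedURLRejected, attackerKeyRejected bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	installer := []byte("constructed installer bytes")
	legit := Manifest{Version: "1.2.3", URL: "https://updates.example.invalid/app.exe", SHA256: sha256.Sum256(installer)}
	sig := ed25519.Sign(priv, legit.Bytes())
	genuineOK = CheckUpdate(pub, legit, sig, installer) == nil
	evil := legit // redirected server points clients at a binary it controls
	evil.URL = "https://attacker.example.invalid/app.exe"
	swappedURLRejected = CheckUpdate(pub, evil, sig, installer) != nil // publisher signature no longer matches
	_, evilPriv, _ := ed25519.GenerateKey(rand.Reader) // attacker signs with a key the client does not pin
	attackerKeyRejected = CheckUpdate(pub, evil, ed25519.Sign(evilPriv, evil.Bytes()), installer) != nil
	return
}

func main() { Demo() }
```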
