The Notepad++ project has disclosed a sophisticated supply chain attack that quietly compromised its software update process over several months in 2025. The incident did not involve tampering with the core source code or official repositories of Notepad++, but instead exploited weaknesses at the hosting provider level.
Attackers gained control of the update delivery infrastructure between June and December 2025. This allowed them to selectively redirect update requests from a limited group of users to attacker-controlled servers, while the majority of the user base remained unaffected.
What Happened
- Update servers were hijacked without breaching the Notepad++ development environment
- Only specific users were targeted, not a mass audience
- Malicious payloads were delivered through the legitimate auto-update mechanism
- The malware included a previously undocumented backdoor
- Attackers maintained persistence even after early remediation attempts
Security analysts traced the activity to a China-linked threat group with medium confidence. Attribution was based on infrastructure patterns, tooling and operational behavior observed during forensic analysis.
Key Details at a Glance
| Aspect | Details |
|---|---|
| Attack type | Targeted supply chain compromise |
| Impact scope | Limited, selective users |
| Timeline | June to December 2025 |
| Malware | Undocumented backdoor |
| Disclosure | February 2026 |
Following public disclosure, the project migrated away from the affected hosting provider and released updated versions. These updates strengthen verification checks and introduce additional safeguards designed to prevent similar attacks in the future.
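The defensive point of the incident is that an updater must not trust whatever the download host serves. The Go program below is an added illustration of that principle, not Notepad++'s own updater code (the article does not show which checks the project added): the client pins the publisher's Ed25519 public key, verifies a signed release manifest, and only then compares the downloaded installer's SHA-256 against the digest the manifest states. The manifest layout, the version string "8.8.8", the key pair, the sample byte strings and the function names are all constructed for this example. It plays out the genuine release, a hijacked host swapping the installer under the real manifest, and a hijacked host serving a manifest signed with its own key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest describes one release. The client trusts only what a correctly
// signed manifest states, never what the download host happens to serve.
type Manifest struct {
	Version string
	SHA256  string // hex SHA-256 of the installer bytes
}

// canonical returns the exact bytes the publisher signs and the client verifies,
// so the digest cannot be altered without invalidating the signature.
func (m Manifest) canonical() []byte {
	return []byte("version=" + m.Version + "\nsha256=" + m.SHA256 + "\n")
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify against the pinned key")
	ErrDigestMismatch = errors.New("installer digest does not match the signed manifest")
)

// NewManifest is the publisher side: it records the digest of the real installer.
func NewManifest(version string, installer []byte) Manifest {
	sum := sha256.Sum256(installer)
	return Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])}
}

// SignManifest is also publisher side; the private key never lives on the update host.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.canonical())
}

// VerifyUpdate is the client side. pinned is compiled into the client, so a
// hijacked host cannot ship its own key alongside its own payload.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, sig, installer []byte) error {
	if !ed25519.Verify(pinned, m.canonical(), sig) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrDigestMismatch
	}
	return nil
}

// Scenario plays three downloads against one pinned key and returns the verdict
// for each: a genuine release, the real manifest with a swapped installer, and a
// manifest the hijacked host signed with a key of its own.
func Scenario() (genuine, swapped, forged error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // stands in for the vendor's key pair
	if err != nil {
		panic(err)
	}
	installer := []byte("constructed sample: genuine installer bytes")
	m := NewManifest("8.8.8", installer) // constructed version string
	sig := SignManifest(priv, m)
	genuine = VerifyUpdate(pub, m, sig, installer)

	// A hijacked host keeps the real manifest and signature but serves another binary.
	swapped = VerifyUpdate(pub, m, sig, []byte("constructed sample: substituted binary"))

	// The host instead serves a manifest it signed itself; the pinned key rejects it.
	_, hostPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	evil := []byte("constructed sample: substituted binary")
	em := NewManifest("8.8.8", evil)
	forged = VerifyUpdate(pub, em, SignManifest(hostPriv, em), evil)
	return genuine, swapped, forged
}

func main() {
	g, s, f := Scenario()
	fmt.Println("genuine release:", g)
	fmt.Println("swapped installer:", s)
	fmt.Println("host-signed manifest:", f)
}
```

Both hijack cases fail closed before anything is written to disk, and they fail for different reasons, which is useful for detection: a burst of signature failures at clients is a strong signal that the delivery host, rather than a single download, has been tampered with. Transport security alone would not have caught either case, since a compromised host can serve a valid TLS certificate for its own domain.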
The incident highlights how trusted update mechanisms can be abused even when source code integrity remains intact.