Notepad++ Hijacked By China State-Sponsored Threat Actors

https://www.linkedin.com/pulse/warning-notepad-hijacked-china-state-sponsored-cb5ee

Publish Date: 2026-02-02 17:02:00

Source Domain: www.linkedin.com

A software update mechanism used by Notepad++, one of the world’s most widely used open-source text editors, was covertly hijacked last year in what security experts believe was a targeted cyber-espionage campaign linked to a Chinese state-sponsored threat actor, according to disclosures from the project’s developers.

In a detailed security notice published Monday, the Notepad++ development team revealed that attackers manipulated parts of the project’s update delivery infrastructure, enabling them to silently redirect a limited number of users to malicious servers posing as legitimate Notepad++ update sources. The compromise persisted for several months before being identified and contained.

Crucially, the developers said there is no evidence that the attackers altered the Notepad++ source code itself or breached its public code repositories. Instead, the intrusion occurred “at the infrastructure level,” targeting systems responsible for routing update requests from users’ computers to the official Notepad++ servers.

An “on-path” attack, not a code breach

According to the notice, the attackers were able to intercept update traffic after it left affected users’ machines but before it reached the project’s official domain, notepad-plus-plus.org. By rerouting those requests, the attackers could present malicious update servers that appeared legitimate to the software.

“The exact technical mechanism remains under investigation,” the developers said, noting that such attacks can exploit weaknesses in hosting providers, content delivery networks, or network routing protocols rather than application code.

Cybersecurity researchers often refer to these intrusions as “on-path” or “man-in-the-middle” attacks. Unlike conventional supply-chain compromises, which typically involve injecting malicious code directly into software builds or repositories, on-path attacks manipulate the delivery process itself. This makes them particularly difficult to detect, especially when they are selectively deployed.

Targeted, selective redirection

Notepad++ is a free, open-source text editor with millions of users across the globe, particularly among software developers, system administrators and cybersecurity professionals. Despite that vast user base, the developers emphasized that the attack was not indiscriminate.

Update traffic was “selectively redirected” for a subset of users, they said, rather than being broadly redirected for all Notepad++ installations. The project did not disclose how many systems were affected, but said the campaign appeared to be highly targeted.

Such selective targeting mirrors previous high-profile supply-chain incidents. In 2018, attackers compromised the update infrastructure of ASUS in an operation dubbed ShadowHammer. Researchers later determined that while malicious updates were distributed widely, the payload was designed to activate only on a small number of specifically identified machines. Analysts at SentinelOne described the campaign as a precision espionage effort rather than a financially motivated attack.

This approach is characteristic of advanced persistent threat (APT) groups, which often prioritize stealth and intelligence gathering over scale.

Timeline and attribution

According to the Notepad++ team, the hijacking began in June 2025 and continued until December, when the issue was identified and mitigated. The developers said multiple independent security researchers reviewed the activity and concluded it was “likely linked” to a Chinese state-sponsored threat actor.

The project did not name the researchers involved or release technical indicators publicly, citing the ongoing nature of the investigation. Attribution in cyber operations is inherently complex, experts note, and typically relies on circumstantial evidence such as infrastructure reuse, targeting patterns, malware design and operational behavior rather than definitive proof.

“Such assessments are rarely conclusive,” the developers acknowledged, adding that they were transparent about the uncertainty surrounding the attribution.

Supply-chain risks extend beyond code

The incident highlights a growing concern within the cybersecurity community: that software supply-chain security extends far beyond protecting source code repositories.

In recent years, governments and industry groups have focused heavily on securing open-source code, introducing measures such as reproducible builds, cryptographic signing and stricter repository access controls. However, the Notepad++ case illustrates that even when source code remains untouched, attackers may still find ways to compromise users by targeting hosting providers, update servers or network infrastructure.

Attacks like these highlight how software trust relies on every link in the supply chain. Open-source projects—often maintained by volunteers—may lack the resources of large companies, yet they remain attractive, high-value targets.
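The measure the article names, cryptographic signing of releases, is what makes an update client survive the kind of rerouting described above: trust comes from a publisher key compiled into the client, not from which server the request reached. The following Go client is an added illustration, not code from the Notepad++ project or its notice; the manifest format, the key pair, and the installer bytes are all constructed here, and only the version number is taken from the article.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the (constructed) update metadata a client fetches; trust comes only from
// the signature over it under a publisher key compiled into the client, never from the server.
type Manifest struct {
	Version string
	SHA256  string // hex digest of the installer the client must receive
}

// canonical fixes the byte layout that is signed so signer and verifier agree.
func (m Manifest) canonical() []byte {
	return []byte("version=" + m.Version + "\nsha256=" + m.SHA256 + "\n")
}

// SignManifest is the publisher's offline release step, included so the example is self-contained.
func SignManifest(m Manifest, priv ed25519.PrivateKey) []byte {
	return ed25519.Sign(priv, m.canonical())
}

// VerifyUpdate is the client-side check. A server reached through rerouted traffic can replace
// the manifest, the signature or the installer, but cannot sign under the pinned key.
func VerifyUpdate(m Manifest, sig []byte, pub ed25519.PublicKey, installer []byte) error {
	if !ed25519.Verify(pub, m.canonical(), sig) {
		return errors.New("manifest signature not valid under the pinned publisher key")
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("installer digest does not match the signed manifest")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // stand-in for the real publisher key pair
	genuine := []byte("constructed installer bytes")
	sum := sha256.Sum256(genuine)
	m := Manifest{Version: "8.9.1", SHA256: hex.EncodeToString(sum[:])}
	sig := SignManifest(m, priv)
	fmt.Println("genuine installer:", VerifyUpdate(m, sig, pub, genuine))
	// A redirecting server swaps in its own installer but can only replay the real manifest.
	fmt.Println("swapped installer:", VerifyUpdate(m, sig, pub, []byte("constructed malicious bytes")))
}
```

The same check rejects a forged manifest (its signature fails) and a manifest signed with any key other than the pinned one, so rerouting alone gives an on-path server nothing the client will install.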

Mitigation and response

In response to the incident, the Notepad++ team said it has migrated its update infrastructure to a new hosting provider and implemented additional security controls designed to harden the update process against future interference. Those changes were introduced in version 8.9.1 of the software.

Users are strongly encouraged to upgrade to the latest version, even if they believe they were not affected.

“I deeply apologize to all users affected by this hijacking,” the author of the security notice wrote, adding that the team is continuing to review its systems and work with external researchers to better understand how the compromise occurred.

While there is currently no public evidence that the attack led to widespread malware infections, the episode underscores the persistent interest of state-linked hacking groups in compromising trusted software distribution channels—and the ongoing challenge of securing them.