Last month the maintainer of Notepad++ published a disclosure that will make any developer or sysadmin uncomfortable.
For about six months, from June through December 2025, the software's update mechanism had been hijacked by a Chinese state-sponsored threat actor.
Every time a targeted user hit "Check for Updates", they were potentially downloading malware instead of a legitimate new version, and the installer looked and behaved exactly like the real thing.
Notepad++ is not a niche tool. It is one of the most widely installed text editors in the world, used daily by developers, system administrators, network engineers, and security professionals.
That demographic is precisely why it was targeted. In enterprise environments, these are often the most privileged users on the network. Compromise their workstation through a trusted update and you have bypassed the perimeter entirely.
The attackers did not touch a single line of Notepad++ source code. They did not compromise its GitHub repository or its release binaries.
Instead, they went after the infrastructure underneath: the shared hosting server where notepad-plus-plus.org was hosted.
Once inside, they had control over the update endpoint, the URL that WinGUP, Notepad++'s built-in updater, contacts to retrieve the download address for new versions.
The hosting provider confirmed that the shared server was directly compromised from June until 2 September 2025, when a scheduled kernel and firmware update severed the attackers' access.
But that was not the end. The attackers had already harvested internal service credentials during their time on the server, and those credentials allowed them to continue redirecting Notepad++ update traffic to their own servers for another three months, all the way to 2 December 2025, when the hosting provider rotated all credentials and closed the remaining access.
It is worth noting a small irony in the story: previous versions of Notepad++ started to be flagged as malicious software by anti-virus products due to some signing problems, so the author moved to a self-signed certificate approach in v8.8.3, as a principled stance against paying corporations for code-signing certificates.
That decision was criticised at the time by the security community, but the criticism was ignored. It contributed directly to the attack chain!
Notepad++ no longer uses a self-signed certificate.
Below are some key takeaways from this story:
- Update immediately: If you are running any version of Notepad++ prior to v8.9.2, update now using a manual download from the official GitHub releases page, not the built-in updater.
- Check whether you were affected: Various security vendors have published indicators of compromise. If your organisation had Notepad++ installed on any machine between July and November 2025 and auto-updates were enabled, run those IoCs against your environment before assuming you are clean. Look specifically for unexpected instances of BluetoothService.exe, log.dll, or AutoUpdater.exe spawned from the Notepad++ process tree.
- Third-party hosting infrastructure is part of your supply chain risk: The vulnerability here was not in Notepad++ code. It was in a shared hosting provider that held the keys to the update mechanism. Software vendors, and the enterprises that depend on them, need to scrutinise not just the code they ship but the infrastructure that delivers it. Shared hosting is a particular risk for open-source projects that do not have the resources of larger vendors.
- Developer tools carry enterprise-grade risk: Notepad++ lives outside most enterprise software procurement and patch management processes because it feels like a personal tool. It is not. It runs on the workstations of the people with the most privileged access in the organisation. Any software running in those environments needs to be subject to the same update verification, monitoring, and patch cadence as formally managed enterprise software.
- App whitelisting/blacklisting: Should you have Notepad++ in your organisation at all? Do you even know whether some of your staff use it or have installed it? What about other applications? (Think WinRAR, which was involved in another recent set of security incidents and alerts.)
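To make the "check whether you were affected" step concrete, here is an added example (not code from the original post or from the Notepad++ project) that hunts constructed Sysmon-style process-creation and image-load records for the three file names named above, and reports a hit only when the process tree leads back to notepad++.exe. The event layout, the sample paths and the GUP.exe updater location are assumptions; only the indicator names come from the post.

```python
"""Hunt constructed process/image-load events for the Notepad++ updater IoCs."""
from __future__ import annotations

# File names the post says to look for under the Notepad++ process tree.
IOC_NAMES = {"bluetoothservice.exe", "log.dll", "autoupdater.exe"}
NOTEPAD_IMAGE = "notepad++.exe"


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(pid: int, parent_of: dict[int, int], image_of: dict[int, str]):
    """Yield the image name of every recorded ancestor of pid (cycle-safe)."""
    seen: set[int] = set()
    while pid in parent_of and pid not in seen:
        seen.add(pid)
        pid = parent_of[pid]
        if pid in image_of:
            yield basename(image_of[pid])


def find_ioc_hits(events: list[dict]) -> list[dict]:
    """Return events whose file name is an IoC and whose process chain
    (the process itself plus its ancestors) contains notepad++.exe."""
    procs = [e for e in events if e["type"] == "process"]
    parent_of = {e["pid"]: e["ppid"] for e in procs}
    image_of = {e["pid"]: e["image"] for e in procs}
    hits = []
    for e in events:
        if basename(e["image"]) not in IOC_NAMES:
            continue
        chain = [basename(image_of.get(e["pid"], ""))]
        chain += list(ancestors(e["pid"], parent_of, image_of))
        if NOTEPAD_IMAGE in chain:
            hits.append({**e, "chain": chain})
    return hits


# Constructed sample telemetry: an updater chain plus one benign look-alike.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": r"C:\Program Files\Notepad++\notepad++.exe"},
    {"type": "process", "pid": 300, "ppid": 200, "image": r"C:\Program Files\Notepad++\updater\GUP.exe"},
    {"type": "process", "pid": 400, "ppid": 300, "image": r"C:\Users\u\AppData\Local\Temp\AutoUpdater.exe"},
    {"type": "process", "pid": 500, "ppid": 400, "image": r"C:\Users\u\AppData\Local\Temp\BluetoothService.exe"},
    {"type": "imageload", "pid": 500, "image": r"C:\Users\u\AppData\Local\Temp\log.dll"},
    {"type": "process", "pid": 600, "ppid": 100, "image": r"C:\Tools\BluetoothService.exe"},  # not under Notepad++
]

if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_EVENTS):
        print(hit["type"], hit["image"], "<-", " <- ".join(hit["chain"][1:]))
```

Walking the full ancestor chain matters because the second-stage binary is several hops below notepad++.exe; a parent-only check would only catch the first hop.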

Notepad++ and the joy of shadow IT application procurement