If you use Notepad++, it's time to update. Hackers compromised the free text and coding editor to distribute a malicious update via the auto-update function.
Notepad++ developer Don Ho detected the suspicious activity late last year and confirmed the hijacking on Monday. Hackers targeted the hosting provider for notepad-plus-plus.org, the official domain for the text editor, rather than the program itself. That paved the way for them to redirect a download link to their own servers, which could then deliver a malicious update.
"The attackers specifically targeted [the] Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++," Ho added.
However, it appears the malicious update was delivered only to certain users. On Dec. 2, security researcher Kevin Beaumont warned about the threat, citing how "small numbers" of users were reporting problems. Beaumont noted that Notepad++'s WinGUp auto-update mechanism for Windows PCs was fetching URLs for the malicious updates.
“If you can intercept and change this traffic, you can redirect the download to any location it appears by changing the URL in the property,” he wrote at the time. “Effectively, there’s a situation where the download isn’t robustly checked for tampering.”
The compromise began as far back as June 2025. According to Ho, security researchers have uncovered evidence that suggests a Chinese state-sponsored hacking group is behind the breach. "I cannot estimate how many users may have been affected," Ho told PCMag. "What we do know is that the targets appear to be organizations in the United States that work closely with the Chinese government."
Beaumont adds that the hackers appear to have gone after users affiliated with telecommunications and financial services that China would be interested in targeting. The security provider Rapid7 has published its own report, which notes the hackers were spreading a program called "update.exe," which contains four files.
"Installation script is instructed to create a new directory 'Bluetooth' in '%AppData%' folder, copy the remaining files there, change the attribute of the directory to HIDDEN and execute BluetoothService.exe," Rapid7 says. The malicious update is designed to backdoor a PC, enabling the hackers to secretly steal files.
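A host check for the artifacts in the Rapid7 description above, as an added example that is not code from Rapid7, Notepad++ or this article. The function name `Find-BluetoothStaging` is hypothetical, and the script assumes profiles live under `<SystemDrive>\Users` with `%AppData%` at its default `AppData\Roaming` location.

```powershell
# Added example: look for the staging directory described in the Rapid7 quote
# (%AppData%\Bluetooth, set HIDDEN, holding BluetoothService.exe).
# Assumptions: profiles live under <SystemDrive>\Users and %AppData% is the
# default AppData\Roaming; run elevated to read other users' profiles.
param(
    [string]$ProfilesRoot = (Join-Path $env:SystemDrive 'Users')
)

function Find-BluetoothStaging {
    param([Parameter(Mandatory)][string]$Root)

    # -Force is needed throughout: hidden items are skipped by default.
    $profiles = Get-ChildItem -LiteralPath $Root -Directory -Force -ErrorAction SilentlyContinue
    foreach ($userDir in $profiles) {
        $candidate = Join-Path $userDir.FullName 'AppData\Roaming\Bluetooth'
        if (-not (Test-Path -LiteralPath $candidate -PathType Container)) { continue }

        $dir   = Get-Item -LiteralPath $candidate -Force
        $files = @(Get-ChildItem -LiteralPath $candidate -File -Force -ErrorAction SilentlyContinue)

        # Per-file evidence for triage: hash, Authenticode status, signer, timestamp.
        $evidence = foreach ($f in $files) {
            $sig = Get-AuthenticodeSignature -LiteralPath $f.FullName
            [pscustomobject]@{
                Name       = $f.Name
                SHA256     = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
                Signature  = $sig.Status
                Signer     = $sig.SignerCertificate.Subject
                CreatedUtc = $f.CreationTimeUtc
            }
        }

        [pscustomobject]@{
            User          = $userDir.Name
            Directory     = $candidate
            Hidden        = $dir.Attributes.HasFlag([System.IO.FileAttributes]::Hidden)
            HasServiceExe = [bool]($files | Where-Object { $_.Name -ieq 'BluetoothService.exe' })
            Files         = $evidence
        }
    }
}

$hits = @(Find-BluetoothStaging -Root $ProfilesRoot)
if ($hits.Count -eq 0) {
    Write-Output "No AppData\Roaming\Bluetooth directory found under $ProfilesRoot"
} else {
    $hits | ForEach-Object { $_ | Format-List User, Directory, Hidden, HasServiceExe; $_.Files | Format-Table -AutoSize }
}
```

A hit is a lead for triage rather than a verdict: a hidden directory containing BluetoothService.exe matches the description, and the hashes can be compared against Rapid7's report.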
During the investigation, the unnamed hosting provider for notepad-plus-plus.org confirmed that its logs showed signs of a compromise. On Sept. 2, a server update booted the hackers out. However, they still had access to credentials for internal services on the same server, allowing them to continue serving the malicious update.
The hijacking was completely shut down on Dec. 2. Seven days later, Notepad++ released a new version, 8.8.9, to address the attack.
In addition, the app migrated to a new hosting provider with better security. “Within Notepad++ itself, WinGUp (the updater) was enhanced in v8.8.9 to verify both the certificate and the signature of the downloaded installer,” Ho added. The newest version, 8.9.1, includes even more security enhancements.


