Notepad Update Server Hacked In Sophisticated Supply Chain Attack

The Notepad++ community was left reeling yesterday when the project announced that its update server had been covertly hijacked in a sophisticated supply chain attack. The breach, which began in June 2025, exposed a subset of users to malicious installers delivered through the editor’s built-in updater. According to Notepad++, attackers - which it claims were “likely a Chinese state-sponsored group” - gained the ability to selectively redirect update requests from specific users to attacker-controlled servers.

Those victims were then served with a manipulated update manifest that pointed to a trojanized installer instead of the legitimate release. This was not a simple case of a mass compromise, as Notepad++ claims that the attack was “targeted”, with users “selectively redirected” to these attacker-controlled update manifests. As a result, users who manually downloaded installers from the official website were not affected, and most update requests continued to resolve normally.

It appears as though the attackers intercepted traffic at the hosting layer used by the update service, enabling them to discriminate between targets in real-time. This level of sophistication suggests that the attack was carefully planned and executed, with the attackers using their knowledge of the Notepad++ ecosystem to exploit vulnerabilities in the update process.

Notepad++’s shared hosting provider revealed that the shared server hosting “getDownloadUrl.php” was compromised until September 2, at which point scheduled kernel and firmware updates removed the attackers’ direct access. However, the provider said that the attackers retained credentials for internal services on the server until December 2, allowing them to continue redirecting some update traffic even after the initial compromise had been remediated.

The attackers specifically targeted the Notepad++ domain and showed no interest in other customers on the same server. This level of focus suggests that the attackers were motivated by a specific goal, rather than simply looking for easy targets. It also highlights the importance of robust security measures, as not all users who relied on the built-in updater were affected.

Backing up Notepad++’s claims, the attack has since been linked to a long-running Chinese espionage group, Lotus Blossom, by Rapid7. Active since 2009, the group has been linked to attacks on government, elecom, media, and aviation across Southeast Asia and Central America. “Our investigation identified a security incident stemming from a sophisticated compromise of the infrastructure hosting Notepad++, which was subsequently used to deliver a previously undocumented custom backdoor,” Rapid7’s report says.

The discovery of this attack has significant implications for the cybersecurity community. It highlights the importance of staying vigilant, even for seemingly secure projects like Notepad++. It also underscores the need for robust security measures, such as regular updates and patching, to protect against sophisticated attacks.

Notepad++ has since introduced stricter validation checks that verify both the digital signature and certificate of downloaded installers, preventing updates from proceeding if verification fails. Users who downloaded installers directly from its official website were not affected by the compromised redirect, while those who rely on the built-in updater can upgrade to the latest release to pick up the stricter verification flow for future updates.

In light of this attack, users are advised to exercise caution when updating their software, especially those that rely on automated update processes. It is also essential to keep software and systems up-to-date, as well as to use reputable sources for downloads and installations. By taking these precautions, individuals can significantly reduce the risk of falling victim to sophisticated attacks like the one targeted at Notepad++.

The incident also raises questions about the responsibility of software developers and their role in protecting users from security threats. While Notepad++ has taken steps to address the issue, it is essential for other projects to follow suit and prioritize security in their development processes. This includes implementing robust validation checks, conducting regular security audits, and staying informed about emerging threats.

The attack on Notepad++ serves as a wake-up call for the cybersecurity community, highlighting the importance of staying vigilant and taking proactive measures to protect against sophisticated attacks. By working together, individuals and organizations can create a more secure digital landscape and reduce the risk of falling victim to targeted attacks like this one.

A robust security posture is critical in today’s digital world, where threats can come from anywhere. The Notepad++ attack highlights the need for developers to prioritize security and take proactive steps to protect their users. By doing so, they can help create a safer online environment for everyone.

Software updates are no longer just a matter of convenience; they have become a critical aspect of maintaining cybersecurity. Regular updates and patching can significantly reduce the risk of falling victim to attacks like the one targeted at Notepad++. This is especially true for users who rely on automated update processes, as they may not be aware of potential vulnerabilities in their software.

The attack on Notepad++ has significant implications for the software development community. It highlights the need for developers to prioritize security and take proactive steps to protect their users. By implementing robust validation checks, conducting regular security audits, and staying informed about emerging threats, developers can help create a safer digital landscape.

As the cybersecurity landscape continues to evolve, it is essential for individuals and organizations to stay vigilant and take proactive measures to protect against sophisticated attacks. By working together, we can create a more secure digital environment that reduces the risk of falling victim to targeted attacks like this one.