Under Siege: Notepad++ Updates Compromised for Months, Potentially Serving Chinese Interests

Notepad++ Users Warned of Malicious Update After Server Hijacking

Notepad++ users may have inadvertently downloaded a dangerous update last year following a security breach on the app’s shared hosting servers. The app’s developer, Don Ho, recently disclosed more details about the incident, revealing that the hackers responsible were likely a Chinese state-sponsored group. The breach lasted for approximately six months, from June to December 2nd, 2025.

According to Ho’s update, the attack originated from the app’s former hosting provider, where traffic from specific users was redirected to malicious servers hosting fake update manifests. This allowed the hackers to replace legitimate updates with malicious executables, potentially granting them remote access to users’ devices, as cybersecurity expert Kevin Beaumont explained.

The attackers targeted specific individuals, particularly those with interests in East Asia, indicating a high level of selectivity in their approach. While the security vulnerability posed a significant threat, it appears that the hackers were more focused on surveilling particular targets than on casting a wide net.

Although the exact timeline of when the developer became aware of the breach was not specified, Ho confirmed that all unauthorized access was terminated by December 2nd. Notepad++ has since implemented enhanced security measures in its updater to prevent tampering and ensure the authenticity of updates.

To safeguard against potential risks, Notepad++ users are advised to update to version 8.8.9 or later, directly from the official website. Additionally, users should verify that they are not using unofficial versions of the software, monitor the activity of the app’s updater, and check for any suspicious files in their TEMP folder.
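
One way to carry out the version and TEMP-folder checks above on a Windows machine, as an added PowerShell example (not code from Notepad++ or from the article). The install paths, the 30-day lookback window and the file extensions inspected are assumptions; files it lists are leads to review by signer and hash.

```powershell
# Added triage sketch for the checks recommended above; not Notepad++ project code.
$MinVersion   = [version]'8.8.9'   # minimum version named in the article
$LookbackDays = 30                 # assumption: widen to cover your exposure window

# Assumption: default install locations; portable or custom installs need their own path.
$installs = @(
    "$env:ProgramFiles\Notepad++\notepad++.exe"
    "${env:ProgramFiles(x86)}\Notepad++\notepad++.exe"
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$installReport = foreach ($exe in $installs) {
    $vi  = (Get-Item -LiteralPath $exe).VersionInfo
    # Assumption: the numeric file version holds major.minor.patch in its first three parts.
    $ver = [version]("{0}.{1}.{2}" -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart)
    $sig = Get-AuthenticodeSignature -LiteralPath $exe
    [pscustomobject]@{
        Path      = $exe
        Version   = $ver
        UpToDate  = ($ver -ge $MinVersion)
        Signature = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer    = $sig.SignerCertificate.Subject   # empty when the file is unsigned
    }
}

# Recently written executables, libraries and installers under the user's TEMP folder.
$cutoff = (Get-Date).AddDays(-$LookbackDays)
$tempReport = Get-ChildItem -LiteralPath $env:TEMP -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { ($_.Extension -in '.exe', '.dll', '.msi') -and ($_.LastWriteTime -ge $cutoff) } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            Written   = $_.LastWriteTime
            Signature = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
            SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }

if (-not $installReport) { Write-Output 'No Notepad++ install found in the default locations.' }
$installReport | Format-List
$tempReport | Sort-Object Written -Descending | Format-Table -AutoSize -Wrap
```

Compare the reported version against Help > About in the application, since the version resource layout is an assumption here.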

In a notable stance against the Chinese government, Don Ho released a version of Notepad++ in 2019 dubbed the “Free Uyghur” edition, which led to DDoS attacks on his website. This incident underscores the ongoing importance of cybersecurity vigilance and the need to stay informed about potential threats.
