Between June and late 2025, threat actors compromised the shared hosting infrastructure used by Notepad++ and selectively hijacked update traffic destined for notepad-plus-plus.org. Rather than exploiting a vulnerability in Notepad++ code, the attackers abused access at the hosting-provider level to intercept requests and redirect targeted users to attacker-controlled servers serving malicious update manifests. The campaign was highly selective, affecting only specific users and focusing exclusively on the Notepad++ domain.
Multiple independent researchers assess the activity as likely conducted by a Chinese state-sponsored group, based on the precision of targeting and operational discipline. Although server access was reportedly lost by early September 2025, the attackers retained credentials to internal hosting services until early December 2025, enabling continued traffic redirection. The incident was fully remediated by December 2, 2025, and Notepad++ has since migrated hosting providers and significantly hardened its update verification mechanisms.