Full Report
In a security update posted on the project’s website, the development team said the attack did not exploit a flaw in the editor’s source code itself. Instead, the compromise occurred at the infrastructure level, involving systems used to deliver software updates.
Analysis Summary
# Incident Report: Notepad++ Infrastructure Hijacking
## Executive Summary
The software update infrastructure for the popular Notepad++ text editor was compromised by suspected state-sponsored actors, enabling the attackers to intercept and redirect update traffic for specific users. The attack occurred at the infrastructure delivery level, not through exploitation of the editor's source code. Following detection, the development team issued an advisory, paused the malicious activity, and migrated their update infrastructure to a new provider with enhanced security controls.
## Incident Details
- Discovery Date: Unknown (Announced publicly on February 2nd, 2026)
- Incident Date: June 2025 – December 2025
- Affected Organization: Notepad++ Project Development Team
- Sector: Software/Technology (Open Source)
- Geography: Global (Affecting users whose update traffic was redirected)
## Timeline of Events
### Initial Access
- **Date/Time:** Began approximately June 2025
- **Vector:** Compromise of the software update delivery infrastructure.
- **Details:** Attackers successfully gained control allowing them to intercept and redirect update traffic destined for `notepad-plus-plus.org`. The exact technical mechanism for gaining access is under investigation.
### Lateral Movement
- Not applicable/Not disclosed as the attack targeted external infrastructure related to distribution, not internal network penetration.
### Data Exfiltration/Impact
- **Details:** The primary impact was the redirection of selected users to malicious update servers. While the full scope of data exfiltration is not detailed, the technique mirrors supply chain attacks where specific victim profiles are targeted (similar to the ASUS ShadowHammer campaign). The incident focused on hijacking the update mechanism rather than widespread tampering with the source code.
### Detection & Response
- **How it was discovered:** Disclosed by the development team following assessments by multiple independent security researchers.
- **Response actions taken:** Developers moved update infrastructure to a new hosting provider and introduced hardening security controls in version 8.9.1. Users were urged to upgrade.
## Attack Methodology
- **Initial Access:** Compromise of update delivery infrastructure (exact technical mechanism under investigation).
- **Persistence:** Maintenance of control over the update redirection capability throughout the specified six-month window.
- **Privilege Escalation:** Not detailed, likely leveraged account compromise or vulnerability in the CDN/hosting environment controlling update traffic.
- **Defense Evasion:** The attack was "on-path," occurring after traffic left the user's computer but before reaching the legitimate server, making it difficult to detect and potentially leaving limited forensic evidence.
- **Credential Access:** Not detailed.
- **Discovery:** Not detailed (Attribution linked to sophisticated actors based on infrastructure reuse, targeting, and operational characteristics).
- **Lateral Movement:** Not applicable (External infrastructure/supply chain focus).
- **Collection:** Highly selective redirection of update traffic targeting only a narrow set of users.
- **Exfiltration:** Implied delivery of malicious updates to targeted systems.
- **Impact:** Successful redirection of update traffic for specific users to malicious update servers.
## Impact Assessment
- **Financial:** Not disclosed.
- **Data Breach:** Not disclosed if user data was directly compromised, but the integrity of the software supply chain was severely impacted. Selective targeting implies specific victims were identified.
- **Operational:** Required immediate migration of update infrastructure and forced a public apology/security advisory from the development team.
- **Reputational:** Damage to user trust in the security of the widely used open-source project's delivery mechanism.
## Indicators of Compromise
- **Network indicators:** Traffic selectively redirected from `notepad-plus-plus.org` to unknown malicious update servers (specific server IPs/domains not listed).
- **File indicators:** Not detailed (Focus was on the delivery mechanism, not the resulting payload).
- **Behavioral indicators:** On-path redirection of legitimate software update requests.
## Response Actions
- **Containment measures:** Halting the malicious redirection activity affecting users.
- **Eradication steps:** Moving the entire update infrastructure to a new, secured hosting provider.
- **Recovery actions:** Releasing Notepad++ version 8.9.1 containing additional security controls to harden the update mechanism.
## Lessons Learned
- Critical failures were identified in the security posture of the update delivery infrastructure, despite the source code security being intact.
- Supply chain security extends beyond source code repositories to include external delivery systems (CDNs, update servers).
- "On-path" attacks against infrastructure can be highly stealthy and target only a small subset of users.
## Recommendations
- Immediately upgrade to Notepad++ version 8.9.1 or newer to benefit from hardened controls.
- Implement robust, potentially multi-party verification for update traffic signing and redirection checks.
- Diversify hosting providers for critical infrastructure components (like update delivery) to mitigate single points of failure and infrastructure compromise risk.
- Enhance monitoring on update server traffic patterns for anomalies, especially concerning selective redirection patterns.