Full Report
Between June and late 2025, threat actors compromised the shared hosting infrastructure used by Notepad++ and selectively hijacked update traffic destined for notepad-plus-plus.org. Rather than exploiting a vulnerability in Notepad++ code, the attackers abused access at the ho...
Analysis Summary
# Incident Report: Notepad++ Update Traffic Hijacking via Hosting Compromise
## Executive Summary
Threat actors successfully compromised the shared hosting infrastructure utilized by Notepad++ between June and late 2025. The attackers exploited this infrastructure access to selectively hijack legitimate update traffic for Notepad++, redirecting targeted users to malicious update servers. The incident was fully remediated by December 2, 2025, resulting in Notepad++ migrating hosting providers and implementing stricter update verification.
## Incident Details
- Discovery Date: Not explicitly stated, but response concluded December 2, 2025.
- Incident Date: June 2025 through late 2025 (specifically, access loss noted by early September 2025, credential retention until early December 2025).
- Affected Organization: Notepad++ (notepad-plus-plus.org)
- Sector: Software Development / Open Source Tools
- Geography: Undisclosed hosting provider location, affecting global user base.
## Timeline of Events
### Initial Access
- Date/Time: Initiated in June 2025.
- Vector: Compromise of Notepad++'s shared hosting infrastructure at the server/hosting provider level.
- Details: Attackers abused existing access within the hosting environment.
### Lateral Movement
- Details: The primary technique involved abusing established hosting access to intercept and redirect traffic, rather than internal network lateral movement within the Notepad++ development environment itself. Attackers retained credentials to internal hosting services until early December 2025.
### Data Exfiltration/Impact
- Impact: Supply-chain compromise focused on redirecting users to malicious update manifests/servers, aiming to distribute malicious updates to targeted Notepad++ users.
### Detection & Response
- Detection: Not explicitly detailed, but remediation finalized by December 2, 2025.
- Response actions taken: The incident was fully remediated by December 2, 2025. Notepad++ migrated hosting providers and significantly hardened update verification mechanisms.
## Attack Methodology
- Initial Access: Compromise of the shared hosting infrastructure provider.
- Persistence: Attackers retained credentials to internal hosting services until early December 2025, enabling continued malicious operations while server access was reportedly lost by early September 2025.
- Privilege Escalation: N/A, access was gained via compromise of an existing infrastructure relationship (hosting provider).
- Defense Evasion: The attack operated at the infrastructure level, intercepting legitimate update traffic rather than exploiting the application code directly.
- Credential Access: Credential theft was used against internal hosting services, allowing continued access.
- Discovery: Not detailed.
- Lateral Movement: Abuse of hosting provider access to redirect traffic.
- Collection: Interception of update traffic manifests.
- Exfiltration: Redirection of targeted users to attacker-controlled servers serving malicious update manifests.
- Impact: Supply chain attack leading to potential malware distribution via software updates.
## Impact Assessment
- Financial: Not detailed.
- Data Breach: Not detailed, the primary goal was software supply chain manipulation.
- Operational: Interception/redirection of update traffic.
- Reputational: Potential trust erosion due to software supply chain incident.
## Indicators of Compromise
- Network indicators (defanged): Redirects targeting `notepad-plus-plus.org` update streams to external, attacker-controlled servers.
- File indicators: Malicious update manifests served by attackers.
- Behavioral indicators: Selective hijacking of update traffic associated with Notepad++.
## Response Actions
- Containment measures: Not detailed, but included loss of server access by early September 2025.
- Eradication steps: Full remediation achieved by December 2, 2025.
- Recovery actions: Migration to new hosting providers; significant hardening of update verification mechanisms.
## Lessons Learned
- Shared hosting environments significantly increase supply-chain risk when infrastructure access is leveraged for targeting.
- The persistence of retained credentials (until December 2025) highlights the danger of lingering access even after the primary point of compromise is addressed.
- Reliance on infrastructure-level security controls must be supplemented by application-level verification.
## Recommendations
- Implement strong multi-factor authentication and strict access controls for all hosting providers.
- Migrate critical services away from shared hosting environments when possible, or implement segmentation between core code distribution and general infrastructure.
- Enhance update verification mechanisms (e.g., cryptographic signing of update manifests) to validate integrity regardless of the source delivery path.