Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

APT

Nation-state hack exploited hosting infrastructure to hijack Notepad++ updates

Notepad++ maintainer says nation-state attackers hijacked the app’s update system by redirecting traffic at the hosting provider level. The Notepad++ maintainer revealed that nation-state hackers compromised the hosting provider’s infrastructure, redirecting update traffic to malicious servers. The attack did not exploit flaws in Notepad++ code but intercepted updates before they reached users. “According to the […]

Notepad++

Notepad++ maintainer says nation-state attackers hijacked the app’s update system by redirecting traffic at the hosting provider level.

The Notepad++ maintainer revealed that nation-state hackers compromised the hosting provider’s infrastructure, redirecting update traffic to malicious servers. The attack did not exploit flaws in Notepad++ code but intercepted updates before they reached users.

“According to the analysis provided by the security experts, the attack involved infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org.” reads the advisory published by the software maintainers. “The exact technical mechanism remains under investigation, though the compromise occured at the hosting provider level rather than through vulnerabilities in Notepad++ code itself. Traffic from certain targeted users was selectively redirected to attacker-controlled served malicious update manifests.”

The incident began in June 2025 and was linked by multiple researchers to a likely Chinese state-sponsored group, based on its highly selective targeting. Attackers compromised a shared hosting server until September 2, 2025, and later used stolen internal credentials to redirect Notepad++ update traffic to malicious servers until December 2.

The hosting provider moved all affected customers to a new server, fixed the vulnerabilities that were abused, and rotated all credentials that may have been exposed.

After completing these actions, the provider reviewed system logs and confirmed there was no evidence of continued attacker access or malicious activity.

The security expert found the attack ended on November 10, 2025, while the hosting provider reported possible attacker access until December 2. Combining both assessments, the compromise likely lasted from June to December 2, 2025.

The maintainers apologized to affected users and moved the Notepad++ site to a more secure hosting provider. The updater was strengthened to verify installer certificates and signatures, with signed update data and stricter checks fully enforced in the upcoming v8.9.2 release.

“The security exper’s analysis indicates the attack ceased on November 10, 2025, while the hosting provider’s statement shows potential attacker access until December 2, 2025.” concludes the advsory. “Based on both assessment, I estimate the overall compromise period spanned from June through December 2, 2025, when all attacker access was definitively terminated.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Notepad++)