Arctic Wolf Security Bulletin

Notepad++ Publishes Full Details of 2025 Compromise

The Notepad++ open source project has disclosed new details about a supply chain compromise that impacted its update delivery infrastructure between June and December 2025.

On February 2, 2026, the Notepad++ open source project disclosed new details about a supply chain compromise that impacted its update delivery infrastructure between June and December 2025. The attack was attributed to state-sponsored threat actors with links to China. 

In this campaign, the threat actors gained access to a third-party hosting provider used by Notepad++ to distribute updates. From there, they selectively redirected update requests from specific, high-value targets to attacker-controlled servers, enabling the delivery of malicious installers in place of legitimate updates.

To distribute malware in a targeted fashion, threat actors exploited insufficient verification controls in the WinGUp auto-updater, affecting Notepad++ versions 8.8.9 and earlier. Although hosting maintenance in September 2025 removed the attackers’ direct access to compromised infrastructure, they retained stolen internal credentials that would have allowed continued traffic redirection beyond that point. The malicious activity was fully identified and terminated on December 2, 2025. 

In response to the incident, Notepad++ implemented containment and remediation measures in December 2025 through the release of version 8.8.9. These changes enforced mandatory certificate and digital signature verification within the updater, tightened controls over update delivery paths, and moved update services off the compromised hosting infrastructure. 

Arctic Wolf has Managed Detection and Response detection coverage in place that matches several publicly known malicious behaviors associated with this campaign. 

Recommendation for Notepad++ 2025 Compromise

Manually Update to a Safe Notepad++ Version

Arctic Wolf strongly recommends that customers run Notepad++ v8.8.9 or later by manually downloading the installer from the official website. Avoid using the legacy auto-updater, as older versions do not verify installer signatures and could be vulnerable. 
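
One way to apply this recommendation on a Windows host, as an added example that is not Arctic Wolf or Notepad++ project code: the script reports whether the installed copy is older than v8.8.9 and accepts a manually downloaded installer only if its Authenticode signature validates and names the expected signer. The install path default, the parameter names, and the use of the numeric file-version fields are assumptions; the expected signer text must come from the project's own release announcement.

```powershell
# Added example (not Arctic Wolf or Notepad++ project code).
param(
    # Installer downloaded by hand from the official website.
    [Parameter(Mandatory)][string]$InstallerPath,
    # Text expected in the signer certificate subject. Obtain it from the
    # project's own release announcement; the bulletin gives no value.
    [Parameter(Mandatory)][string]$ExpectedSignerSubject,
    # Assumed default install location; adjust for other install types.
    [string]$InstalledExe = "$env:ProgramFiles\Notepad++\notepad++.exe"
)

$minimum = [version]'8.8.9'

# 1. Report whether the installed copy is older than the fixed release.
if (Test-Path -LiteralPath $InstalledExe) {
    $vi = (Get-Item -LiteralPath $InstalledExe).VersionInfo
    # Assumption: the numeric file-version fields track the release number.
    $installed = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart)
    if ($installed -lt $minimum) {
        Write-Warning "Installed Notepad++ $installed is older than $minimum."
    } else {
        Write-Output "Installed Notepad++ $installed meets the minimum $minimum."
    }
} else {
    Write-Output "No Notepad++ found at $InstalledExe."
}

# 2. Reject the installer unless its Authenticode signature validates
#    and the signer subject contains the expected publisher text.
$sig = Get-AuthenticodeSignature -LiteralPath $InstallerPath
$subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
$signerOk = $subject.IndexOf($ExpectedSignerSubject,
    [StringComparison]::OrdinalIgnoreCase) -ge 0

if ($sig.Status -ne 'Valid') {
    Write-Error "Signature status is '$($sig.Status)': do not run $InstallerPath."
    exit 1
}
if (-not $signerOk) {
    Write-Error "Unexpected signer '$subject': do not run $InstallerPath."
    exit 1
}
Write-Output "Signature valid. Signer: $subject"
Write-Output "Thumbprint: $($sig.SignerCertificate.Thumbprint)"
```

A non-zero exit code means the installer should be discarded and downloaded again from the official website.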
