
February 2, 2026

Chinese state-linked actors compromised Notepad++ update infrastructure


At a glance: A Chinese state-linked threat actor compromised the Notepad++ update infrastructure in a targeted supply-chain attack between June and December 2025. By exploiting weak verification in the WinGUp update mechanism, attackers redirected select organizations to malicious servers delivering trojanized installers. Several updates were released in December 2025 to address the compromise. 

Threat summary

On February 2, 2026, the developer of Notepad++ detailed a supply-chain compromise affecting the project’s update infrastructure. Researchers attributed the activity to a Chinese state-sponsored group based on targeting patterns, infrastructure analysis, and victimology.

Notepad++ is a widely used free text and source-code editor deployed across enterprise environments for scripting, configuration management, and development workflows.

Between June and December 2025, the threat actor gained unauthorized access to a specific shared-hosting instance at OVH, the project’s former hosting provider and a France-based cloud and hosting company.

During this period, selected organizations were redirected to malicious servers delivering tampered installers. There is no indication that OVH’s broader infrastructure was compromised; reporting confirms only the targeted shared hosting environment was affected.

The delivery of malicious installers was enabled by a lack of verification in WinGUp, the standalone update mechanism bundled with Notepad++. WinGUp was responsible for checking for new versions, retrieving update manifests, and downloading installers from the project’s remote update servers. Because the update servers were part of a compromised shared-hosting instance, the threat actors were able to manipulate the backend infrastructure WinGUp communicated with, which included altering update manifests, replacing installers, and redirecting requests to attacker-controlled servers.

As a result, users whose update traffic happened to route through the compromised hosting environment were exposed to the attacks.

Affected organizations included enterprises in the telecommunications and financial services sectors across East Asia. While broader exposure cannot be ruled out, available reporting suggests the adversary focused on specific targets rather than conducting indiscriminate distribution.

To mitigate the compromise, the project released several updates. On December 9, 2025, version 8.8.9 introduced strengthened signature and certificate verification for downloaded installers, closing the attack vector by enforcing stricter validation of update packages. On December 27, 2025, version 8.9 replaced a self-signed certificate with a GlobalSign-issued certificate to prevent further abuse.
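The two paragraphs above describe the failure and the fix at the design level: an updater that trusts whatever its server returns, and an updater that verifies a publisher signature before accepting an installer. The following Go program is an added illustration of that difference; it is not Notepad++ or WinGUp code, and it stands in an Ed25519 key pinned in the client for the Authenticode certificate checks the real fix uses. The manifest layout, the `update.example.invalid` URL and the installer bytes are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a constructed stand-in for the update manifest an updater
// fetches: advertised version, installer location, and expected SHA-256.
type Manifest struct {
	Version   string
	URL       string
	SHA256Hex string
}

// signedBytes fixes the byte layout the publisher's signature covers.
func (m Manifest) signedBytes() []byte {
	return []byte(m.Version + "\n" + m.URL + "\n" + m.SHA256Hex)
}

// UpdateServer models the backend the client talks to. In the scenario the
// advisory describes, every field here was under the attacker's control.
type UpdateServer struct {
	Manifest  Manifest
	Signature []byte // publisher signature over Manifest.signedBytes()
	Installer []byte
}

// NewManifest builds a manifest describing the given installer blob.
func NewManifest(version, url string, installer []byte) Manifest {
	sum := sha256.Sum256(installer)
	return Manifest{Version: version, URL: url, SHA256Hex: hex.EncodeToString(sum[:])}
}

func installerMatches(m Manifest, installer []byte) bool {
	sum := sha256.Sum256(installer)
	return hex.EncodeToString(sum[:]) == m.SHA256Hex
}

// InsecureUpdate trusts whatever the server returns. Checking the installer
// hash against a manifest from the same server adds nothing: whoever
// replaced the installer also rewrote the manifest.
func InsecureUpdate(s UpdateServer) ([]byte, error) {
	if !installerMatches(s.Manifest, s.Installer) {
		return nil, errors.New("installer hash does not match manifest")
	}
	return s.Installer, nil
}

// HardenedUpdate pins the publisher's public key in the client. The manifest
// must verify under that key before its hash is used to accept an installer,
// so a compromised server cannot substitute either one.
func HardenedUpdate(s UpdateServer, publisher ed25519.PublicKey) ([]byte, error) {
	if !ed25519.Verify(publisher, s.Manifest.signedBytes(), s.Signature) {
		return nil, errors.New("manifest signature invalid: refusing update")
	}
	if !installerMatches(s.Manifest, s.Installer) {
		return nil, errors.New("installer does not match signed manifest")
	}
	return s.Installer, nil
}

// Scenario runs both clients against a legitimate server and against one
// whose hosting was taken over. It reports whether each client accepted the
// tampered installer; err is non-nil only if the hardened client wrongly
// rejects the genuine update.
func Scenario() (insecureAccepted, hardenedAccepted bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	const url = "https://update.example.invalid/npp.Installer.exe" // placeholder

	genuine := []byte("constructed: genuine installer bytes")
	manifest := NewManifest("8.8.8", url, genuine)
	legit := UpdateServer{
		Manifest:  manifest,
		Signature: ed25519.Sign(priv, manifest.signedBytes()),
		Installer: genuine,
	}
	if _, err := HardenedUpdate(legit, pub); err != nil {
		return false, false, fmt.Errorf("genuine update rejected: %w", err)
	}

	// The attacker swaps the installer and regenerates the manifest to match,
	// but cannot sign under the publisher's key, so the old signature is
	// served unchanged.
	trojan := []byte("constructed: trojanized installer bytes")
	compromised := UpdateServer{
		Manifest:  NewManifest("8.8.8", url, trojan),
		Signature: legit.Signature,
		Installer: trojan,
	}
	_, insecureErr := InsecureUpdate(compromised)
	_, hardenedErr := HardenedUpdate(compromised, pub)
	return insecureErr == nil, hardenedErr == nil, nil
}

func main() {
	insecure, hardened, err := Scenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("tampered installer accepted: insecure=%v hardened=%v\n", insecure, hardened)
}
```

The point the scenario makes is that the hash in the manifest only protects the client when the manifest itself is bound to something the server operator cannot forge; with the key pinned in the client, taking over the hosting yields nothing that passes `HardenedUpdate`.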

Analysis & mitigation

Although the upstream issue has been resolved, organizations that used Notepad++ between approximately June and December 2025 may still face residual risk. The most reliable way to reduce that risk is to update all installations, remove the old certificate, and review historical installer execution activity.

Field Effect MDR clients are well-protected with layered visibility across endpoints, network traffic, and post-compromise behavior that provides strong coverage against the tactics used in this type of supply-chain compromise.

Organizations can reduce exposure by updating all Notepad++ installations to version 8.9 or later, which enforces certificate-based validation of update packages. Evidence in endpoint logs of Notepad++ installer executions during the affected window remains the strongest indicator of compromise, so those logs should be reviewed.

Additional recommendations include:

  • Monitoring for unexpected outbound connections to update endpoints

  • Enforcing application allow-listing for update mechanisms

  • Distributing Notepad++ through centralized software deployment rather than client-initiated auto updates
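The review of installer executions described above and the first recommendation in the list (watching the updater's outbound connections) both reduce to the same hunt over endpoint telemetry. The Go program below is an added example of that hunt, not tooling from Field Effect or the Notepad++ project. It runs over constructed process-creation and network records; the installer naming pattern, the `gup.exe` updater file name, the expected signer string and the `update.example.invalid` allow-list are assumptions to be replaced with values taken from a known-good installation, and only the June to December 2025 window comes from the advisory.

```go
package main

import (
	"fmt"
	"path"
	"strings"
	"time"
)

// ProcessEvent is a process-creation record as an EDR or Sysmon-style
// pipeline might export it. Field names are constructed for this example.
type ProcessEvent struct {
	Time   time.Time
	Host   string
	Image  string // full path of the executed binary
	Signer string // signer subject reported by the sensor; "" if unsigned
}

// NetEvent is an outbound-connection record tied to the originating process.
type NetEvent struct {
	Time    time.Time
	Host    string
	Image   string
	DstHost string
}

// Finding is one line of hunt output.
type Finding struct {
	Host, Reason, Detail string
}

// Hunt parameters. The window is the one the advisory gives; everything
// else is an assumption to replace with values from a known-good install.
var (
	windowStart = time.Date(2025, 6, 1, 0, 0, 0, 0, time.UTC)
	windowEnd   = time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC) // exclusive
	// Assumed installer naming convention, matched case-insensitively.
	installerGlob = "npp.*.installer*.exe"
	// Placeholder for the publisher subject seen on a known-good installer.
	expectedSigner = "CN=EXPECTED-PUBLISHER-PLACEHOLDER"
	// Assumed file name of the bundled updater binary.
	updaterImage = "gup.exe"
	// Hosts the updater is expected to reach; placeholder domain.
	allowedUpdateHosts = map[string]bool{"update.example.invalid": true}
)

// baseName returns the lower-cased file name from a Windows or POSIX path.
func baseName(image string) string {
	i := strings.LastIndexAny(image, `\/`)
	return strings.ToLower(image[i+1:])
}

func isInstaller(image string) bool {
	ok, err := path.Match(installerGlob, baseName(image))
	return err == nil && ok
}

func inWindow(t time.Time) bool {
	return !t.Before(windowStart) && t.Before(windowEnd)
}

// HuntProcesses flags installer executions inside the compromise window and
// installers whose signer is not the expected publisher (in any period).
func HuntProcesses(events []ProcessEvent) []Finding {
	var out []Finding
	for _, e := range events {
		if !isInstaller(e.Image) {
			continue
		}
		if inWindow(e.Time) {
			out = append(out, Finding{e.Host, "installer executed during compromise window", e.Time.Format(time.RFC3339) + " " + e.Image})
		}
		if e.Signer != expectedSigner {
			out = append(out, Finding{e.Host, "installer signer is not the expected publisher", fmt.Sprintf("%q %s", e.Signer, e.Image)})
		}
	}
	return out
}

// HuntNetwork flags updater connections to hosts outside the allow-list.
func HuntNetwork(events []NetEvent) []Finding {
	var out []Finding
	for _, e := range events {
		if baseName(e.Image) != updaterImage || allowedUpdateHosts[strings.ToLower(e.DstHost)] {
			continue
		}
		out = append(out, Finding{e.Host, "updater connected to unexpected host", e.DstHost})
	}
	return out
}

// Constructed sample telemetry; hosts, paths, versions and addresses are invented.
var sampleProcesses = []ProcessEvent{
	{time.Date(2025, 3, 10, 9, 0, 0, 0, time.UTC), "ws-01", `C:\Users\a\Downloads\npp.8.7.8.Installer.x64.exe`, expectedSigner},
	{time.Date(2025, 9, 14, 11, 30, 0, 0, time.UTC), "ws-02", `C:\Users\b\AppData\Local\Temp\npp.8.8.4.Installer.x64.exe`, expectedSigner},
	{time.Date(2025, 11, 3, 16, 5, 0, 0, time.UTC), "ws-03", `C:\Users\c\AppData\Local\Temp\npp.8.8.5.Installer.x64.exe`, "CN=Unknown Signer"},
	{time.Date(2025, 10, 2, 8, 0, 0, 0, time.UTC), "ws-04", `C:\Windows\System32\notepad.exe`, "CN=OS Vendor Placeholder"},
}

var sampleNet = []NetEvent{
	{time.Date(2025, 9, 14, 11, 29, 0, 0, time.UTC), "ws-02", `C:\Program Files\Notepad++\updater\gup.exe`, "update.example.invalid"},
	{time.Date(2025, 11, 3, 16, 4, 0, 0, time.UTC), "ws-03", `C:\Program Files\Notepad++\updater\gup.exe`, "203.0.113.7"},
	{time.Date(2025, 11, 3, 16, 4, 30, 0, time.UTC), "ws-03", `C:\Program Files\Browser\browser.exe`, "203.0.113.7"},
}

func main() {
	for _, f := range append(HuntProcesses(sampleProcesses), HuntNetwork(sampleNet)...) {
		fmt.Printf("%s  %s  %s\n", f.Host, f.Reason, f.Detail)
	}
}
```

On the sample data this yields three process findings (one in-window execution on ws-02, and both an in-window execution and an unexpected signer on ws-03) and one network finding (the updater on ws-03 reaching an address outside the allow-list). In a real hunt the same two functions would be fed the export from the EDR or SIEM, with the signer check being the one that distinguishes a legitimate update in the window from a tampered one.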

Continuous monitoring of third-party software supply chain dependencies remains essential for reducing exposure to similar infrastructure-level compromises.
