Chinese hackers exploit Notepad++ updater to target select users for months: Report


Notepad++ says its update system was reportedly hijacked for months in a targeted cyber campaign linked to suspected Chinese state-backed hackers, who redirected select users to malicious servers. The breach has been contained, with stronger security checks and update protections now in place.

The developer of Notepad++ has reportedly noted that its software update mechanism was covertly hijacked for several months last year, with evidence suggesting the operation was carried out by a Chinese state-sponsored threat group. (PIXABAY)

By Livemint


The developer of Notepad++ has reportedly noted that its software update mechanism was covertly hijacked for several months last year, with evidence suggesting the operation was carried out by a Chinese state-sponsored threat group.

According to BleepingComputer, attackers intercepted and selectively redirected update requests, steering certain users towards malicious servers and delivering tampered update information. The breach is believed to have begun in June 2025 and continued until early December.

Selective targeting of users

Rather than launching a broad attack, the intruders reportedly focused on specific victims. Security experts assisting the investigation said the redirections were highly selective, affecting only chosen systems rather than the wider Notepad++ user base.

Reportedly, researchers noted that this narrow scope, combined with the sophistication of the intrusion, points to a state-backed actor. Multiple independent analysts concluded the activity was likely linked to a Chinese government-aligned group.

The attackers are said to have exploited weaknesses in older versions of Notepad++’s WinGUp update tool, which lacked sufficient verification checks for update files.

Hosting provider compromise

Logs from the hosting provider may indicate that the server supporting Notepad++’s update application was compromised. This reportedly allowed the attackers to manipulate traffic and deliver malicious update manifests.

Reportedly, the breach temporarily stalled in early September after the server’s kernel and firmware were upgraded. However, the threat actor reportedly regained entry using internal service credentials that had not been rotated.

The unauthorised access persisted until 2 December 2025, when the hosting provider detected suspicious activity and terminated the connection.

Security fixes rolled out

In response, Notepad++ has migrated its infrastructure to a new hosting provider with stronger safeguards. The team has also rotated potentially exposed credentials, patched vulnerabilities and reviewed logs to confirm that the malicious activity has ceased.

The project previously released version 8.8.9 in December to address issues in the WinGUp updater. From that release onward, installer certificates and signatures are verified and the update XML files are cryptographically signed.

A further change is planned for version 8.9.2, which will introduce mandatory certificate signature verification for updates.

Users urged to take precautions

Although the campaign appears limited in scope, users are being advised to strengthen their security posture. Recommended steps include changing SSH, FTP/SFTP and MySQL credentials, reviewing WordPress administrator accounts, removing unnecessary users and enabling automatic updates for core software, plugins and themes.

Security researcher Kevin Beaumont previously warned that at least three organisations experienced follow-up reconnaissance activity after being affected by the hijacked updates.
