Notepad++ Hijacked by State-Sponsored Hackers — The Truth Behind the Software Update Chain Attack
Published: February 3, 2026
📈 Global Search Trends
Search volume for this keyword is currently on the rise.
| Country | Search Volume |
|---|---|
| 🇺🇸 United States (US) | 10K+ |
| 🇨🇦 Canada (CA) | 2K+ |
| 🇦🇺 Australia (AU) | 500+ |
| 🇹🇼 Taiwan (TW) | 100+ |
| 🇰🇷 South Korea (KR) | 100+ |
Why Is Notepad++ Making Headlines Right Now?
On February 2, 2026, Don Ho, the developer behind the open-source text editor used by tens of millions worldwide — Notepad++ — made a shocking official announcement. A state-sponsored hacker group linked to the Chinese government had taken control of Notepad++'s software update mechanism for approximately six months, distributing malware to certain users during that period.
Following the announcement, search volumes related to Notepad++ have increased across multiple countries. The United States alone recorded over 10,000 searches in a single day, with Canada (2K+), Australia (500+), Taiwan and South Korea (100+ each) also seeing a notable uptick. This reflects growing concern among developers and corporate security professionals about the incident.
How the Attack Unfolded
Phase 1 — Hosting Server Compromise (June 2025)
The attack began in June 2025. The hackers breached the shared hosting server where the official Notepad++ website was hosted. The compromise did not occur through a vulnerability in the Notepad++ application's code itself, but rather at the infrastructure level of the hosting environment.
Phase 2 — Update Traffic Redirection
The hackers specifically targeted Notepad++'s update endpoint, getDownloadUrl.php. This endpoint is the critical pathway used by Notepad++'s built-in updater, WinGUp, to download new versions. By redirecting certain users' update requests to attacker-controlled servers, the hackers delivered trojanized installation files instead of legitimate updates.
Phase 3 — Extended Persistence and Termination (September – December 2025)
According to the hosting provider, the shared server remained compromised until September 2, 2025. A scheduled maintenance update to the kernel and firmware cut off the attackers' direct server access. However, having already obtained credentials for internal services, the hackers were able to continue manipulating update traffic until December 2, 2025. Independent security researchers have assessed that actual malicious activity ceased around November 10, 2025.
Behind the Attack — Chinese State-Sponsored Hacker Groups
Security researcher Kevin Beaumont was the first to identify the incident, and multiple independent researchers have attributed the attack to Chinese state-sponsored groups, specifically Lotus Blossom (APT31) or Violet Typhoon (Zirconium).
According to an investigation by security firm Rapid7, the primary targets were organizations in the government, telecommunications, aviation, critical infrastructure, and media sectors — particularly those tied to East Asian interests. Beaumont noted that "at least three organizations experienced security incidents in which the Notepad++ process was used as a vector for initial access."
The attack follows a pattern consistent with the SolarWinds attack (2019–2020), a well-known software supply chain compromise.
Notepad++'s Response and Security Measures
The Notepad++ development team responded swiftly and proactively to the incident.
Security patches by version:
- v8.8.8 (November 2025): Update download sources restricted exclusively to GitHub, blocking external redirection.
- v8.8.9 (December 9, 2025): Digital signature and certificate verification enforced; unsigned installation files can no longer be executed.
- v8.9 (Current): Self-signed certificates have been deprecated; only official GlobalSign certificates are now accepted.
- v8.9.2 (Upcoming): Mandatory certificate signature verification based on XMLDSig to be introduced.
In addition, Notepad++ migrated to a new hosting provider with stronger security capabilities and regenerated all credentials that could have been obtained by the attackers.
Security Checklist for Notepad++ Users
If you are currently using Notepad++, the following steps are recommended:
- Update to the latest version (v8.9 or later) immediately — Perform the update via manual installation.
- Remove any existing self-signed root certificates — If a self-signed certificate was installed in versions after v8.8.3, delete it.
- Corporate environments: Block internet access for notepad-plus-plus.org or the gup.exe process, and manage updates through an internal package management system.
- Verify digital signatures — Confirm that the digital signature on any downloaded installation file is valid before running it.
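The three administrative steps in the checklist (verify the installer signature, hunt for stray self-signed roots, keep gup.exe off the internet) can be scripted. This is an added example, not code from the Notepad++ project; it assumes the signer subject contains "Notepad++", that the issuing CA name contains "GlobalSign" as the v8.9 note above states, and that gup.exe sits at the default install path, so confirm those patterns against a known-good installer before relying on them.

```powershell
# Added example for the checklist above; not code from the Notepad++ project.
# Assumptions (verify locally): signer subject matches 'Notepad++', issuer name
# matches 'GlobalSign', and the updater lives at the default install path.

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $InstallerPath,
        [string] $SubjectPattern = 'Notepad\+\+',   # assumed
        [string] $IssuerPattern  = 'GlobalSign'     # assumed, from the v8.9 note
    )
    $sig = Get-AuthenticodeSignature -FilePath $InstallerPath
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature not valid ($($sig.Status)): $($sig.StatusMessage)"
        return $false
    }
    $cert = $sig.SignerCertificate
    # A self-signed certificate reports 'Valid' only if someone added it to a trusted
    # root store; it is still its own issuer, so reject that case explicitly.
    if ($cert.Subject -eq $cert.Issuer) {
        Write-Warning "Installer is self-signed by: $($cert.Subject)"
        return $false
    }
    if ($cert.Subject -notmatch $SubjectPattern -or $cert.Issuer -notmatch $IssuerPattern) {
        Write-Warning "Unexpected signer/issuer: $($cert.Subject) / $($cert.Issuer)"
        return $false
    }
    return $true
}

# Lists self-signed Notepad++ certificates found in a trusted-root store (machine or
# user). Review the output, then remove them with Remove-Item on the listed PSPath.
function Find-SelfSignedNotepadRoots {
    Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
        Where-Object { $_.Subject -eq $_.Issuer -and $_.Subject -match 'Notepad\+\+' } |
        Select-Object Thumbprint, Subject, NotAfter, PSPath
}

# Outbound firewall block for the WinGUp updater process, so update delivery
# happens only through the internal package management system.
function Block-NotepadUpdater {
    param([string] $GupPath = "$env:ProgramFiles\Notepad++\updater\GUP.exe")  # assumed default path
    $name = 'Block Notepad++ WinGUp outbound'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Program $GupPath `
            -Action Block -Profile Any | Out-Null
    }
}

# Usage (run elevated for the firewall rule); the installer file name is a placeholder:
# Test-InstallerSignature -InstallerPath "$env:USERPROFILE\Downloads\<npp-installer>.exe"
```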
What This Incident Teaches Us
The Notepad++ incident is not simply a problem with one piece of software. It once again underscores the importance of Software Supply Chain Security. The source code of Notepad++ itself was never compromised; the attack succeeded because of a weakness at the infrastructure level, in how updates were delivered.
The increase in search volume and attention across the United States, Canada, Australia, Taiwan, South Korea, and other nations is a signal that global concern over software supply chain security is growing. The reason this incident has drawn significant attention is that Notepad++ is a tool used by tens of millions of developers and organizations worldwide.
Sources and References
- Notepad++ Official Security Notice: https://notepad-plus-plus.org/news/hijacked-incident-info-update/
- The Hacker News: https://thehackernews.com/2026/02/notepad-official-update-mechanism.html
- TechCrunch: https://techcrunch.com/2026/02/02/notepad-says-chinese-government-hackers-hijacked-its-software-updates-for-months/
- The Register: https://www.theregister.com/2026/02/02/notepad_plusplus_intrusion/
- BleepingComputer: https://www.bleepingcomputer.com/news/security/notepad-plus-plus-update-feature-hijacked-by-chinese-state-hackers-for-months/
- SecurityWeek: https://www.securityweek.com/notepad-supply-chain-hack-conducted-by-china-via-hosting-provider/
- Help Net Security: https://www.helpnetsecurity.com/2026/02/02/2025-notepad-supply-chain-compromise/
- The Record (Recorded Future): https://therecord.media/popular-text-editor-hijacked-by-suspected-state-sponsored-hackers