The developers of Notepad++, an open-source code editor for the Windows platform, published an analysis of an incident that compromised the provider’s network infrastructure and some users. The attack involved spoofed executable files downloaded through the WinGUp automatic update delivery system.
The attack was carried out by selectively redirecting traffic between the user and the update download server. A vulnerability in the mechanism that verifies downloaded updates allowed an attacker to spoof the update manifest, so that the updater requested a fictitious update together with the associated metadata used to verify its integrity.
Additional analysis revealed that the attack was orchestrated at the level of the hosting provider's infrastructure, which enabled the attackers to intercept and redirect traffic to the notepad-plus-plus.org domain. The attackers selectively served certain users a spoofed manifest containing update information. The attack began in June 2025 and persisted until December 2.
The attack was made possible by the compromise of the shared hosting server that hosted the notepad-plus-plus.org website. Although the loophole was closed on September 2, attackers could still redirect requests to their servers until December 2. Subsequently, the Notepad++ website was transferred to a more secure hosting provider.
In response to the incident, Notepad++ version 8.8.9 introduced mandatory checks of digital signatures and certificates for downloaded files. Release 8.9.2, expected within a month, will include digital signature verification for the XML manifest returned by the update delivery server.
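The following added example (not code from Notepad++ or WinGUp) illustrates why integrity metadata delivered inside a spoofed manifest offers no protection, and what checking a signature on the manifest changes. The manifest layout, element names, URLs and the tiny textbook RSA key are assumptions made so that the sketch runs on the Python standard library alone; the page does not say which signature scheme the project uses.

```python
import hashlib
import xml.etree.ElementTree as ET

# Toy textbook RSA so the example needs no third-party library (assumption:
# a real updater pins the publisher's public key and uses a vetted crypto library).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537   # two Mersenne primes, far too small for real use
N = P * Q                                 # public modulus, embedded in the updater
D = pow(E, -1, (P - 1) * (Q - 1))         # private exponent, held only by the publisher

def digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def publisher_sign(manifest: bytes) -> int:
    return pow(digest_int(manifest), D, N)

def signature_ok(manifest: bytes, sig: int) -> bool:
    return pow(sig, E, N) == digest_int(manifest)

def make_manifest(url: str, payload: bytes) -> bytes:
    """Constructed manifest layout with hypothetical element names."""
    h = hashlib.sha256(payload).hexdigest()
    return f"<update><location>{url}</location><sha256>{h}</sha256></update>".encode()

def hash_only_check(manifest: bytes, payload: bytes) -> bool:
    """Weak: the expected hash is read from the same unauthenticated manifest."""
    expected = ET.fromstring(manifest).findtext("sha256")
    return hashlib.sha256(payload).hexdigest() == expected

def signed_check(manifest: bytes, sig: int, payload: bytes) -> bool:
    """Authenticate the raw manifest bytes first; only then parse and trust its hash."""
    return signature_ok(manifest, sig) and hash_only_check(manifest, payload)

# Constructed sample data
GOOD_BIN = b"legitimate installer bytes"
GOOD_MANIFEST = make_manifest("https://updates.example/good.exe", GOOD_BIN)
GOOD_SIG = publisher_sign(GOOD_MANIFEST)
SPOOFED_BIN = b"substituted installer bytes"
SPOOFED_MANIFEST = make_manifest("https://mirror.example/other.exe", SPOOFED_BIN)

if __name__ == "__main__":
    print("hash-only accepts spoofed pair:", hash_only_check(SPOOFED_MANIFEST, SPOOFED_BIN))
    print("signed check accepts spoofed pair:", signed_check(SPOOFED_MANIFEST, GOOD_SIG, SPOOFED_BIN))
```

A party that can rewrite the manifest can always make its embedded hash match the substituted file, so only a signature checked against a key the updater already holds distinguishes the two manifests.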