Notepad++ has a new hosting provider.
Its developer disclosed this as part of a status update on an attack it endured last year.
Between June and November, users were targeted through WinGUp, the built-in update manager.
This tool does not fetch the updates directly. It connects to a URL that serves an XML file containing the download link.
By compromising the shared server hosting this URL, third parties—described as “probably” in league with China—were able to intercept the traffic. They then modified the download link and thus distributed malicious files… which the update manager did not sufficiently verify for authenticity.
At the beginning of September, after a maintenance operation (update of the kernel and the firmware), the attackers lost access to the server. They nevertheless retained, for several weeks, the credentials for the hosted services.
The campaign is believed to have ended on November 10. A handful of victims are known, all with interests in East Asia. This is a possible consequence of the Notepad++ developer’s political statements: a number of new versions were indeed accompanied by messages of support for the Uyghurs or for Taiwan’s independence.
Notepad++, strengthened in multiple stages
Notepad++ version 8.8.8, released mid‑November, introduced the first fix. It forces the domain prefix of the URL to prevent on-the-fly modification.
In early December, the 8.8.9 release strengthened the authenticity and integrity validation of downloaded files.
The 8.9.2 release, expected in about a month, will add verification of the certificate and the signature of the XML file.
The 8.8.7 release introduced the signing of all binaries (including WinGUp) with a GlobalSign certificate. Since then, there is no longer a need to install Notepad++’s root certificate. This has helped avoid false positives (there have been reports of blocks by Avast, Defender, Trellix, etc.).
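To make the first two hardening steps concrete, here is an added example (not code from Notepad++ or WinGUp) of an updater that pins the download link from the XML to one origin and checks the downloaded file against an expected digest. The XML layout, the host and path values, and the function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

# Assumptions for illustration: the pinned origin is a placeholder.
PINNED_HOST = "downloads.example.org"
PINNED_PATH = "/releases/"

# Constructed sample manifest (hypothetical layout, not WinGUp's real schema).
SAMPLE_MANIFEST = b"""<Update>
  <Version>1.2.3</Version>
  <Location>https://downloads.example.org/releases/app-1.2.3-installer.exe</Location>
</Update>"""


def validated_download_url(manifest_xml: bytes) -> str:
    """Return the manifest's download URL only if it stays on the pinned origin."""
    url = (ET.fromstring(manifest_xml).findtext("Location") or "").strip()
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("download URL must use https")
    # Compare the parsed host, not a string prefix of the URL: a prefix test
    # also accepts look-alike hosts and URLs that carry a userinfo part.
    if parts.hostname != PINNED_HOST or parts.username is not None:
        raise ValueError("download URL leaves the pinned host")
    if parts.port not in (None, 443):
        raise ValueError("unexpected port")
    # Decode percent-escapes before looking for parent-directory segments.
    segments = unquote(parts.path).split("/")
    if not parts.path.startswith(PINNED_PATH) or ".." in segments:
        raise ValueError("download URL leaves the pinned path")
    return url


def digest_matches(data: bytes, expected_sha256_hex: str) -> bool:
    """Integrity check. The expected digest must come from a source the
    manifest server cannot alter (for example a signed manifest)."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex.lower())
```

Pinning the origin only limits where a tampered manifest can point. The digest check is only as trustworthy as the channel that delivers the expected value, which is why signing the XML itself is the remaining step.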
For additional reading, a piece on protestware (the hijacking of software for political purposes) published shortly after the start of the war in Ukraine.