Notepad++ Updates Hijacked: What Users Need to Know

Notepad++ users may have unknowingly downloaded a malicious update after the app’s servers were hijacked for six months. According to developer Don Ho, the attack, which lasted from June to December 2025, was likely orchestrated by a state-sponsored group. This breach allowed hackers to selectively target users and potentially access sensitive data, raising serious concerns about software supply chain security.

If you’ve been using Notepad++ during this period, it’s essential to verify your version and ensure you’re running the latest, secured update. Here’s what you need to know about the attack and how it could have affected users.

How the Notepad++ Hack Happened

The breach occurred on the app’s shared hosting servers, which were controlled by an unnamed provider at the time. Hackers managed to redirect traffic from specific users to malicious servers. Once redirected, victims received a compromised update instead of the legitimate version.

Cybersecurity expert Kevin Beaumont explained that the attack “may have given the hackers remote access to a victim’s keyboard.” The compromise demonstrates how software supply chains remain a prime target for sophisticated cyberattacks.

Targeted Attacks, Not Random Users

Don Ho noted that the attack involved “highly selective targeting,” meaning not every user was affected. Victims identified so far include organizations with interests in East Asia, suggesting a potential espionage motive rather than a general malware campaign.

This selective approach shows hackers are increasingly focusing on high-value targets, making supply chain attacks more dangerous than traditional malware attacks. It also underlines the importance of verifying software sources, even for widely trusted applications like Notepad++.

Steps Taken to Secure Notepad++

By December 2, 2025, all attacker access was definitively terminated, according to the developer. The Notepad++ update system has since been fortified with stronger security measures, including integrity checks and validation processes to prevent future tampering.

Users are advised to upgrade to at least version 8.8.9, which contains these security improvements. Installing updates directly from the official Notepad++ website remains the safest way to avoid potential threats.

Why This Matters for Users

Even though the hack targeted specific organizations, casual users could still have been at risk. Supply chain attacks like this one highlight how a trusted application can become a conduit for cyber espionage if proper security measures aren’t in place.

For tech enthusiasts, developers, and organizations alike, this incident is a reminder to remain vigilant. Regularly updating apps, verifying sources, and monitoring security advisories can reduce the risk of becoming a target in similar attacks.

Protecting Yourself from Future Threats

To stay safe, Notepad++ users should:

• Ensure their software is updated to version 8.8.9 or higher.

• Download updates exclusively from official sources.

• Be cautious of unusual app behavior or update prompts.

• Monitor for security advisories from reputable sources.

While the Notepad++ incident appears contained, it underscores the growing risk of software supply chain attacks. Users must take proactive steps to secure their systems and sensitive information.

The Notepad++ server hijack demonstrates how even trusted applications can be exploited for months without user knowledge. By understanding the attack, updating to secure versions, and following basic cybersecurity practices, users can safeguard themselves against future supply chain threats.