Notepad++ says it was hijacked by Chinese state-sponsored hackers

Last year, the creator of Notepad++ rolled out an update for the text and source code editor after security experts reported that bad actors were hijacking its update mechanism to redirect traffic to malicious servers. It led to users downloading compromised executables that could infect their devices. Now, Don Ho has revealed that multiple security experts investigated the breach and determined that the threat actor “is likely a Chinese state-sponsored group.” He said it explained why experts observed highly selective targeting during the campaign and why only traffic from certain users were redirected so that they would download malicious files. It’s not clear what kind of users were specifically targeted and what the files did to their devices.

The attackers started redirecting traffic from Notepad++ to their servers sometime in June 2025, and that went on until December 2. Their method involved compromising the system ...