
"'The attack involved [an] infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org,' developer Don Ho said. 'The compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself.' The exact mechanism through which this was realized is currently being investigated, Ho added."
"Specifically, the problem stemmed from the way the updater verified the integrity and authenticity of the downloaded update file, allowing an attacker who is able to intercept network traffic between the updater client and the update server to trick the tool into downloading a different binary instead. It's believed this redirection was highly targeted, with traffic originating from only certain users routed to the rogue servers and fetching the malicious components."
"The incident is assessed to have commenced in June 2025, more than six months before it came to light. Independent security researcher Kevin Beaumont revealed that the flaw was being exploited by threat actors in China to hijack networks and deceive targets into downloading malware. In response to the security incident, the Notepad++ website has been migrated to a new hosting provider."
State-sponsored attackers compromised hosting-provider infrastructure to intercept Notepad++ updater traffic destined for notepad-plus-plus.org and redirect it to malicious servers. The WinGUp updater occasionally fetched poisoned executables because its verification of the update file's integrity and authenticity could be bypassed when network traffic was intercepted. The redirection appeared highly targeted, affecting only certain users; it began in June 2025 and remained undetected for months. The shared hosting server stayed compromised until September 2, 2025, and attackers retained internal credentials until December 2, 2025. The Notepad++ website has been migrated to a new hosting provider, and investigations into the exact mechanism continue.
Read at The Hacker News