Notepad++, a free open source text and code editor for the Windows operating system, suffered an "infrastructure-level compromise" last year by threat actors seeking to deliver malware to selected users.

A post-mortem of the incident, which started in June 2025 and was reported to Notepad++ by security researchers, suggested the shared hosting server for the text editor was compromised until December 2 last year.
This was in conjunction with a vulnerability in older versions of Notepad++ discovered in 2025.
Florian Roth ⚡️ (@cyb3rops), February 2, 2026:
Rapid7 dropped a write-up on the Notepad++ update-chain abuse and - finally - it comes with real IOCs
- update.exe downloaded from 95.179.213[.]0 after notepad++.exe -> GUP.exe
- file hashes for update.exe / log.dll / BluetoothService.exe / conf.c / libtcc.dll
- network IOCs… https://t.co/VHTF3pngJn
The compromise officially came to light last year, when the Notepad++ developer Don Ho announced the release of version 8.8.9, which contained a fix for a traffic hijacking vulnerability.
"... Traffic from WinGUp (the Notepad++ updater) was occasionally redirected to malicious servers, resulting in the download of compromised executables," Ho wrote.
A weakness in the way WinGUp validated the integrity and authenticity of the update file allowed an attacker to intercept network traffic between the downloaded code and the Notepad++ infrastructure.
In turn, this could be abused by an attacker to make the updater download and run a malicious binary file instead of the expected, legitimate Notepad++ one.
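A detection check for the process chain reported above (notepad++.exe -> GUP.exe -> update.exe), added here as an example and not taken from Rapid7 or the Notepad++ project. The event fields, the sample events and the expected installer file-name pattern are assumptions made for illustration.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Assumption: the legitimate updater launches an installer named like
# npp.<version>.Installer[.x64|.arm64].exe; tune this to your environment.
EXPECTED_CHILD = re.compile(
    r"^npp\.\d+(\.\d+)*\.installer(\.(x64|arm64))?\.exe$", re.I)

# Constructed process-creation events (pid, ppid, image); not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Notepad++\notepad++.exe"},
    {"pid": 110, "ppid": 100, "image": r"C:\Program Files\Notepad++\updater\GUP.exe"},
    {"pid": 120, "ppid": 110,
     "image": r"C:\Users\a\AppData\Local\Temp\npp.8.9.1.Installer.x64.exe"},
    {"pid": 200, "ppid": 1, "image": r"C:\Program Files\Notepad++\notepad++.exe"},
    {"pid": 210, "ppid": 200, "image": r"C:\Program Files\Notepad++\updater\GUP.exe"},
    {"pid": 220, "ppid": 210, "image": r"C:\Users\b\AppData\Local\Temp\update.exe"},
    {"pid": 300, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 310, "ppid": 300, "image": r"C:\Users\b\Downloads\update.exe"},
]


def name(event):
    """Lower-cased file name of the event's process image."""
    return basename(event["image"]).lower()


def suspicious_updater_children(events):
    """Return events where GUP.exe, itself started by notepad++.exe, launched
    a child whose file name is not an expected Notepad++ installer."""
    by_pid = {e["pid"]: e for e in events}  # ignores PID reuse for brevity
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None or name(parent) != "gup.exe":
            continue
        grandparent = by_pid.get(parent["ppid"])
        if grandparent is None or name(grandparent) != "notepad++.exe":
            continue
        if not EXPECTED_CHILD.match(name(e)):
            hits.append(e)
    return hits


if __name__ == "__main__":
    for hit in suspicious_updater_children(SAMPLE_EVENTS):
        print("ALERT: unexpected child of GUP.exe:", hit["image"])
```

A file-name check alone will not catch a malicious binary that reuses the installer's name, so pair it with signature status and download source from the same telemetry.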
Unnamed Chinese state-sponsored threat actors selectively targeting specific Notepad++ users are thought by security researchers to be behind the attack.
Notepad++ has now moved to a new hosting provider with "significantly stronger security practices" so as to prevent a repeat of the compromise.
Better certificate and signature verification has been added to the WinGUp updater to ensure the integrity of the downloaded Notepad++ installer.
Notepad++ version 8.9.1 contains the security fixes, and Ho suggested updating the text editor manually as well.
Update: Security vendor Rapid7 has published its research into what it said was a "sophisticated compromise of the infrastructure hosting Notepad++".
Rapid7 attributed the attack to a Chinese advanced persistent threat (APT) group codenamed Lotus Blossom, which has been active since 2009, based on technical aspects from earlier activity.
Lotus Blossom sought to deliver an undocumented backdoor in the attack, named Chrysalis, but Rapid7 said it has no evidence that bulk data exfiltration took place, only selective access.