Notepad++ Hijacked Incident Update
WinGUp updates were selectively redirected. Learn how to verify signatures and safely upgrade to v8.9 or later.
During the Notepad++ Hijacked Incident, update requests from the WinGUp updater were redirected for a subset of users. As a result, compromised binaries could be delivered instead of legitimate installers. Since then, Notepad++ has significantly hardened the update process with signature and certificate checks.
Notepad++ Hijacked Incident Update – what happened?
Notepad++ reports a targeted supply-chain incident in which attackers manipulated update traffic so that specific victims were redirected to malicious servers. Based on the current understanding, the core issue was not a classic code vulnerability in the editor itself, but rather a combination of infrastructure compromise and insufficiently strict update validation in older update paths.
The official update with background information and the current status of the investigation is available here: Notepad++ Hijacked by State-Sponsored Hackers.
Security researcher Kevin Beaumont reported that the manipulated update traffic was abused in the wild to trick selected targets into downloading malware. Multiple reports attribute the activity to China-linked actors and name “Violet Typhoon” (also tracked as APT31), with a focus on telecommunications and financial services organizations in East Asia. This should be treated as an attribution rather than a definitively confirmed actor identification.
Timeline and assessment
The publicly known details so far point to a campaign spanning several months. What matters most is that the redirection affected only a small, selectively chosen subset of update requests, which made detection more difficult.
- Observed activity began in summer 2025, with indications of selective redirects as early as June 2025
- The compromised hosting context was reportedly at least partially cleaned up by autumn 2025, while certain access paths could still be abused into December 2025
- Starting in November and December 2025, Notepad++ gradually rolled out technical countermeasures in the updater and signature verification
- Additional security improvements followed in late December 2025 and in subsequent releases
Which releases materially improved security
Notepad++ secured its update mechanism in multiple stages. The most relevant changes are those related to verification of downloaded installers.
- Notepad++ v8.8.9 introduces stricter verification by checking both the installer’s signature and certificate during the update process. If the checks fail, the update is aborted.
- Notepad++ v8.9 also removes the use of a self-signed certificate and relies exclusively on a legitimate certificate. In addition, a security error log for update issues is generated automatically.
- To verify integrity and match artifacts, use the official release artifacts and checksums published on GitHub Releases.
What users and organizations should do now
The most important step is to move away from older update paths and upgrade to a version that consistently enforces signature and certificate verification.
- Manually upgrade to a current Notepad++ version and obtain installation files only from official sources.
- Where possible, verify the installer’s digital signature and compare checksums against the official release artifacts.
- If a self-signed root certificate for Notepad++ was installed in the past, remove it and clean up the trust chain.
- In enterprise environments, tune telemetry and EDR rules to detect suspicious process chains around update workflows, especially when installers are launched from temporary directories.
- If an update is aborted, review the security error log and centrally correlate suspicious anomalies.
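One way to express the process-chain check from the list above, as an added example that is not code from this article or from the Notepad++ project. It assumes the WinGUp process is named gup.exe, that events carry Sysmon-style `Image`/`ParentImage` fields plus an EDR-supplied signature verdict, and that `EXPECTED_SIGNER` is a placeholder for the publisher shown on the official release; all paths and events are constructed.

```python
import ntpath

# Assumptions (not from the article): WinGUp runs as gup.exe, events carry
# Sysmon-style Image/ParentImage fields plus an EDR signature verdict, and
# EXPECTED_SIGNER is a placeholder for the publisher on the official release.
UPDATER_NAMES = {"gup.exe"}
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
EXPECTED_SIGNER = "PLACEHOLDER-PUBLISHER"

def basename(path):
    # ntpath splits on backslashes regardless of the analyst's own OS.
    return ntpath.basename(path).lower()

def classify(event):
    """Return None, 'review' or 'alert' for one process-creation event."""
    if basename(event.get("ParentImage", "")) not in UPDATER_NAMES:
        return None  # not part of the update workflow
    image = event.get("Image", "").lower()
    from_temp = any(marker in image for marker in TEMP_MARKERS)
    signed_ok = (event.get("SignatureStatus") == "Valid"
                 and event.get("Signer") == EXPECTED_SIGNER)
    if from_temp and not signed_ok:
        return "alert"   # updater started an unverified binary from a temp dir
    if from_temp or not signed_ok:
        return "review"  # one signal only: keep for central correlation
    return None

def triage(events):
    """Map each flagged event's Image path to its verdict."""
    return {e["Image"]: v for e in events if (v := classify(e))}

# Constructed sample events, not taken from the incident.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Notepad++\updater\gup.exe",
     "Image": r"C:\Users\alice\AppData\Local\Temp\npp.Installer.exe",
     "SignatureStatus": "Valid", "Signer": EXPECTED_SIGNER},
    {"ParentImage": r"C:\Program Files\Notepad++\updater\gup.exe",
     "Image": r"C:\Users\bob\AppData\Local\Temp\setup.exe",
     "SignatureStatus": "Unsigned", "Signer": ""},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\bob\AppData\Local\Temp\other.exe",
     "SignatureStatus": "Unsigned", "Signer": ""},
]

if __name__ == "__main__":
    for image, verdict in triage(SAMPLE_EVENTS).items():
        print(f"{verdict:6} {image}")
```

Replace the placeholder publisher with the signer observed on an installer downloaded from the official release page before using the verdicts for alerting.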
What remains unclear
Notepad++ notes that the precise technical method used for traffic redirection is still under investigation. This keeps key questions open, including the extent to which network paths, hosting infrastructure, or upstream dependencies were exploited, and how many users were actually affected.




