The widely used text editor Notepad++ became the unwitting vector for a sophisticated cyberattack, with its update mechanism hijacked to distribute malware between June and December 2025.

While the core application remained uncompromised, the WinGUp update system was manipulated to push corrupted executables to a subset of users. Independent researchers have linked the operation to a state-sponsored group, though the exact motives remain unclear.

The developer, Don Ho, has since reinforced security measures on both the official website and update infrastructure. Users are now advised to manually download version 8.9.1 to avoid potential risks, as the latest iteration includes enhanced protections against such exploits.

Notepad++ Update System Exploited in Months-Long Cyberattack

Notepad++ has been a staple for developers and power users for over two decades, offering advanced features far beyond Windows’ default Notepad. The incident underscores the growing threat of supply-chain attacks, where trusted software becomes a conduit for malicious payloads.

Ho has stated that the issue has been fully addressed, though the selective nature of the targeting suggests a calculated approach by the attackers. For those concerned, disabling auto-updates or verifying downloads via the official site remains the safest course of action.

This is not the first time third-party utilities have faced such vulnerabilities. Earlier this year, WinRAR was also targeted in a similar campaign, raising questions about the broader security posture of widely used indie software.