Notepad++ compromised by "state-sponsored hackers" — Here's what you need to do if you use the popular Notepad alternative
Notepad++, one of the most popular alternatives to the native Notepad app in Windows 11, has today published on its website a security disclosure stating that the app was "hijacked by state-sponsored hackers." If you have Notepad++ installed on your PC, you'll definitely want to read through it and make some necessary changes on your system.
The disclosure states that security experts discovered an "infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org."
It appears that the methods used are still being investigated internally, but the Notepad++ team is confident that the vulnerability lay not in the app's code but in its server hosting.
As the post states, it's believed that only certain users were targeted by a redirect to "attacker-controlled" servers that were pushing "malicious update manifests." There's no indication as to how many users were targeted.
It's claimed that this hack began in June 2025, and allegations point to a Chinese state-sponsored group of bad actors. After communicating the issue with the server hosting Notepad++, it became clear that the shared hosting server was under attack for roughly four months, ending on September 2, 2025.
However, it appears that the attackers continued to hold credentials granting access to internal services for a further three months, ending on December 2, 2025. These credentials allowed the bad actors to continue shuttling traffic to malicious servers.
Here's a blurb from the Notepad++ blog explaining the process and the eventual elimination of the vulnerability:
The attackers specifically targeted Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++. All remediation and security hardening were completed by the provider by December 2, 2025, successfully blocking further attacker activity.
Notepad++ team
As part of the process of addressing the vulnerability, Notepad++'s website has moved to a new host with stronger security. For the app itself, Notepad++'s updater "was enhanced in v8.8.9 to verify both the certificate and the signature of the downloaded installer."
I'm no security specialist, but it does seem like that sort of verification should have been in place already. Version 8.8.9 was just launched in December 2025 and came with a mention of the attack in its notes.
The Notepad++ team leaves a message at the bottom of the latest post offering an apology while urging users to download version 8.9.1 and install it manually to receive the new security enhancements.
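One way to carry out that manual check on Windows, as an added example (not code from the article or the Notepad++ project): the PowerShell script below reports whether the installed copy predates v8.8.9 and verifies the Authenticode signature of a manually downloaded installer against a signer thumbprint you supply. The default install path, the function and parameter names, and the reliance on the executable's numeric version resource are assumptions; the expected thumbprint is a value you must obtain from the project's official channel.

```powershell
param(
    # Assumption: default install location; change if Notepad++ lives elsewhere.
    [string]$InstalledExe = "$env:ProgramFiles\Notepad++\notepad++.exe",
    # Path to the installer you downloaded manually.
    [Parameter(Mandatory)][string]$InstallerPath,
    # Signer certificate thumbprint obtained out of band (not provided by the article).
    [Parameter(Mandatory)][string]$ExpectedThumbprint
)

# First release whose updater verifies certificate and signature, per the article.
$MinVersion = [version]'8.8.9'

function Get-InstalledVersion([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    # Assumption: the numeric version resource mirrors the release number.
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart)
}

function Test-InstallerSignature([string]$Path, [string]$Thumbprint) {
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    # 'Valid' means the file hash matches and the chain is trusted on this machine.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status '$($sig.Status)': $($sig.StatusMessage)"
        return $false
    }
    # A valid signature from the wrong publisher is still a failure: pin the signer.
    $actual   = $sig.SignerCertificate.Thumbprint
    $expected = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    if ($actual -ne $expected) {
        Write-Warning "Unexpected signer: $($sig.SignerCertificate.Subject) [$actual]"
        return $false
    }
    return $true
}

$installed = Get-InstalledVersion $InstalledExe
if ($null -eq $installed) {
    Write-Output "Notepad++ not found at $InstalledExe"
} elseif ($installed -lt $MinVersion) {
    Write-Warning "Installed $installed predates $MinVersion; update manually, not via the built-in updater."
} else {
    Write-Output "Installed $installed includes the updater verification added in $MinVersion."
}

if (Test-InstallerSignature $InstallerPath $ExpectedThumbprint) {
    Write-Output "Installer signature is valid and matches the expected signer."
} else {
    Write-Warning "Do not run this installer."
    exit 1
}
```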
With the native Windows Notepad app getting more jammed up with AI all the time, and now Notepad++ falling victim to an attack, you might want to try something like Legacy Notepad, an open-source and free alternative available on GitHub.
Do you use Notepad++? Or are you sticking with native Notepad? What about a different alternative? Let me know in the comments section!
Cale Hunt brings to Windows Central more than nine years of experience writing about laptops, PCs, accessories, games, and beyond. If it runs Windows or in some way complements the hardware, there’s a good chance he knows about it, has written about it, or is already busy testing it.