The "TLDR", copied and pasted:
According to the former hosting provider, the shared hosting server was compromised until September 2, 2025. Even after losing server access, attackers maintained credentials to internal services until December 2, 2025, which allowed them to continue redirecting Notepad++ update traffic to malicious servers. The attackers specifically targeted the Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++. All remediation and security hardening were completed by the provider by December 2, 2025, successfully blocking further attacker activity.
Notepad++ Hijacked by State-Sponsored Hackers | Notepad++
@ericgeater First of all, thank you for sharing this update.
It’s a stark reminder of why we must constantly deepen our security knowledge. It is becoming increasingly common to see major companies, applications, and services we rely on daily being compromised.
This is a clear example of how Supply Chain attacks can leave us vulnerable; when the tools we trust are turned against us, the ripple effect can even compromise lives in critical sectors. It reinforces the fact that security isn't just a layer, but the foundation of everything we build.
This incident proves that security doesn't end with the code. It is a failure in Security Operations and Identity and Access Management. The attackers didn't break the encryption; they simply used the keys that the provider forgot to rotate after the initial compromise. It is the perfect example of why Zero Trust is necessary: never assume an update is safe just because it comes from the correct domain.
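The point above (trust the signature on the update, not the domain it was downloaded from) is what an update client looks like when it is done right. The following is an added illustration written for this thread, not code from Notepad++ or from any post here. It assumes a publisher-held Ed25519 key whose public half is pinned in the client, a small manifest that carries the version and the SHA-256 of the installer, and constructed sample bytes standing in for the installer; the key pair is generated on the spot only so the example runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Distinct errors so logs and telemetry can tell a forged or unsigned manifest
// apart from an installer that was swapped in transit.
var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned key: refusing update")
	ErrHashMismatch = errors.New("downloaded installer does not match the signed manifest: refusing update")
)

// Manifest is what the update endpoint serves. Only a manifest whose
// signature checks out against the pinned public key is ever trusted.
type Manifest struct {
	Version string
	SHA256  string // hex-encoded digest of the installer bytes
}

// encode produces the exact bytes that are signed. A fixed canonical layout
// keeps signer and verifier from disagreeing about what was signed.
func (m Manifest) encode() []byte {
	return []byte(m.Version + "\n" + m.SHA256 + "\n")
}

// ManifestFor is the publisher side: compute the digest of the release artifact.
func ManifestFor(version string, installer []byte) Manifest {
	sum := sha256.Sum256(installer)
	return Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])}
}

// SignManifest runs on the release machine with the private key. The download
// host never holds this key, so a hijacked host cannot mint valid manifests.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.encode())
}

// VerifyUpdate is the client-side gate. It deliberately takes no notion of
// where the bytes came from: domain, CDN or redirect target are irrelevant.
// Trust comes only from the pinned key and the digest bound to it.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, sig, installer []byte) error {
	if !ed25519.Verify(pinned, m.encode(), sig) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrHashMismatch
	}
	return nil
}

// Scenario exercises the gate with three constructed cases and reports whether
// each one was accepted: the genuine release, the same signed manifest paired
// with a different installer (what a redirected download looks like), and a
// manifest signed with some key other than the pinned one.
func Scenario() (genuineOK, swappedOK, unpinnedKeyOK bool) {
	pinnedPub, releasePriv, err := ed25519.GenerateKey(rand.Reader) // constructed publisher key
	if err != nil {
		panic(err)
	}

	genuine := []byte("constructed: bytes of the real installer, version example-1.2.3")
	m := ManifestFor("example-1.2.3", genuine)
	sig := SignManifest(releasePriv, m)
	genuineOK = VerifyUpdate(pinnedPub, m, sig, genuine) == nil

	// Same valid manifest and signature, but the installer bytes differ:
	// the digest check catches it even though the signature is fine.
	swapped := []byte("constructed: different bytes served by some other host")
	swappedOK = VerifyUpdate(pinnedPub, m, sig, swapped) == nil

	// A manifest that is internally consistent with the swapped bytes but is
	// signed with a key the client has not pinned: the signature check catches it.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed, not the pinned key
	other := ManifestFor("example-1.2.4", swapped)
	unpinnedKeyOK = VerifyUpdate(pinnedPub, other, SignManifest(otherPriv, other), swapped) == nil
	return
}

func main() {
	g, s, u := Scenario()
	fmt.Printf("genuine release accepted: %v\n", g)
	fmt.Printf("swapped installer accepted: %v\n", s)
	fmt.Printf("manifest under unpinned key accepted: %v\n", u)
}
```

The shape matters more than the algorithm: the digest is bound to the version inside a signed manifest, the signing key lives only on the release machine, and the client pins the public key rather than deriving trust from TLS or the hostname. With that in place, redirecting the download traffic, as described in the TLDR, yields bytes the client refuses to install.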
Thank you, @Aykar. The fallout from this breach seems to keep coming. Rapid7 did an IOC review on its blog, if you'd like to see a deeper dive.
Gonna sheepishly admit I am glad to have dragged my feet on my Notepad++ upgrade -- this time.