Supply-Chain Hijacking of Notepad++ Updates via Hosting Provider Compromise (Campaign)

Between June and late 2025, threat actors compromised Notepad++'s shared hosting provider and selectively hijacked update traffic to serve malicious update manifests to targeted users. Multiple researchers assess the activity as likely Chinese state-sponsored; attackers lost server access by early September 2025 but retained credentials until early December. The incident was remediated by December 2, 2025, and Notepad++ migrated hosting and strengthened update verification.