2026-02-02
Following the security disclosure published in the v8.8.9 announcement
https://notepad-plus-plus.org/news/v889-released/
the investigation has continued in collaboration with external experts and with the full involvement of my (now former) shared hosting provider.
According to the analysis provided by the security experts, the attack involved infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org. The exact technical mechanism remains under investigation, though the compromise occured at the hosting provider level rather than through vulnerabilities in Notepad++ code itself. Traffic from certain targeted users was selectively redirected to attacker-controlled served malicious update manifests.
The incident began from June 2025. Multiple independaent security researchers have assessed that the threat acotor is likely a Chinese state-sponsored group, which would explain the highly selective targeting obseved during the campaign.
An incident-response (IR) plan was proposed by the security expert, and I facilitated direct communication between the hosting provider and the IR team. After the IR team engaged with the provider and reviewed the situation, I received the following detailed statement from the provider:
