Overview
- Project maintainer Don Ho disclosed that update traffic was intercepted at the hosting-provider level, with some users redirected to malicious manifests.
- The campaign began in June 2025 and, by the maintainer’s estimate (which combines several assessments), persisted until December 2, 2025, when the attacker’s access was terminated.
- The hosting provider reported that the shared server was directly compromised until September 2, 2025; after that, misused internal-service credentials enabled selective redirection of update traffic through December 2.
- Multiple independent researchers assess the actor as likely China-linked, with limited targeting that included telecom and financial organizations in East Asia.
- Notepad++ migrated to a new host and hardened WinGUP: certificate and signature checks arrived in v8.8.9, update XML is now signed, and enforcement is slated for v8.9.2.
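The last point turns on the gap between shipping a signature check and enforcing it. The following is an added illustration, not WinGUP’s own code or schema: the manifest format, the Ed25519 key and the URLs are all constructed for the example. It verifies the detached signature over the raw XML before parsing, and shows that an audit-only check still hands back a tampered manifest.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/xml"
	"errors"
	"fmt"
	"strings"
)

// Manifest is a constructed, minimal update descriptor for this
// example; it is not WinGUP's real XML schema.
type Manifest struct {
	XMLName xml.Name `xml:"update"`
	Version string   `xml:"version"`
	URL     string   `xml:"url"`
}

var ErrBadSignature = errors.New("update manifest: signature invalid")

// LoadManifest checks the detached signature over the raw XML bytes
// before anything is parsed. With enforce=true a bad signature is fatal;
// with enforce=false the mismatch is only logged and the (possibly
// hijacked) manifest is still returned.
func LoadManifest(pub ed25519.PublicKey, raw, sig []byte, enforce bool) (*Manifest, error) {
	if !ed25519.Verify(pub, raw, sig) {
		if enforce {
			return nil, ErrBadSignature
		}
		fmt.Println("audit mode: signature mismatch, continuing")
	}
	var m Manifest
	if err := xml.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	return &m, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair
	raw := []byte(`<update><version>8.9.2</version><url>https://example.invalid/npp.exe</url></update>`)
	sig := ed25519.Sign(priv, raw)
	// Model an in-path swap of the manifest body: the bytes change, the signature does not.
	tampered := []byte(strings.Replace(string(raw), "example.invalid", "attacker.invalid", 1))
	if _, err := LoadManifest(pub, tampered, sig, true); err != nil {
		fmt.Println("enforce mode rejected tampered manifest:", err)
	}
	if m, err := LoadManifest(pub, raw, sig, true); err == nil {
		fmt.Println("accepted version", m.Version)
	}
}
```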