Don Ho, maintainer of the open-source text and code editor Notepad++, announced on February 2, 2026, that a state-sponsored threat actor had compromised the software’s update supply chain for almost six months. “The exact technical mechanism remains under investigation, though the compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself.”

Investigation by the hosting provider suggests that the threat actor began hijacking update traffic in targeted attacks in June 2025. The third-party shared hosting server remained compromised until a kernel and firmware update on September 2, and attacks continued until November 10, as the attackers still held credentials to internal services until December 2.

Ho first disclosed that updater traffic was being redirected to malicious servers on December 9, adding that in Notepad++ v8.8.9 the application and updater “have been hardened to verify the signature & certificate of downloaded installers during the update process.” Notepad++ facilitated communication between the hosting provider and an incident response (IR) team to implement an IR plan proposed by a consulting cybersecurity expert.

Ho recommends manually downloading and installing v8.9.1, also noting that “the Notepad++ website has been migrated to a new hosting provider with significantly stronger security practices. Within Notepad++ itself, WinGup (the updater) was enhanced in v8.8.9 to verify both the certificate and the signature of the downloaded installer. Additionally, the XML returned by the update server is now signed (XMLDSig), and the certificate & signature verification will be enforced starting with upcoming v8.9.2.”
This is an open discussion on this news piece.
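The hardening Ho describes (a signed update manifest plus signature and hash verification of the installer before it is run) modelled as an added example; this is illustrative Go code written for this page, not WinGup's or Notepad++'s implementation. It uses a detached Ed25519 signature over the manifest bytes in place of XMLDSig, and the manifest element names, URLs and installer bytes are constructed assumptions.

```go
package main
import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/xml"
	"errors"
	"fmt"
)
// Manifest is a constructed stand-in for the update server's XML; element names are assumptions.
type Manifest struct {
	Version string `xml:"version"`
	URL     string `xml:"url"`
	SHA256  string `xml:"sha256"`
}

// BuildSignedManifest is the release side: it binds the installer's SHA-256 into the manifest
// and signs the manifest bytes (a detached Ed25519 signature standing in for XMLDSig).
func BuildSignedManifest(priv ed25519.PrivateKey, version, url string, installer []byte) (manifest, sig []byte) {
	sum := sha256.Sum256(installer)
	manifest = []byte(fmt.Sprintf("<update><version>%s</version><url>%s</url><sha256>%x</sha256></update>", version, url, sum[:]))
	return manifest, ed25519.Sign(priv, manifest)
}

// VerifyUpdate is the client side: no manifest field is trusted until the signature verifies under
// the pinned vendor key, and the installer must match the hash the signed manifest vouches for.
func VerifyUpdate(pub ed25519.PublicKey, manifest, sig, installer []byte) (*Manifest, error) {
	if !ed25519.Verify(pub, manifest, sig) {
		return nil, errors.New("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := xml.Unmarshal(manifest, &m); err != nil {
		return nil, err
	}
	if sum := sha256.Sum256(installer); fmt.Sprintf("%x", sum[:]) != m.SHA256 {
		return nil, errors.New("installer hash mismatch: refusing to run installer")
	}
	return &m, nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	installer := []byte("constructed installer bytes") // stand-in for the real installer file
	manifest, sig := BuildSignedManifest(priv, "8.9.1", "https://example.invalid/npp.exe", installer)
	_, okErr := VerifyUpdate(pub, manifest, sig, installer)
	// Hosting-level hijack: the download URL is rewritten, but the signature covers the original bytes.
	_, hijackErr := VerifyUpdate(pub, bytes.Replace(manifest, []byte("example"), []byte("attacker"), 1), sig, installer)
	fmt.Println("genuine accepted:", okErr == nil, "| hijacked rejected:", hijackErr != nil)
}
```

A party controlling the hosting can rewrite bytes in transit, as in the hijack case above, but cannot forge either check without the vendor's private key; the public key must be pinned in the client rather than fetched from the same server.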
