a chinese state-sponsored group compromised notepad++’s hosting provider and used the WinGUp updater to push malicious updates. the attack ran from june to december 2025. versions before 8.8.9 were affected.
when i saw this, my first thought was “how many of our machines have notepad++?” the answer: four. every windows machine in the homelab.
the check
# verifies the Authenticode signature on the installed binary; Status should be Valid and the signer should be Notepad++'s certificate
Get-AuthenticodeSignature "C:\Program Files\Notepad++\notepad++.exe"
all four machines: version 8.9.1, valid digital signature, thumbprint 1E8E0D13B608BA908572C1A908572C.... post-disclosure versions. all clean.
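the same check, written up as an added example (not from the original post) so it can run on every windows box at once: it reports version and signature for notepad++.exe and for the WinGUp updater binary, and flags anything below 8.8.9. it assumes the default install path, that the updater lives at updater\GUP.exe, and that FileVersionRaw mirrors the release number; the hostnames at the bottom are placeholders.

```powershell
# Added example, not the post's own code. Checks a Notepad++ install the way the
# note above does (version + Authenticode), and also covers the updater binary
# the attack abused. Assumptions: default install path, updater at updater\GUP.exe,
# FileVersionRaw reflecting the release number.
function Test-NotepadPlusPlusInstall {
    param(
        [string]$InstallDir = "C:\Program Files\Notepad++",
        # first version the post reports as unaffected by the hijacked updater
        [version]$MinimumSafeVersion = "8.8.9",
        # optional: full thumbprint copied from a known-good machine; when set,
        # a valid signature from a different signer is still flagged
        [string]$ExpectedThumbprint
    )
    foreach ($rel in @("notepad++.exe", "updater\GUP.exe")) {
        $path = Join-Path $InstallDir $rel
        if (-not (Test-Path $path)) {
            [pscustomobject]@{ File = $rel; Version = $null; Signature = $null; Thumbprint = $null; Verdict = "missing" }
            continue
        }
        $ver   = (Get-Item $path).VersionInfo.FileVersionRaw
        $sig   = Get-AuthenticodeSignature $path
        $thumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }

        $problems = @()
        if ($sig.Status -ne 'Valid') { $problems += "signature $($sig.Status)" }
        if ($ExpectedThumbprint -and $thumb -ne $ExpectedThumbprint) { $problems += "unexpected signer" }
        # only the editor carries the release number the advisory keys on
        if ($rel -eq "notepad++.exe" -and $ver -lt $MinimumSafeVersion) {
            $problems += "version $ver below $MinimumSafeVersion"
        }

        [pscustomobject]@{
            File = $rel; Version = $ver; Signature = $sig.Status; Thumbprint = $thumb
            Verdict = if ($problems) { $problems -join '; ' } else { 'ok' }
        }
    }
}

# run locally, or fan out to the lab (placeholder hostnames):
# Invoke-Command -ComputerName pc1,pc2,pc3,pc4 -ScriptBlock ${function:Test-NotepadPlusPlusInstall} | Format-Table
Test-NotepadPlusPlusInstall | Format-Table -AutoSize
```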
the attack exploited the update mechanism, not the editor itself. if you updated after the disclosure (december 2025), you’re safe. the latest version (8.9.2) adds a “Double-Lock Update Security” feature to prevent future hosting compromises.
still need to update all four machines to 8.9.2. added it to the task list.
supply chain attacks are the most annoying threat model because they turn your update hygiene against you. the people who got hit were the ones doing the responsible thing — keeping their software current.
nyan