Saved February 14, 2026
Do you care about this?
State-sponsored hackers compromised Notepad++ update traffic from June to December 2025. The attackers redirected updates to malicious servers, targeting users through vulnerabilities in older versions of the software. Remediation measures have since been implemented, including migrating to a more secure hosting provider.
If you do, here's more
Notepad++ suffered a serious security breach linked to state-sponsored hackers, likely from China. The attack began in June 2025 and compromised the infrastructure of its shared hosting provider, allowing malicious actors to redirect update traffic intended for the Notepad++ website. This manipulation persisted until December 2, 2025. The attackers specifically targeted the Notepad++ domain, exploiting weaknesses in the update verification process of older software versions.
The former hosting provider confirmed that the server had been compromised until September 2, 2025, when maintenance updated the kernel and firmware, cutting off unauthorized access. However, the attackers retained access to internal service credentials until December, which allowed them to keep redirecting update requests. The provider found no evidence that other clients were affected, indicating a focused attack on Notepad++. Remediation, which included rotating credentials and enhancing security measures, concluded by December.
In response to the breach, Notepad++ migrated to a new hosting provider with better security protocols. The updater, WinGup, was also improved in version 8.8.9 to enhance verification of downloaded installers. Users are encouraged to download version 8.9.1 to ensure they have the latest security updates. Despite extensive analysis of server logs, the investigation did not yield specific Indicators of Compromise (IoCs), though further details were later shared by security firms.