Notepad++ developer addresses security concerns following state-sponsored cyber attack

Don Ho, the main maintainer of the widely used text editor Notepad++, has publicly addressed a security breach affecting the software’s update mechanism, first disclosed in December 2025. In a recent blog post, Ho confirmed that the compromise, centered on the internal update component known as WinGUp, has been resolved through a migration to a more secure hosting provider and the implementation of enhanced cryptographic safeguards. The incident, which potentially exposed user data between June and December 2025, was triggered by a vulnerability allowing attackers to intercept and redirect update traffic, potentially forcing users to download malicious binaries instead of legitimate updates.

Independent security analyses indicate the breach was likely orchestrated by a Chinese state-sponsored group, explaining the highly targeted nature of the campaign. Ho shared correspondence from the former hosting provider, which confirmed suspicious activity on the update server’s PHP endpoint (getDownloadUrl.php) and noted that while the underlying vulnerability was patched on September 2, 2025, attackers retained access until December 2, when Notepad++ services were fully migrated. Ho apologized to affected users and emphasized that such an incident will not recur, citing the strengthened verification protocols now in place: since version 8.8.9, WinGUp validates both the certificate and digital signature of downloaded installers. The next release, version 8.9.2, due in approximately one month, will enforce mandatory XML signature (XMLDSig) verification for update metadata, building on security improvements already introduced in version 8.9.1, released January 26, 2026.
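Why signed update metadata closes the redirect path described above, as an added example that is not Notepad++ or WinGUp code: the client verifies a signature over the raw metadata before it trusts the download URL inside it, then binds the downloaded file to that metadata. The element names, host, file contents and the textbook-RSA key are constructed assumptions; the RSA stands in for XMLDSig and the hash pin stands in for the installer certificate and signature check.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed demo key: textbook RSA over two Mersenne primes. Insecure by design;
# it only stands in for the publisher's real signing key and for XMLDSig.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known to the publisher only


def digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def publisher_sign(metadata: bytes) -> int:
    """Publisher side: sign the exact metadata bytes that will be served."""
    return pow(digest_int(metadata), D, N)


def client_update(metadata: bytes, signature: int, fetch) -> bytes:
    """Updater side: return installer bytes only if every check passes."""
    # 1. Verify the signature over the raw bytes before parsing anything in them,
    #    so a rewritten download URL is rejected before it is ever followed.
    if not 0 < signature < N or pow(signature, E, N) != digest_int(metadata):
        raise ValueError("update metadata signature invalid")
    root = ET.fromstring(metadata)
    url, expected = root.findtext("Location"), root.findtext("Sha256")
    # 2. Bind the downloaded file to the signed metadata (stand-in for the
    #    installer certificate and signature check).
    installer = fetch(url)
    if hashlib.sha256(installer).hexdigest() != expected:
        raise ValueError("installer does not match signed metadata")
    return installer


# Constructed sample data: hypothetical element names, host and file contents.
URL = "https://updates.example.invalid/installer.exe"
INSTALLER = b"constructed installer bytes"
METADATA = (
    f"<Update><Location>{URL}</Location>"
    f"<Sha256>{hashlib.sha256(INSTALLER).hexdigest()}</Sha256></Update>"
).encode()
SIGNATURE = publisher_sign(METADATA)

if __name__ == "__main__":
    print(len(client_update(METADATA, SIGNATURE, {URL: INSTALLER}.__getitem__)))
```

A production updater would use a vetted XMLDSig and code-signing implementation with a pinned publisher key rather than this teaching-sized scheme.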

This is not the first time Ho has faced geopolitical controversy. In 2019, he drew ire from Chinese nationalists after naming Notepad++ version 7.8.1 “Free Uyghur” and version 7.8.9 , a move that sparked coordinated spam attacks on his GitHub repository. At the time, Ho acknowledged the risks of intertwining politics with software, noting that commercial entities typically avoid such stances. Yet, his commitment to both technical integrity and personal principles remains evident in his handling of this latest incident, balancing transparency, accountability, and proactive security enhancements without compromising user trust.

The breach underscores the growing sophistication of supply-chain attacks targeting open-source software and highlights the critical need for robust update verification mechanisms. Ho’s response, which was prompt, technical, and transparent, sets a benchmark for maintainers of widely deployed tools. As Notepad++ continues to serve millions globally, its resilience against future threats now rests on reinforced infrastructure and cryptographic controls, ensuring that updates remain both secure and trustworthy.

by Paul

Notepad++ is a free, open-source code editor and Notepad replacement designed for efficiency and versatility. It supports multiple programming languages and offers features like code formatting, a portable version, and a tabbed interface for easy navigation. Known for its high speed and low resource usage, Notepad++ is privacy-focused and supports plugin extensibility for enhanced functionality.
