How did this attack happen?

This hacking took place between June 2025 and December 2025. Attackers caught hold of a flaw in Notepad++’s legacy updating tool (WinGUp) and exploited it.

The biggest thing is that instead of harassing everyone, he targeted only some specific people. Whenever these people tried to update the software, they were redirected to a fake and dangerous server instead of the real website, from where virus files were downloaded to their computers.

All this happened because the server on which the update files were kept was hacked. In the middle of the month of September, when the server was updated, the hackers were out for once, but they still had the old passwords and keys, with the help of which they were able to enter the system again.

Steps taken for security

The team of Notepad++ has assured that this threat has now been completely eliminated and the system is now more secure than ever. To strengthen security, the company has shifted its entire system to a new and secure server. Also, in the new version (v8.8.9) released in December, all the old shortcomings have been fixed and now every file is secured with the company’s digital seal. In the upcoming updates, security checks will be made even more stringent, so that the software cannot be updated without correct identification.

Important advice for users

Security expert Kevin Beaumont has warned that espionage activities have been observed in the systems of some organizations after the attack. Therefore, for security reasons, it is extremely important that you immediately update Notepad++ to its latest version. If you’re a developer, as a precaution, immediately change your SSH, FTP, and database passwords, and check your website admin accounts to remove unnecessary users. Also, always keep auto-update of software and plugins turned on for future security. Although this attack happened only on selected people, it is still wise to do a thorough check of your system.