Supply-Chain Hijacking of Notepad++ Updates via Hosting Provider Compromise (Campaign)

Between June and late 2025, threat actors compromised the shared hosting infrastructure used by Notepad++ and selectively hijacked update traffic destined for notepad-plus-plus.org. The attackers did not exploit vulnerabilities in Notepad++ code itself, but rather abused access at the hosting provider level to intercept and manipulate software updates. This represents a sophisticated supply chain attack targeting a widely-used text editor application through its update mechanism. The campaign demonstrates how attackers can compromise software distribution channels without directly targeting the application vendor's infrastructure.