Impact?
Hi, I read the linked post on the Notepad++ site, but can't find any references to what the implications are. Should we be looking for other malware installation? Port manipulation? etc. Anybody have more specific info?
A state-sponsored cyber criminal compromised Notepad++'s update service in 2025, according to the project's author. The admission comes after version 8.8.9 of the text editor was released on December 9. The "hardened" version verified the signature and certificate of downloaded installers during the update process. On December …
"In the meantime, it would be prudent to check and remove the previously installed Notepad++ root certificate, and manually download and install the latest release."
Ok, and how-to if it applies? I use only the portable version which shows its GlobalSign certificate.
6 months to notice and then another 2 months to notify their install base is shocking in 2025/6.
Also looks like they were hosted on a shared VPS.
Add these in:
https://github.com/notepad-plus-plus/notepad-plus-plus/issues/4071
https://github.com/notepad-plus-plus/notepad-plus-plus/issues/16806
Sorry chaps - appreciate all your hard work with this, but you're just not fit for purpose in 2026. We live in dangerous times, and you're still stuck in the 1990s.
We've wiped it on all our managed computers after this news and blocked the binary from being able to be run. Anyone who continues using this for anything beyond hobby projects on a personal PC needs their bumps feeling.
>> Sorry chaps - appreciate all your hard work with this
Notepad++ is open source?
You sound like another one of those after-the-event snipers who aimed at Log4j. You used it free of charge. You contribute nothing. And then after the event you make complaints. Instead of complaining perhaps you should have done some due diligence, seen how this project is hosted, and offered a few £$€ to get better hosting. But no.
Presumably your company's employees were using it as a productivity tool - to make profit for your company. They were not using it to make profit for Notepad++.
You probably have the wherewithal to download the Notepad++ source from Github and compile the source yourself, and require your company's employees to use that compiled version only. Here are the build instructions - https://github.com/notepad-plus-plus/notepad-plus-plus/blob/master/BUILD.md.
I have heard that Google in-house uses a lot of open software, but they always inspect and maintain their own source version (while updating from the original), and therefore compile it in house, whitelisting only those versions. I haven't heard a lot of stories about Google being hacked internally - that may be why.
What editors do you whitelist, and are none of those "Free"? Sublime is popular, but free. MS VSCode is popular and free, but with VSCode perhaps you have no control over what extensions are installed? And some of the VSCode extensions in their "Marketplace" have been known to have been malware.
There is no "might", VSCode is proprietary; https://code.visualstudio.com/license
How is something free if you pay with your freedom and your privacy up front and later with money?
It's not intended to be gratis - the intention is that you will end up paying with money too eventually.
This popped up on one of the news sites: https://itsfoss.com/notepad-next/
Open source and cross platform win/mac/*nix but according to the gitea repository still a bit rough around the edges.
Personally I never strayed from the Vi faith even using MKS Vi on msdos 3.x so notepad and clones are a bit academic for me.
Never really got my head around emacs and early on you could really run it single user mode on a unix box but you could usually get enough of a sick system up to run vi (basically a writeable /tmp eg bsd mfs.)
I'll take that as a compliment. CoFH ? :)
I would say all the potential defenêstrées with whom I dealt, if parachuted into the role would, apart from making an even bigger hash of it, also be massively more objectionable — a real ornament to their country.
The IP addresses in https://github.com/notepad-plus-plus/notepad-plus-plus/issues/16806 are as follows per ICANN
Handle: 1.3.0.0 - 1.3.255.255
Status:
active
Address Range: 1.3.0.0 - 1.3.255.255
IP version: v4
Name: CHINANET-GD
Type: ALLOCATED PORTABLE
Country Code: CN
So, is Notepad++ ACTUALLY a security hell vortex and if so for how long?
My work life and a good bit of personal using a PC life will have its suckage factor explode if I had to give it up.
My apologies I am being forced to downvote you for the incorrect information you have presented here as proof that China is involved.
Note: I am not saying that China is not involved, just that this proof is incorrect.
There are no IP addresses listed in https://github.com/notepad-plus-plus/notepad-plus-plus/issues/16806
It is possible you have confused the X.509 OID values relating to the Cert Usage as IP addresses.
From the URL:
Key Usage is currently:
Server Authentication (1.3.6.1.5.5.7.3.1)
Client Authentication (1.3.6.1.5.5.7.3.2)
Code Signing (1.3.6.1.5.5.7.3.3)
Secure Email (1.3.6.1.5.5.7.3.4)
Time Stamping (1.3.6.1.5.5.7.3.8)
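To make the distinction concrete, here is an added example (not from the GitHub issue or the Notepad++ project): it takes the five dotted-decimal strings quoted above, encodes them as the DER extKeyUsage extension they actually come from (a SEQUENCE OF OBJECT IDENTIFIER, per RFC 5280), and decodes them back to the names a certificate viewer shows. The OID-to-name map is RFC 5280's id-kp arc; the sample input is constructed. Note in the output that each arc is an integer of any size, not an octet, and that 1.3 is encoded as a single byte 0x2b (1*40+3), which is why these values have nothing to do with IPv4 addresses.

```go
package main

import (
	"encoding/asn1"
	"fmt"
	"strconv"
	"strings"
)

// ekuNames maps the Extended Key Usage OIDs quoted in the issue (the id-kp arc
// 1.3.6.1.5.5.7.3 from RFC 5280) to the names a certificate viewer displays.
var ekuNames = map[string]string{
	"1.3.6.1.5.5.7.3.1": "Server Authentication",
	"1.3.6.1.5.5.7.3.2": "Client Authentication",
	"1.3.6.1.5.5.7.3.3": "Code Signing",
	"1.3.6.1.5.5.7.3.4": "Secure Email",
	"1.3.6.1.5.5.7.3.8": "Time Stamping",
}

// parseOID turns dotted-decimal text into an ASN.1 object identifier.
// Arcs are unbounded non-negative integers, not bytes in 0..255.
func parseOID(s string) (asn1.ObjectIdentifier, error) {
	var oid asn1.ObjectIdentifier
	for _, part := range strings.Split(s, ".") {
		n, err := strconv.Atoi(part)
		if err != nil || n < 0 {
			return nil, fmt.Errorf("bad OID component %q in %s", part, s)
		}
		oid = append(oid, n)
	}
	if len(oid) < 2 {
		return nil, fmt.Errorf("OID %s needs at least two arcs", s)
	}
	return oid, nil
}

// EncodeEKUExtension builds the DER value of an extKeyUsage extension:
// SEQUENCE OF KeyPurposeId, each KeyPurposeId an OBJECT IDENTIFIER.
func EncodeEKUExtension(dotted []string) ([]byte, error) {
	var oids []asn1.ObjectIdentifier
	for _, s := range dotted {
		oid, err := parseOID(s)
		if err != nil {
			return nil, err
		}
		oids = append(oids, oid)
	}
	return asn1.Marshal(oids)
}

// DecodeEKUExtension parses that DER back and names each purpose. Unknown
// OIDs are reported in dotted form rather than silently dropped, and any
// trailing bytes are treated as an error rather than ignored.
func DecodeEKUExtension(der []byte) ([]string, error) {
	var oids []asn1.ObjectIdentifier
	rest, err := asn1.Unmarshal(der, &oids)
	if err != nil {
		return nil, err
	}
	if len(rest) != 0 {
		return nil, fmt.Errorf("%d trailing bytes after extKeyUsage", len(rest))
	}
	names := make([]string, 0, len(oids))
	for _, oid := range oids {
		if name, ok := ekuNames[oid.String()]; ok {
			names = append(names, name)
		} else {
			names = append(names, oid.String())
		}
	}
	return names, nil
}

func main() {
	// Constructed input: the Server Authentication and Code Signing purposes.
	der, err := EncodeEKUExtension([]string{"1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.3"})
	if err != nil {
		panic(err)
	}
	// 30 14 | 06 08 2b 06 01 05 05 07 03 01 | 06 08 2b 06 01 05 05 07 03 03
	fmt.Printf("DER: % x\n", der)
	names, err := DecodeEKUExtension(der)
	if err != nil {
		panic(err)
	}
	fmt.Println(names) // [Server Authentication Code Signing]
}
```

The same decoder works on the extnValue of a real certificate's extKeyUsage extension (OID 2.5.29.37) once it has been pulled out of the certificate, which is where the issue's five values come from.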
Since that whitelisting would have blocked the unrecognized updaters if you did it correctly, maybe it wasn't the tool you use they were criticizing but how you've chosen to configure it.
It's worth considering, for instance, that this wasn't something new in Notepad++ or something done to their servers. As far as we know, this vulnerability could only be exploited by a MITM attack that replaced the URL of the update binary which was then downloaded and executed. Your installation system, unless you messed up, wouldn't be vulnerable to that. But if you interpret this the way you have, then you can come to unrealistic ideas of how bad the problem was, how much it's the fault of the Notepad++ maintainers, and have a drastic conclusion. If people rely on this software and many do, then your drastic conclusion from an incorrect premise will cause problems for their work until they find a suitable replacement. Maybe you have arguments against that, but if you continue to assume that criticism was of the tool you used which it was not, you won't be making them.
I simply have zero confidence in the developers.
Would I use it on a home PC? Sure.
Am I ever going to allow it on one of our business PCs again? Not a chance.
You do you.
"the Notepad++ updater didn’t check if the update package was valid in any way - it just executed it. Also the update process used TLS.. but didn’t validate the session, so it could be hijacked to change the download". /shrug.
Notepad++ failures (but yeah - definitely the end users fault!):
Infrastructure & Hosting
Hosted on shared hosting server rather than dedicated/hardened infrastructure
Single point of failure - compromising one server gave access to entire update distribution
No network segmentation between web hosting and update delivery systems
Attacker maintained access for 6 months (June - December 2, 2025) before detection
Even after kernel/firmware update severed direct access (September 2), attackers retained credentials to internal services for another 3 months
Update Mechanism (WinGUp)
No cryptographic verification of downloaded binaries prior to v8.8.9
Updater blindly trusted whatever the server returned
No certificate pinning on update server connections
No checksum/hash verification of downloaded installers
Update manifest (XML) fetched over connection that could be intercepted/modified
Downloaded and executed arbitrary binaries based solely on server response
v8.8.7 added GlobalSign certificate but still didn't verify the downloaded installer
v8.8.8 restricted downloads to GitHub but still didn't verify the binary's signature
Three attempts (8.8.7, 8.8.8, 8.8.9) to fix the issue incrementally rather than implementing proper verification from the start
Code Signing
Previously used self-signed certificates rather than proper CA-issued certificates
Self-signed root certificate had to be manually trusted by users - trained users to accept unsigned/self-signed software
Certificate verification only enforced starting v8.8.9
No binary transparency or reproducible builds to verify authenticity
Detection & Response
No anomaly detection on update server traffic patterns
No monitoring for selective targeting/redirection of specific users
Compromise discovered by external security researchers, not internal monitoring
6 month dwell time indicates zero visibility into attack
Relied on hosting provider's incident response rather than own security team
Communication & Disclosure
Initial disclosure downplayed the issue ("not aware of any confirmed exploitation")
Took until February 2026 to release full details
Users running vulnerable versions during compromise window had no way to know they should audit their systems
No proactive outreach to enterprise users who might be targeted
Architecture Decisions
Update check happens automatically by default - increases attack surface
No option for enterprise customers to use internal update mirrors
No GPO/MDM controls for managing updates in enterprise environments
Single update channel with no redundancy or verification alternatives
PHP script on shared hosting as critical update infrastructure
Post-Compromise Guidance
Limited IOCs provided to users for self-assessment
No tooling provided to verify if a system was compromised
Relied on third-party security vendors (Rapid7, Orca) to publish detailed detection guidance
No official YARA rules, Sigma rules, or detection queries released by Notepad++ team
So Notepad++ had a security SNAFU which puts them in a very large group of FOSS and corporate software providers.
Taking 6 months to identify and resolve the attack is not nice, but by the looks of things this was quite a well resourced attack against a limited resources provider. It is also not unique for vulnerabilities and exploits to go undetected for quite a long time - the trade press is repeatedly covering them. And, this is not just a FOSS problem - it affects corporate software as well. In some ways the corporate software can be more problematic if the corporation spends more time and effort denying and obfuscating the problem because it will have an adverse impact on profits (reduced sales, having to pay the engineering staff to fix the problem and pay customer services to field more support calls).
This is a supply chain attack and the underlying problem is quite challenging. The solution is not going to be to axe small players for any lapse in a complex and adversarial field of IT (I am pretty sure you will not be axing Microsoft after the next security SNAFU - it will simply be another Patch Tuesday).
This Helldesk AC sounds like the sort of complete tosser (because of their unnecessary pile-in on Notepad++) that makes me glad I am out of the corporate hell where IT Support is all about sucking up to the Executives with personal service while the masses get a shoddy service; particularly if they happen to be in Engineering and are trying to use their computer as a tool to do engineering rather than simply generate Powerpoint presentations. No consideration of why Notepad++ was on the whitelist, or what the impact of removing it will be (beyond the fact that it makes it somebody else's problem, not ours). Yes - there might have been a need to have an immediate response - but if you have already been hit, taking out Notepad++ now would still seem to leave you with an infection problem to sort out, and you still have a problem with everything else that is on your whitelist - so this is no solution. But something must be done, and this is something.
FFS - February has got off to a depressing start. The only good news (for me) is that I had auto-update deactivated so I am running old versions of Notepad++ and avoided the troublesome period. I guess I can look forward to seeing all the improvements to Notepad++ when I install the new 'secure' version. Keep up the good work guys and ignore the loud-mouthed tossers.
I simply have zero confidence in the developers.
What's your view on Microsoft & their software including Windows OS and Office productivity apps that are known to have issues & vulnerabilities that are constantly exposed?
The Notepad++ issue appears to be targeted at certain territories, redirecting downloads to a malicious rebuild. That means most people got the correct intended version whilst some got the compromised version.
Unless you're in those territories or targeted, then it's likely the versions you & your organisation downloaded were all ok.
How do you guard against other software that could be compromised that no one knows has been compromised?
What I think is that the IT departments at a lot of companies go extremely overboard in the name of security. They disable simple functionality, or block access to stuff that employees would be able to use to make their jobs easier. I see it with the idiots at my company, now just to open our solution in Visual Studio, we have to go through a damn two factor authentication. Just getting signed in for the day to work requires at least 3 times going through that garbage.
All they do is make up new threats to justify getting their paychecks. Lock down systems, make things harder for the devs. The only phishing emails I've ever seen at work are the fake ones they send out to try to force people through more training.
Well then your systems are doing their job if you're not seeing real phishing e-mails. And I guarantee you are seeing some. You'll most likely work with other companies, like we do. It's their mailboxes that get compromised, so then the phishing e-mails get through because it's from a trusted mailbox.
So you got rid of all Microsoft products, right?
Because ultimately it's Microsoft who caused this by deciding to have an ecosystem where securely distributing your software costs $300 per year, which was really the root cause of this.
Then again, some people always prefer to blame the penniless victim while giving a lot of money to the already rich people at fault...
"Because ultimately it's Microsoft who caused this by deciding to have an ecosystem where securely distributing your software costs $300 per year, which was really the root cause of this."
Notepad++ is available through Windows Package Manager - Winget.
AFAIK, publishing software on Microsoft Store is free these days as they waived the $19 fee last year. The installation package is then signed and hosted by Micros~1. You can use either the store, or winget to install these packages. Notepad++ is not in the store.
If you don't want to use MS Store, you can also publish the software only on Windows Package Manager. If you don't sign it or just self-sign it, then the end users get warning messages during installs and updates. Signing with a proper cert of course carries a cost.
> And, being able to ignore complete threads
Or when a thread goes seriously off topic into a flame war, the ability just to collapse that entire threat would be nice. The amount of time I spend scrolling down to find where it all goes back on topic.....
Oh...now we have gone OT !!
>” the ability just to collapse that entire threat would be nice. ”
That’s so 1980s BBS.. why would you want or even need the functionality that basic off-line readers like Ameol had in the early 1990s?
Perhaps AI agents such as Copilot will detect I’m not reading or dismissing loads of stuff and simply shut it off… might be the way to get Windows free of ads etc.
So is this the deal:
If you’ve not been using the auto update but have been fetching the installer direct from the notepad++ website, you’ve been getting the proper software and no hidden nasties?
If you have been using the auto update, you may already be screwed? But that would have required the attacker to be able to fiddle with your ISP connection somehow, and is unlikely to have happened?
Is that about it?
One outstanding point. What about if you’ve downloaded and installed a plug in?
The attacker fiddled with the auto-update service, so didn't need anything to do with your ISP connection. Otherwise you've summed it up matching my understanding.
One caveat though - it appears that they were targeting specific organisations, so for the majority of users the auto-update service worked exactly as intended.
[Note that I'm not saying that any of that makes it OK. Deliberately bypassing signatures is poor practice]
updates are good for new features or bug fixes but if it ain't broke, why update?
if you have a version that predates the problem then why update?
The new update protections do seem worthwhile but then you will get them when you eventually update.
Defo worth updating if your current version is within that compromised timespan; prob not worth installing an older version as you have to be extremely sure you're getting a non-compromised version & the older installer won't tell you.
I had a look at the Notepad++ download site and there were adverts looking like the download button that were not the legitimate download further down the page.
The download page should not have any adverts on it, to avoid confusion etc.
"why did this take so long to disclose after the breach was identified?"
The report says it began in June, but unless I'm misreading it, it does not say that it was discovered then. And as the attack was specifically targeted, most users were still getting the correct update file, without any tampering.
So it wouldn't surprise me if it took a while to uncover.
The more interesting question is what else is doing this that hasn't been uncovered or disclosed yet?
After reading the various comments either praising or despising Notepad++ after the MITM event, here's a few thoughts. Firstly, Notepad++ is no doubt the Swiss army knife of the text editor world; it basically does everything you'll ever need of a text editor, and in that vein it's a very nice application, as many of the millions of users worldwide have found. However, as mentioned in other comments, it's never wise to mix politics with pleasure; in this case the author should not have been poking a big stick at the tiger unless he knew how to deal with that tiger. It was rather naive to think there wouldn't be a response!
Anyway, here lies the rub. The software written by an author may well be all secure etc.; however it's the 3rd parties managing the software (distribution etc.) that are invisible and are potentially the real danger for malware attacks. Who is to say whether the new hosting provider service he's with now won't suffer a similar issue. We've been given no information as to who it is or where they are, and are presumed to take his word that they are ok and trustworthy - maybe NOT!
The best step forward here would be to self compile the code or even to write your own in house editor code, there's a few excellent OS IDE development environments out there (my personal favourite being the Lazarus IDE) where writing a feature subset of text editor like this is relatively straight forward.
As a last note (or maybe 2 notes), firstly I just installed the latest release of NP++ and noticed that the auto-updater feature is automatically enabled on the NP++ startup - WTF !!! - hasn't he (or others) learnt their lesson from this debacle? Secondly, people have very short memories: Linux Mint had a scenario a few years ago where their repository was hacked and resulted in the system having to be reinstalled - wasn't too pleased with them either then.
If the author controls the signing keys, and changes to the auto-updater require the update to be signed, with the private key, then the hosting provider can't just slip in an (unsigned) replacement.
It seems this was down to a weakness in the supply chain, where signatures were not being checked by the updater (this is my understanding, correct me if I'm wrong). Unless someone manages to get hold of the author's private key to sign a bogus executable, they can no longer implement a MITM attack.
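The point made in the last two posts, and in the "Update Mechanism" list further up (no verification of the downloaded binary, the updater trusting whatever the server returned), is what a signed-update check looks like in practice. The following is an added example, not WinGUp's code or the Notepad++ project's: the publisher signs a small manifest (version, SHA-256 of the installer, download URL) with an Ed25519 private key held offline, and the updater, which carries only the public key, refuses to run anything unless the manifest signature verifies and the downloaded bytes hash to the signed digest. The manifest format, the key pair (generated on the spot here) and the installer bytes are all constructed for the demo; a hosting provider or on-path attacker who can swap the file, or even the manifest, cannot produce a signature that passes.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the constructed update descriptor the updater fetches. It is an
// assumption for this example, not WinGUp's real update XML.
type Manifest struct {
	Version string `json:"version"`
	SHA256  string `json:"sha256"` // hex SHA-256 of the installer bytes
	URL     string `json:"url"`
}

// SignManifest is the publisher side: it runs offline with the author's private key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (manifest, sig []byte, err error) {
	manifest, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	sig = ed25519.Sign(priv, manifest)
	return manifest, sig, nil
}

// VerifyUpdate is the client side. pub is compiled into the updater, so a
// server that has been taken over cannot change it. Two checks, in order:
//  1. the manifest signature, so only the key holder can describe an update;
//  2. the installer's digest against the signed manifest, so the bytes that
//     actually arrived are the bytes the author signed.
// Anything that fails either check is never written to disk or executed.
func VerifyUpdate(pub ed25519.PublicKey, manifest, sig, installer []byte) (*Manifest, error) {
	if !ed25519.Verify(pub, manifest, sig) {
		return nil, errors.New("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := json.Unmarshal(manifest, &m); err != nil {
		return nil, fmt.Errorf("manifest malformed: %w", err)
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || len(want) != sha256.Size {
		return nil, errors.New("manifest digest malformed")
	}
	got := sha256.Sum256(installer)
	if !bytes.Equal(got[:], want) {
		return nil, errors.New("installer digest mismatch: refusing to execute")
	}
	return &m, nil
}

// digestHex is what the publisher records in the manifest for a release.
func digestHex(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

func main() {
	// Constructed sample: the key pair is generated here for the demo; in a
	// real deployment the private key stays offline and only pub ships.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	installer := []byte("constructed stand-in for an installer binary")
	manifest, sig, _ := SignManifest(priv, Manifest{
		Version: "8.8.9", SHA256: digestHex(installer), URL: "https://example.invalid/npp.exe"})

	if m, err := VerifyUpdate(pub, manifest, sig, installer); err == nil {
		fmt.Println("genuine update accepted:", m.Version)
	}
	// The download is swapped in transit or on the server: digest check fails.
	swapped := []byte("constructed different binary")
	if _, err := VerifyUpdate(pub, manifest, sig, swapped); err != nil {
		fmt.Println("swapped installer:", err)
	}
	// The server re-signs a matching manifest with a key it controls: signature check fails.
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)
	m2, sig2, _ := SignManifest(rogue, Manifest{
		Version: "8.8.9", SHA256: digestHex(swapped), URL: "https://example.invalid/npp.exe"})
	if _, err := VerifyUpdate(pub, m2, sig2, swapped); err != nil {
		fmt.Println("rogue manifest:", err)
	}
}
```

The ordering matters: the signature is checked before the manifest is even parsed, so unsigned data never drives any decision, and the digest is taken over the full downloaded file rather than trusting the URL or the TLS session. This is independent of Authenticode: it protects the update channel even if the installer's own code-signing certificate were to be accepted blindly, as the earlier posts describe.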