

Notepad++'s update servers have been compromised by Chinese hackers and all users have been exposed to malware. The developer estimated the overall compromise period spanned from June through December 2, 2025.
Users should update to version 8.9.1 (or later) immediately.

Source: notepad-plus-plus.org/news/hij…

#security #vulnerability #windows #text #editor #notepad #foss #freesoftware #software

in reply to Lorenzo Ancora

#NotepadPP users might also seriously want to consider the option of switching to some other #TextEditor / #IDE they can trust such as #IntelliJ, #Neovim, #Eclipse or #VSCodium
(edit: added image)
in reply to Jortexed 👖

@vrtxd 👉🏾 "[...] the attack involved infrastructure-level compromise [...] at the hosting provider level rather than through vulnerabilities in Notepad++ code itself. [...] Multiple independent security researchers have assessed that the threat actor is likely a Chinese state-sponsored group".

So, the incident says nothing about the developer's reliability! 😉

in reply to Lorenzo Ancora

"The attackers specifically targeted Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++."

Yes. It was a solo developer and a hosting provider against superpower-sponsored attackers, it seems. They did their best choosing a reliable hosting provider and making the software secure, and users might still lose trust. I don't blame anyone, I'm just stating options for migration.

in reply to Lorenzo Ancora

As much as I loved Notepad++, as soon as one leaves Windows it is no longer relevant. Kate, VSCodium, and others all fill the void that was lacking in the Windows world.
in reply to John Rockefeller

@rocky1138 it depends on if the user can and wants to change OS. A single security issue on a replaceable application isn't a sufficient incentive. 😅
in reply to Lorenzo Ancora

As far as I understood, it only affected users who used the integrated upgrade function. If you only ever downloaded a new version directly from the site, there was no issue, nor did it affect anyone else except certain targeted groups. So saying all users were exposed is a slight exaggeration, though obviously anyone should still update it.
in reply to Otter Side

@OtterSide hi, unfortunately, Windows users can also use 3rd-party software updaters and download sites, in which case they might've been affected too. If in doubt, if you've downloaded or updated Notepad++ in 2025, you should upgrade ASAP. 🙂 👋
in reply to Otter Side

@OtterSide Hmm, shouldn't it be the other way round? The integrated updater could easily verify signatures that cannot be compromised by getting access to the distribution server ...
in reply to tessarakt

@tessarakt the developer noted (09/12/2025):

> "Starting with this release, Notepad++ & WinGUp have been hardened to verify the signature & certificate of downloaded installers during the update process. If verification fails, the update will be aborted".

So, verification wasn't enforced.

@OtterSide
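
The check that the two replies above describe (the updater verifying the downloaded installer's signature, and refusing anything that fails) as an added example in PowerShell. This is not Notepad++ or WinGUp code and does not describe how WinGUp implements its check; it shows the verification a client-side updater or a cautious user can perform before running an installer fetched from a distribution server. The thumbprint and subject values are placeholders the caller supplies from an out-of-band source (not the project's real certificate details), and the optional SHA-256 assumes a hash published over a separate channel.

```powershell
# Added example (not Notepad++/WinGUp code): verify a downloaded installer's
# Authenticode signature and pin the expected signer before executing it.
# Assumptions (placeholders, not real project values): the trusted signer
# thumbprint and subject are supplied by the caller from an out-of-band source.

function Test-PinnedInstallerSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # SHA-1 certificate thumbprint you trust, obtained out-of-band (placeholder)
        [Parameter(Mandatory)] [string] $ExpectedThumbprint,
        # Expected signer subject substring, e.g. 'CN=Example Publisher' (placeholder)
        [Parameter(Mandatory)] [string] $ExpectedSubject,
        # Optional SHA-256 of the file published over a separate channel
        [string] $ExpectedSha256
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Installer not found: $Path"
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 1. The signature must chain to a trusted root and the file must be unmodified.
    #    'HashMismatch' means the bytes changed after signing; 'NotSigned' means there
    #    is nothing to check, which is exactly what an attacker who controls the
    #    download server hopes the client will accept.
    if ($sig.Status -ne 'Valid') {
        Write-Error "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
        return $false
    }

    # 2. A valid signature from *any* publisher is not enough: a hijacked server can
    #    serve malware that is validly signed by someone else. Pin the signer.
    $cert = $sig.SignerCertificate
    $wanted = $ExpectedThumbprint.ToUpperInvariant().Replace(' ', '')
    if ($cert.Thumbprint -ne $wanted) {
        Write-Error "Unexpected signer thumbprint: $($cert.Thumbprint)"
        return $false
    }
    if ($cert.Subject -notlike "*$ExpectedSubject*") {
        Write-Error "Unexpected signer subject: $($cert.Subject)"
        return $false
    }

    # 3. Optional: compare against a hash obtained through a channel the
    #    distribution server does not control.
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
            Write-Error "SHA-256 mismatch: got $actual"
            return $false
        }
    }

    return $true
}

# Usage (placeholder values; replace with ones you obtained out-of-band):
# $installer = Join-Path $env:TEMP 'installer.exe'
# if (Test-PinnedInstallerSignature -Path $installer `
#         -ExpectedThumbprint 'AABBCC...' -ExpectedSubject 'CN=Example Publisher') {
#     Start-Process -FilePath $installer -Wait
# }
```

The order of the three checks matters for the scenario in this thread: step 1 alone would still accept a binary that the attacker signed with any certificate Windows trusts, so the signer pin in step 2 is what actually ties the installer to the publisher, and step 3 only adds value if the hash comes from somewhere other than the compromised host.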

in reply to Lorenzo Ancora

It's unfortunate... NPP is such a masterpiece of software. Back when I was a Windows 10 user, NPP ran very fast, it wasn't from Microslop and it had a decent UI and usability experience. As someone pointed out, now as a long-time Linux user I almost forgot the existence of this piece of software.
in reply to Lorenzo Ancora

Notepad++ is utterly irrelevant. Sorry to be blunt, but Windows software distribution is hopelessly broken.

Linux software repos are also broken but there is much hope and variety of options. ;-)

in reply to TrimTab 🇺🇦

@TrimTab most Windows developers use this editor in place of the standard Notepad. It has a very large userbase and frequent updates, so I wouldn't describe it as irrelevant.
in reply to TrimTab 🇺🇦

@TrimTab modern Linux repositories use digital signatures (like OpenPGP), so they are indeed safer to use.
I use both Debian and Fedora, and I can testify to the superior quality of the updates offered, in terms of timing and reliability. Indeed, trying new software is much easier this way! 🙂