Absolutely no reason a text editor needs internet access.
I only update stuff through winget, which fetches the installer from github in a lot of cases, and changing a package requires a PR to the winget repo AFAIK. Not foolproof of course though.
Why? CADT?
For an open-source alternative, consider checking out Lulu [0]. It's not as feature-rich and doesn't have as impressive a UI as the former, but it gets the main work done.
https://www.binisoft.org/wfc.php
It has some areas where improvement is needed, but the fundamentals work and the user interface design is decent.
I am surprised it's not more popular for Windows users. All of the alternatives I've tried have critical issues which made me dismiss them as unserious.
It's the best one I found after trying a few, because it's pretty easy to use, and lets me disable notification popups which is a part that always frustrates me about other options.
Also legitimate software (i.e. firewall/AV) cannot use "oldschool" tricks like system service descriptor table hooks to obtain godlike privileges these days, while malware sometimes can do this by exploiting vulnerabilities, so in such cases it may be an unequal fight.
Anyway, I hope the author can be a bit more specific about what actually has happened to those unlucky enough to have received these malicious updates. And perhaps a tool to e.g. do a checksum of all Notepad++ files, and compare them to the ones of a verified clean install of the user's installed version, would be a start? Though I would assume these malicious updates would be clever enough to rather have dropped and executed additional files, rather than doing something with the Notepad++ binaries themselves.
And I agree with another comment here. With all those spelling mistakes that notification kind of reads like it could have been written by a state-sponsored actor. Not to be (too) paranoid here, but can we be sure that this is the actual author, and that the new version isn't the malicious one?
I complained many times that they were enabling my innate procrastination by proving over and over again that starting the homework early meant you would get screwed. Every time I'd wait until the people in the forum started sounding optimistic before even looking at the problem statement.
I still think I'd like to have a web of trust system where I let my friends try out software updates first before I do, and my relatives let me try them out before they do.
And who do they let try the software before they do? And so on... Where does it end?
Is this surprising? My model is that keeping with the new versions is generally more dangerous than sticking with an old version, unless that old version has specific known and exploitable vulnerabilities.
Love notepad++ and will continue to use it.
Notepad++ site says The incident began from June 2025.
On their downloads page, 8.8.2 was the first update in June 2025 (the previous update 8.8.1 was released 2025-05-05)
So, if your installed version is 8.8.1 or lower, then you should be safe. Assuming that they're right about when the incident began.
edit: Notepad++ has published, on Github, SHA256 hashes of all the binaries for all download versions, which should let users check if they were targeted, if they still have the downloaded file. 8.8.1 is here, for example - https://github.com/notepad-plus-plus/notepad-plus-plus/relea...
This is true for a large number of software "security" issues
A software version earlier in date/time is not necessarily inferior (or superior) to a version later in date/time
As it is "updated" or rewritten, software can become worse instead of better, or vice versa, for a variety of reasons
Checking software's release date, or enabling/allowing "automatic updates" is not a substitute for reading source code and evaluating software on the merits
Did I understand the attack wrongly? The software could have a 100% correct checksum, because the attack happened in a remote machine that deals with call home events from Notepad++, I guess one of those "Telemetry" add-ons. The attackers did a MITM to Notepad++ traffic.
Updates are a direct connection from the Internet to your computer. You want to minimize that.
Just do a manual update from time to time.
Now I need to worry about this one. I've been anxious about vscode lately: apparently vscode extensions are a dumpster fire of compromises.
When I see politics in software updates or documentation, nothing happens because I'm not looking to use the software for political activism. Maybe I tell my adblocker to remove the messaging, and carry on with my task.
I can engage with politics in a social context, when political messaging isn't interrupting something else I'm doing; that's a better place for activism, IMHO.
I almost always see activists using the argument that if I don't like the messaging then I'm part of the problem. Somehow I doubt that, given I don't mind messaging at all, where it's appropriate.
I distinctly remember their GH page being flooded with issues written in Chinese.
My opinion is that open source documentation is like polite dinner conversation: It’s not the proper place to discuss politics.
If an author wishes to use their open source project as a platform to discuss politics, that’s the author’s prerogative. But then, as perhaps in this instance, it could be to the detriment of the project itself.
I'm going to place the blame on the party committing the crimes, not the person exercising free expression.
I know this is a common turn of phrase, but I cannot help thinking that if the political conversation is impolite it is because someone in the conversation is being impolite, not due to the topic itself.
You can ignore politics, but at a certain point, politics ceases to ignore you.
It is also annoying that all these three countries think they can bully other countries too. That is basically them saying they can kill other people in other countries at all times no matter the real "reason" (just make up a fake reason, such as Russia with regard to Ukraine) - annoying to no end.
Having said that, and I just pointed out I disagree with mainland China bullying the Taiwanese, I think it would actually be better to have software itself be completely apolitical. I never understood why people felt a need to tie political goals into software. That is a valid statement even if I happen to agree with the political goals here.
If anything, we need much more politics in software, ideally exercised by those who write that software instead of "apolitical" software writers who end up executing the political software of those who pay them.
If you meant to scope your statement only to FOSS, then this still applies (in fact, FOSS is inherently political), plus I suppose some people who invest their time to write software want to also use the same effort for political activism and there is nothing wrong with that. This can be expressing their political views via that software (e.g., vim and the support to children in Uganda) or can be using a license that only allows co-ops to run their software, or many other ways.
The idea that software even could be apolitical stems from the idea that technology can be neutral, which again, in 2026 is really a tough idea to support.
e.g. iTerm, Cyberduck, editors of all shades, various VSCode extensions, etc.
It really doesn’t compute in my head why would any macOS user not use a network firewall like this, or similar, to block unwanted outgoing HTTP(s) requests. You can easily inspect the packet with tools like Wireshark or Burp Suite Professional (or Community) edition, or any other proxy tool, of which there are many in the macOS ecosystem.
And this is not unique to macOS, this is all possible in Windows, Linux and any other OS.
Having said that, I absolutely despised the implementation that stole keyboard focus; if it popped up when I was typing it frequently disappeared before I had a chance to read it and I had to go into settings to try and find what had changed. Nothing should ever steal keyboard focus unless it's urgent, and then it should be such that you can't accidentally manipulate it with a keyboard (see the UAC prompt, which opens in the background if the calling program is in the background, and where once you activate it, you have to hold alt+y/n or tab to a button before it accepts the input; just hitting the y/n key alone won't do anything).
I'd be curious to know if there was any pattern as to which users were targeted, but the post doesn't go into any further detail except to say it was likely a Chinese state-sponsored group.
https://www.heise.de/en/news/Notepad-updater-installed-malwa...
https://doublepulsar.com/small-numbers-of-notepad-users-repo...
The TLDR is that until version 8.8.7 of Notepad++, the developer used a self-signed certificate, which was available in the Github source code. The author enabled this by not following best practices.
The "good news" is that the attacks were very targeted and seemed to involve hands on keyboard attacks against folks in Asia.
Blaming the hosting company is kind of shady, as the author should own at least some level of the blame for this.
choco update notepadplusplus
or winget upgrade Notepad++.Notepad++
Of course, this does nothing for bugs in the code. Even if this sort of (obviously rare) attack is not a concern, it baffles me how few otherwise-intelligent people fail to see the way these updaters provide the network (which itself is always listening, see Room 641A and friends) with a fingerprint of your specific computer and a way to track its physical location based on the set of software you have installed, all of which want to check for updates every goddamn day.
And there isn't really a way to confirm if it is configured in a secure way.
You either trust the developer or not.
Threat modeling: it keeps things realistic.
I once worked at a company where the Security team were very proud of this and all the other tricks they used to catch leakers by figuring out who was on campus, where, at what time, usually via fingerprinting personal devices carried alongside corporate devices.
This is also why update signatures should be validated against a different server; it would require hackers to control both servers to go undetected.
notepad-plus-plus.org currently has an A record of 95.128.42.184, owned by "Aqua Ray SAS".
It switched up from 191.101.104.10 and 212.1.212.49 on 17/1, which are Hostinger IP addresses.
No, it should be a hardcoded key held by the developer, preferably using an HSM, and maybe with some sort of notification capability in case the key was lost. Adding a second server adds marginal security. For instance, if the developer's mail was hacked, an attacker would likely be able to reset passwords for both hosting providers.
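The pinned-key verification the comment above argues for, together with the SHA256 check against published hashes mentioned earlier in the thread, as an added Go example that is not from this thread or from Notepad++ itself. The SignedUpdate layout, the version-plus-digest message format and the throwaway key pair are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// SignedUpdate is the hypothetical payload an update endpoint returns: installer bytes plus a signature.
type SignedUpdate struct {
	Version   string
	Installer []byte
	Signature []byte
}

// signedMessage binds the version string to the installer digest so a valid
// signature for one release cannot be replayed onto another.
func signedMessage(version string, installer []byte) []byte {
	digest := sha256.Sum256(installer)
	return append([]byte(version+"\n"), digest[:]...)
}

// SignRelease is the developer-side step; the private key stays offline or
// in an HSM and is never present on the download host.
func SignRelease(priv ed25519.PrivateKey, version string, installer []byte) []byte {
	return ed25519.Sign(priv, signedMessage(version, installer))
}

// VerifyUpdate accepts an installer only if its signature checks against the
// public key compiled into the client. Which host served the bytes, or where
// a getDownloadUrl-style redirect pointed, has no bearing on the result.
func VerifyUpdate(pinned ed25519.PublicKey, u SignedUpdate) error {
	if len(pinned) != ed25519.PublicKeySize || len(u.Signature) != ed25519.SignatureSize {
		return errors.New("malformed key or signature")
	}
	if !ed25519.Verify(pinned, signedMessage(u.Version, u.Installer), u.Signature) {
		return errors.New("signature does not verify against pinned key; refusing update")
	}
	return nil
}

// MatchesPublishedHash is the manual check for a file still in Downloads:
// compare its SHA256 with the hash published out of band (e.g. on GitHub).
func MatchesPublishedHash(installer []byte, publishedHex string) bool {
	want, err := hex.DecodeString(publishedHex)
	if err != nil || len(want) != sha256.Size {
		return false
	}
	got := sha256.Sum256(installer)
	return subtle.ConstantTimeCompare(got[:], want) == 1
}

func main() {
	// Constructed demo: a throwaway key pair stands in for the developer's key.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	installer := []byte("constructed installer bytes, not a real binary")
	sig := SignRelease(priv, "8.8.1", installer)
	fmt.Println("genuine release:", VerifyUpdate(pub, SignedUpdate{"8.8.1", installer, sig}))
	swapped := []byte("constructed tampered installer") // what a redirected download might serve
	fmt.Println("swapped installer:", VerifyUpdate(pub, SignedUpdate{"8.8.1", swapped, sig}))
}
```

Because the public key is compiled into the client, a compromised download host or a hijacked redirect can only serve bytes that fail verification; it cannot produce an accepted update without the offline signing key.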
As for whether anything else has been compromised, it depends on whether you were targeted. And the payload might have been tailored to each target, so there's no way to know unless you have access to the exact binary. Unfortunately, binaries downloaded through the auto update feature tend not to linger in your Downloads folder.
"The security expert's analysis indicates the attack ceased on November 10, 2025, while the hosting provider's statement shows potential attacker access until December 2, 2025. Based on both assessments, I estimate the overall compromise period spanned from June through December 2, 2025, when all attacker access was definitively terminated."
FTA.
Is it correct to say that users would only get the compromised version if they downloaded from the website?
Notepad++ has an auto-update feature; is there any indication that updates from the AutoUpdate were compromised?
> The attackers specifically targeted Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++.
I get that this is a difficult situation for a small developer, but ending with this line did not fill me with confidence that the problem is actually resolved and make me trust their software on my system.
The odds may be better if you operate the way OpenSSH does: move slow, security first, architect everything to be very difficult to attack. But if you're building a text editor, it's not your mindset, and probably never will be.
I mean, if you look at the Notepad++ website this developer seems just as concerned with spamming political messaging all over everything as he is with writing the software he's distributing. It's pretty crazy he apparently didn't think to take more basic precautions given he is basically permatrolling Russia and China with his messaging. Big brain moment for him. And meanwhile, after reading that disclosure nonsense none of us even know what's going on - like, should we be formatting machines that were affected during that timeframe? Was the attack targeted and specific only? Who the fuck knows!
who signed the binaries was irrelevant for this attack, because the issue was not checking any signature
Something doesn't seem right here.
This time I unfortunately have to move on from Notepad++. Vibes have been negative for a while but out of inertia (and because there weren't obvious alternatives) I never pulled the trigger. Now it's time. The trust is gone.
Thanks NP++ for being free and useful for so many years.
Can anyone suggest a solid alternative on Windows? I'm fine with Linux and macOS but I have to keep a Windows machine around for some legacy, win only, software.
Maybe Sublime Text could be an option? At this point I'd rather pay for something lightweight, fast, and probably better.
I don't like tooling that increases my exposure to bad state actors (whatever state they're from).
> Can anyone suggest a solid alternative on Windows
What a weird reason to switch. I don't know why you'd believe any other piece of software is somehow more secure against state actors.
Winget downloads the installer from GitHub: https://github.com/microsoft/winget-pkgs/blob/master/manifes...
All such portals upgrade their hash/sig noting of binaries, and keep those in a history-retaining merkle tree of sorts. If nothing else, a git repo. Something like this https://github.com/hboutemy/mcmm-yaml/blob/master/aws/sdk/ko... but with SHA256s, and maybe not the entire world on one repo.
First I thought CVE-2012-3587 was incompetence... but then seeing CVE-2012-0954 after it, I couldn't help thinking something more was at bay, something connected to a nation state. It does not surprise me in the least to see nation state attackers exploiting N++. Because I've also worked on very sensitive enterprise PAM systems in F500/research/academia, and about 10% of the time it felt like I'd see Notepad++ on internet-connected systems used for security tooling because vanilla notepad is indeed garbage. It does not surprise me at all this has been used as an attack vector.
Which versions were affected and how can people check if they have the infected version?
> 2. Even though the bad actors have lost access to the server from the 2nd of September, 2025, they maintained the credentials of our internal services existing on that server until the 2nd of December, which could have allowed the malicious actors to redirect some of the traffic going to https://notepad-plus-plus.org/getDownloadUrl.php to their own servers and return the updates download URL with compromised updates.
Notepad++ is a great editor. I don't use it on Linux, because I have an older editor I am very used to, but on Windows I like notepad++ a lot (though lately I have been using geany on Windows, mostly for convenience - I think notepad++ is better but I sort of like the github-based development of geany; either way notepad++ is really excellent as well).
They should also be more helpful with not plundering the oceans, even including the territorial waters of far-flung nations, of fish.
The latest and greatest cryptography powering everyone’s favorite SAML-based single-sign on.
I'm pretty surprised that they got away with unsigned updates and shared hosting as long as they did. I wonder how many similar popular projects are out there on dodgy infrastructure.
I expect to know it one day, but it may be too early to provide the name now.
They go on about how their server was compromised, and how the big bad Chinese were definitely behind it, and then claim the "situation has been fully resolved", but there is zero mention of any investigation into what was actually done by the attackers. Why? If I downloaded an installer during the time they were hacked, do I have malware now?
The utter lack of any such information feels bizarre.
XMLDSig is notoriously difficult to implement correctly and securely, I hope this doesn't backfire.
I mean for such a dev focused and extremely performant app, that’s disappointing.
Glad I’m off windows as of late
After a machine is compromised by malware, there's rarely-to-never a trustworthy way to ever fix it with 100% certainty. And especially worrisome is "repair" from the host itself which maybe infected with a rootkit that hides and repairs the malware. Thus, the only correct solution is to completely reimage/reinstall from trusted sources. Deviate from this path at one's own extreme cost/risk.
There also exist a tiny amount of even worse, specialized malware, usually deployed by state actors, that infect hardware in such a way that makes them difficult and sometimes uneconomical to repair.
PSA: Never run untrustworthy shit on any machine that matters. This also includes FOSS projects that don't have their shit together.
It seems to be a lot like communism - sounds great on paper but we are yet to see a proper implementation.
Between Git, Linux and SQLite there are a few projects that have been led by weirdos who have the time, resources and conviction to drive these through time.
Unless you create some sort of an auxiliary business and get an acquihire deal, most things will fizzle out.
Years ago when I started working for BigCo I was amazed by their denial of FOSS. At one point in the project I pointed out a problem, which was heard and recognized, to which I followed up with a solution using an open source package. I thought I was clever - we needed an extra package in our system, but I was able to find a suitable open source solution that would not add to the overall cost of the project. My proposal was immediately pushed back.
Initially I thought it was due to a responsibility issue - if we'd employ a FOSS solution we'd be responsible for the outcome. Having a 3rd party vendor, the management would have the opportunity to shield themselves.
But that doesn't have to be the case. The FOSS project could easily fizzle out. And if we don't have enough resources to incorporate it and make it our own, we can potentially risk being left out to dry.
This is acceptable. Why shouldn't most things started by people not willing to put in the work to keep them going not fizzle out? The important thing is that anyone who actually cares to can jump in and pick up right where the open source software fizzled out and get it going again. Anyone can learn from the code and use it for anything they want, even things that have nothing to do with the goals of the original project.
It's not as if there aren't countless examples of corporate vendors dying off and leaving their customers on the hook with nothing, or just changing the product drastically after the sale. At least in the open source case you have the option to fork the project and continue using it as you always have.
I think Linux has the best solution for this - good package managers for the base system and Flatpak with the Flathub repo for other apps. So you never get stupid popups, and update managers use signed packages and check those signatures before installation.
I subscribe to MacPaw, who makes excellent apps like Setapp, Gemini, and CleanMyMac, all of which I use.
At some point, CleanMyMac started putting the Ukrainian flag on the app icon and flagging utilities by any Russian developer as untrustworthy (because they are Russian), and recommended that I uninstall them.
I am not pro-Russia/anti-Ukraine independence by any means, but CleanMyMac is one of those apps that require elevated system permissions. Seeing them engage in software McCarthyism makes me very, very hesitant to provide them.
Please refer to it for context.
Fuck 'em and just donate ten bucks to notepad++, I'd rather my pc breaks than reward this crap
Since there are a lot of both Ukrainian and Russian software developers, this is personal for a lot of people in the industry.
What the fuck is that supposed to mean, lol. Ukraine isn't some secessionist state.
> Seeing them engage in software McCarthyism makes me very, very hesitant to provide them.
So are they wrong when flagging software or not? You haven’t provided any details.