Following the security disclosure published in the v8.8.9 announcement https://notepad-plus-plus.org/news/v889-released/
the investigation has continued in collaboration with external experts and with the full involvement of my (now former) shared hosting provider.
According to the analysis provided by the security experts, the attack involved infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org. The exact technical mechanism remains under investigation, though the compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself. Traffic from certain targeted users was selectively redirected to attacker-controlled served malicious update manifests.
TL;DR
According to the former hosting provider, the shared hosting server was compromised until September 2, 2025. Even after losing server access, attackers maintained credentials to internal services until December 2, 2025, which allowed them to continue redirecting Notepad++ update traffic to malicious servers. The attackers specifically targeted the Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++. All remediation and security hardening were completed by the provider by December 2, 2025, successfully blocking further attacker activity.
This isn’t the first time I’ve heard of malicious actors targeting Notepad++. Is there some reason why it seems to be a desirable target, or is it just that the maintainers are more open about such things compared to other IDEs?
Wow, for once, me being too lazy to update actually paid off.
Updated to the newest version manually now. Thank you for posting this, I would never have seen it otherwise and I use notepad++ for work every day.
I don’t use Notepad++, but it makes me wonder about all the other update mechanisms out there.
That's scary. Fortunately, I'm probably not among the "targeted users."