Oof. Kudos to Notepad++ for being up front with the details.
this post was submitted on 02 Feb 2026
503 points (99.2% liked)
Technology
81162 readers
5174 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
China, Russia, the US, fucking Israel. They all piss me off so fucking much. Can't we live in a sane world just for a single fucking day?
load more comments
(15 replies)
Yikes... i guess i am confused though. What data was being sent through this channel? What did they get from people while it happened and why did it take 2 months past them stopping it to finally make a release? I love the app, but this sounds really bad.
From my understanding: Basically the attackers could reply to your version check request (usually done automatically) and tell N++ that there were a new version available. If you then approved the update dialogue, N++ would download and execute the binary from the update link that the server sent you. But this didn't necessarily need to be a real update, it could have been any binary since neither the answer to the update check nor the download link were verified by N++
Thats what i was thinking, but there is no mention on if this did happen and if it did what was compromised or allowed to happen.
How would n++ devs know?
Expanding on this: the exploit was against their domain name, redirecting selected update requests away from the notepad++ servers. The software itself didn't validate that the domain actually points to notepad++ servers, and the notepad++ update servers would not see any information that would tell them what was happening.
Likely they picked some specific developers with a known public IP, and only used this to inject those specific people with malware.
So the solution would have been an SSL certificate check on the client side.
Can't tell if that would have helped
which could have allowed the malicious actors to redirect some of the traffic going to https://notepad-plus-plus.org/getDownloadUrl.php to their own servers
They could have just piped the binaries though the same server since they had this level of access. They would have had months to figure it out.
Oof, I thought it was just a DNS hijack. If they had access to the server, it's game over regardless.
It's not game over regardless if the updater checks a signature of the update installer. Then it wouldn't run an installer by someone else.
That's true, assuming they didn't also put their private keys on the server
As the hoster wrote this:
we immediately transferred all clients’ web hosting subscriptions from this server
It looks like the binaries and the update check script were put on a simple web space. If that is the correct conclusion to draw from this excerpt, then it'd be rather strange to have the keys on that server as it's very unlikely that it was used to produce any builds.
That's what they say they rolled out, after: "Within Notepad++ itself, WinGup (the updater) was enhanced in v8.8.9 to verify both the certificate and the signature of the downloaded installer"
The previous release already fixed this, or evaded the issue.
The channel was the update mechanism. Upon Notepad++ checking for updates, they were able to inject their own. So if you updated via the apps own update checker they could have misdirected you into installing something else or something modified.
load more comments
(1 replies)
And work bosses saw a news story on this and banned the app outright :( can anyone suggest a replacement that is not paid and has features useful for searching lots of large logs files quickly for keywords?
Kate
+1 for Kate. I think its ment to be an acronym for KDE Advanced text editor but its a linux program that feels very close to notepad++ and will handle large files with gusto
VSCodium.
Rename the shortcut to notepad++2?
Emacs
He’s asking for a text editor, not to join a cult. /s
load more comments
(13 replies)
So what malware got shipped?
If I recall correctly this is the second time this has happened to N++. Fool me once… can’t get fooled again.
Three times++, actually. The second attack was documented to have resumed after the third, with different payload URLs.
load more comments
(1 replies)
I've kind of stopped following things up since I left windows, but maybe you're remembering when this actually happened a while ago? This is just some in-progress post-mortem report.
I would like to know starting from wich version should i be concerned. I haven't updated in a while i think.
The timeline says the attack started in June of 2025 and continued through Dec 2, 2025. If you installed, updated, or silently updated during that period you may have been targeted / compromised.
load more comments
(13 replies)
Every version before the previous one.
If you haven't updated you were not vulnerable to the update hijacking.
So that’s what the second plus includes….
This is why I don't update things that don't need updates. Untill I switched to Linux I had been using the same version for like a decade.
Also I'd imagine the American government is doing the exact same shit. Or rather Israel is doing it in behalf of the American government
view more: next ›