Following the security disclosure published in the v8.8.9 announcement (https://notepad-plus-plus.org/news/v889-released/), the investigation has continued in collaboration with external experts and with the full involvement of my (now former) shared hosting provider.
According to the analysis provided by the security experts, the attack involved infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org. The exact technical mechanism remains under investigation, though the compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself. Traffic from certain targeted users was selectively redirected to attacker-controlled servers that served malicious update manifests.
TL;DR
According to the former hosting provider, the shared hosting server was compromised until September 2, 2025. Even after losing server access, attackers maintained credentials to internal services until December 2, 2025, which allowed them to continue redirecting Notepad++ update traffic to malicious servers. The attackers specifically targeted the Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++. All remediation and security hardening were completed by the provider by December 2, 2025, successfully blocking further attacker activity.
[OP] riQQ | 15 hours ago
skybrian | 15 hours ago
I don’t use Notepad++, but it makes me wonder about all the other update mechanisms out there.
Akir | 14 hours ago
This isn’t the first time I’ve heard of malicious actors targeting Notepad++. Is there some reason why it seems to be a desirable target, or is it just that the maintainers are more open about such things compared to other IDEs?
Rudism | 11 hours ago
My guess is because Notepad++ hits that prime target zone of being open source, having a significant user base, and being largely maintained by a single developer. It's the little blibbet in that xkcd comic that everyone's sick of seeing all the time by now.
DFGdanger | 10 hours ago
That's along the lines of what I was thinking too. "Small" project with a lot of users. I used it a decade+ ago but didn't realize it was open source.
May also be in part provoked by Political messaging
Sunbutt23 | 2 hours ago
I’d presume n++ is used by someone inside a secure corporation that the state wanted to get into. You poison n++, then get inside that corp and find the real stuff you want. All the while everyone is looking at the n++ vulnerability and missing the database that was just exfiltrated.
Sheep | 14 hours ago
Wow, for once, me being too lazy to update actually paid off.
Updated to the newest version manually now. Thank you for posting this, I would never have seen it otherwise and I use Notepad++ for work every day.
mantrid | 14 hours ago
That's scary. Fortunately, I'm probably not among the "targeted users."