This is a most excellent place for technology news and articles.
This is why I don't update things that don't need updates. Untill I switched to Linux I had been using the same version for like a decade.
Also I'd imagine the American government is doing the exact same shit. Or rather Israel is doing it in behalf of the American government
If I recall correctly this is the second time this has happened to N++. Fool me once… can’t get fooled again.
Three times++, actually. The second attack was documented to have resumed after the third, with different payload URLs.
I've kind of stopped following things up since I left windows, but maybe you're remembering when this actually happened a while ago? This is just some in-progress post-mortem report.
And work bosses saw a news story on this and banned the app outright :( can anyone suggest a replacement that is not paid and has features useful for searching lots of large logs files quickly for keywords?
Notepad++ installed from any package manager was perfectly fine and safe.
I know.
I'm only using Sublime Text and the Notepad that is included with Windows. Not sure exactly what you're looking for.
NotepadQQ 😆
Rename the shortcut to notepad++2?
Kate
+1 for Kate. I think its ment to be an acronym for KDE Advanced text editor but its a linux program that feels very close to notepad++ and will handle large files with gusto
VSCodium.
Sublime 3
Awesome choice but one crucial detail is that commercial use requires a license.
Emacs
He’s asking for a text editor, not to join a cult. /s
I guess Geany could work?
I downloaded that one today. It will work for now but it's missing a couple of n++ features I use.
Zed! Fastest GUI editor out there other than Sublime Text.
Ive always had notepad++ crash on large files or xml's with no newlines. I use sublime in those cases :)
That said, as a developer, notepad++ is a very often used tool haha
I regularly open CSVs in the range of 500MB to 2GB in notepad++ without any problem.....
China, Russia, the US, fucking Israel. They all piss me off so fucking much. Can't we live in a sane world just for a single fucking day?
Oof. Kudos to Notepad++ for being up front with the details.
Yikes... i guess i am confused though. What data was being sent through this channel? What did they get from people while it happened and why did it take 2 months past them stopping it to finally make a release? I love the app, but this sounds really bad.
The software itself, and the devs, have little to nothing to do with this besides detecting the issue. Which was not obvious, since (it seems) the attack was targeted at specific IPs/hosts/places. It likely worked transparently without alteration for most users, probably including the devs themselves.
It also would only affects updates through the built-in updater; if you disabled that, and/or installed through some package managers, you would not have been affected.
A disturbing situation indeed. I assume some update regarding having adequately digitally signed updates were done (at least, I hope… I don't really use N++ anymore). But the reality is, some central infrastructure are vulnerable to people with a lot of resources, and actually plugging those holes requires a bit of involvement from the users, depending how far one would go. Even if everything's signed, you have to either know the signatory's public key beforehand or get a certificate that you trust. And that trust is derived from an authority you trust (either automatically through common CA lists, or because you manually added it to your system). And these authorities themselves can become a weak point when a state actor butts in, meaning the only good solution is double checking those certificates with the actual source, and actually blocking everything when they change, which is somewhat tedious… and so on and so on.
Of course, some people do that; when security matters a LOT. But for most people, basic measures should be enough… usually.
From my understanding: Basically the attackers could reply to your version check request (usually done automatically) and tell N++ that there were a new version available. If you then approved the update dialogue, N++ would download and execute the binary from the update link that the server sent you. But this didn't necessarily need to be a real update, it could have been any binary since neither the answer to the update check nor the download link were verified by N++
The previous release already fixed this, or evaded the issue.
The channel was the update mechanism. Upon Notepad++ checking for updates, they were able to inject their own. So if you updated via the apps own update checker they could have misdirected you into installing something else or something modified.
I would like to know starting from wich version should i be concerned. I haven't updated in a while i think.
The timeline says the attack started in June of 2025 and continued through Dec 2, 2025. If you installed, updated, or silently updated during that period you may have been targeted / compromised.
How would you know if you updated?
My notepad++ is on 8.9.1 and I have no idea how it's on that ver (ninite I think is where I sourced it....maybe it's auto updating?)
Odds are you weren't on the "targeted list".
If you don't know, you're probably auto updating.
If you updated or installed in 2025 after June-ish, the safe thing to do is uninstall, then download from the new (theoretically more secure) website and install the new (theoretically more secure) 8.9.1.
If you were pwned by an update during later 2025, they could disguise just about anything in your Notepad++ and its associated files - make it look perfectly normal, make it act perfectly normal, but have their own malware on your system doing... whatever it is they want it to do.
I understand one of the things they were doing is running a proxy to carry traffic through your system, so if you see a lot of unexpected network activity (under Windoze how can you tell?) you may have been compromised. But that's not the only thing they could have done, nobody has really analyzed the attack yet and even after they do, you might have gotten a "special" payload that the analysis team didn't see...
