Notepad++ Updates Compromised with Spyware (1 Viewer)

[isladogs]

Like me, many of you will probably be long time users of the very popular and free Notepad++ text editor.
In case you aren’t already aware, the hosting server used to deliver updates was compromised from June to Dec 2025 resulting in malicious spyware being installed on users’ computers. The issues have now been fixed, but all Notepad++ users should check and take appropriate action.

I’ve written a short article outlining the issues and action needed at Notepad++ Updates Compromised.
However, if you are a Notepad++ user, I strongly urge you to read the source article Notepad++ Supply Chain Attack Full Story for full details

Thanks to Peter Bryant who alerted all members of the UK Access User Group about the issues in the source article earlier today.

 

[RonPaii]

For years I have been going to Ninite.com to get tools like Notepad++
It gets the source from the original provider to install and update.

 

[isladogs]

In this case, I don't believe that would have helped as the update process was intercepted at the host.
Have you read the article?

 

[RonPaii]

In this case, I don't believe that would have helped as the update process was intercepted at the host.
Have you read the article?

Ninite does not use Notepad++'s update system, so the XML exploit is not triggered.

 

[isladogs]

Yes I understand that.
I may be wrong but my impression from reading the article was that any updates from the Notepad++ website itself were also intercepted as the hosting provider had been compromised
Personally I wouldn’t take the risk, no matter how you obtained any updates from June to Dec 2025.

 

[TuurCarlsen]

Thank you very much for this info !
I've read the article and I just upgraded to version v8.9.1 from notepad-plus-plus.org

 

[RonPaii]

I posted the following question to CoPilot.

Does Ninite.com suffer from the security issues of Notepad++ updates

This is the response

Ninite.com is not affected by the Notepad++ update‑hijacking incident, because the attack targeted Notepad++’s own update infrastructure—not third‑party distributors like Ninite. Ninite downloads installers directly from the official vendor each time you run it, which avoids the compromised auto‑update channel that Notepad++ used.

Why Ninite Was Not Impacted​

1.​

Multiple reports confirm that Chinese state‑sponsored attackers hijacked the Notepad++ update infrastructure by compromising the hosting provider. This allowed them to redirect in‑app update checks to malicious servers. The vulnerability was in the update delivery path, not in the Notepad++ binaries themselves.

2.​

Ninite never relies on an application's built‑in updater. Instead, it:

• Fetches the latest official installer directly from the vendor’s website at runtime
• Verifies signatures where available
• Installs silently without touching the app’s internal update system

Because the Notepad++ compromise only affected in‑app update traffic, Ninite’s method bypasses the compromised channel entirely.

3.​

The hijacking redirected only certain users—primarily in telecom and finance sectors—based on targeted update‑request interception. It was not a broad compromise of all Notepad++ downloads.

4.​

Newer versions (8.8.9 and later) include:

• Stronger certificate and signature checks
• A move to a more secure hosting provider
• Removal of the self‑signed certificate used previously

These changes further reduce any downstream risk.

Bottom Line​

Ninite was not exposed to the Notepad++ update hijack, because the attack only affected the auto‑update mechanism inside Notepad++, not the official installers that Ninite downloads directly.

 

[isladogs]

@RonPaii
I hope CoPilot is correct in its assertion.
However, the original article on which it is probably basing its comments, does not make that distinction.

 

[RonPaii]

@RonPaii
I hope CoPilot is correct in its assertion.
However, the original article on which it is probably basing its comments, does not make that distinction.

I agree, AI info can be suspect. But over the years, I have never seen anything that would negate what Copilot reported. In the last 5 months I replaced or update 30 computers using Ninite to install Notepad++. None of those computers show any sign of the corruption.

 

[AccessBlaster]

None of those computers show any sign of the corruption.

Maybe because we weren't the target?

The hijacking redirected only certain users—primarily in telecom and finance sectors—based on targeted update‑request interception. It was not a broad compromise of all Notepad++ downloads.

 

[isladogs]

I agree with both of the previous responses. The original article made it clear that the hackers were targeting certain machines / sectors - but that doesn't necessarily mean the attack was limited to those sectors.

I had last updated Notepad++ to v8.8.2 in June using the built-in updater - It appears that was after the attack began.
I could find no evidence that my system had been compromised - not even the existence of the self signed certificate or AutoUpdater.exe file

However, I still played it safe by uninstalling and reinstalling the latest secure version as advised by the Notepad++ developer.
If others choose to ignore the official advice from the developer, that's their decision.

 

[Cotswold]

Doesn't the current Windows11 NotePad feed data back to MS?
It appeared to say that in an update sometime last year, or the year before I think it was. Just about the same time that Notepad++ needed to be online. Since then I have used GEANY for a text editor.
Who can you trust? I have a Chromebook that I only use for looking at news sites once a day.

 

[AccessBlaster]

One was hijacked, the other was implied consent.

 

[The_Doc_Man]

This is one of the big "gotcha" cases with Win11. It wants to improve your on-screen experience so it wants to send (they call it) personalization data. There are ways to turn this off in Settings >> Personalization. You might have to browse around in that area. Try the following search string: removing personalization from windows 11
A lot of articles will come up. The issue in question is that MSFT is building a "dossier" on how you use your computer. This involves transmitting feedback to the gang in Redford, Oregon or wherever else they have the hub for this blatant spying. If you go down the implied "rabbit hole" to turn that feedback-oriented stuff off, you will be busy for as much as a full day.