Notepad++ Hijacked - What it Means and What to Do
If you use Notepad++ on your PC - especially on a work machine - this is one of those updates you should not postpone.
Notepad++ is a free, open source text editor for Windows that is widely used for both basic text work and software / IT tasks. People rely on it for features like tabs, syntax highlighting, search and replace across files, and editing configuration files or logs, among other things. Its footprint in technical environments makes it a high value target for attackers who want a quiet foothold.
Why You Need to Update Notepad++
If you use the standard installer version of Notepad++, you likely also have its built-in updater (WinGUp). Older versions had a critical weakness: the updater could be tricked into downloading and executing an attacker-controlled installer if update traffic was redirected or intercepted. That is the core risk: arbitrary code execution via the update path.
Notepad++ patched this vulnerability by hardening the updater and update flow starting with version 8.8.9, including verification of the downloaded installer (signature and certificate checks) and aborting the update if verification fails.
What Got Hacked in Notepad++
Based on the public incident reports, the key issue was the update infrastructure / delivery path. In other words, this looked like an update channel hijack: targeted users were redirected away from legitimate Notepad++ update infrastructure to attacker controlled servers serving trojanized installers.
That distinction matters because it explains why some people were unaffected even if they used Notepad++ during the same time period: the operation was described as selective and targeted, not a broad "everyone gets the bad build" event.
When and How did the Notepad++ Hijack Happen?
Public reporting and the developer incident update describe a window starting around June 2025 and ending by December 2, 2025, with attacker access to parts of the shared website hosting environment.
According to the developer summary, the attackers retained control of the compromised hosting server until September 2, 2025. After that date, they lost direct server access (for example due to provider side remediation), but the incident did not fully end.
Even without direct server access, attackers still had credentials to internal services that let them continue redirecting Notepad++ update traffic to attacker controlled servers until December 2, 2025, when those remaining access paths were removed.
How the Notepad++ Hack Works
If you are wondering how a normal update check can turn into a security incident, it helps to understand the exact chain of events.
Here's how it works:
- First, Notepad++ (via WinGUp) checks for updates by contacting an update endpoint that returns update metadata, including a download URL.
- Attackers gained the ability to manipulate that update path for selected victims - for example by controlling a hosting component involved in the update script or by retaining credentials that let them redirect traffic.
- The victim was then pointed to a malicious download that looks like a normal Notepad++ update. In older versions, the updater did not cryptographically verify update metadata and installers in a way that blocks this kind of redirection attack.
- The result is that the updater downloads an attacker-controlled installer and executes it under the user's privileges. This is why supply chain attacks are so effective: users are trained to trust update prompts.
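As an added illustration (not Notepad++ or WinGUp code), this is the kind of gate a hardened updater applies before it runs a downloaded installer: the Authenticode signature must validate, the signer subject must match a pinned publisher, and an optional out-of-band hash must match, otherwise the update is aborted. The publisher string and installer path are placeholders for the reader to fill in.

```powershell
# Added example, not the project's code: refuse to run a downloaded installer
# unless signature, signer and (optionally) hash all check out.
# ASSUMPTIONS: -ExpectedSigner is a placeholder; take the real publisher name
# from a known-good signed release. -ExpectedSha256 comes from the vendor's
# published checksum, if one is available.
function Test-TrustedInstaller {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSigner,  # substring of the cert Subject
        [string] $ExpectedSha256                          # optional hex digest
    )
    $result = [ordered]@{ Path = $Path; Trusted = $false; Reasons = @() }

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $result.Reasons += 'file not found'
        return [pscustomobject]$result
    }

    # 1. The Authenticode chain must validate to a trusted root. NotSigned,
    #    HashMismatch or UnknownError are all hard stops.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        $result.Reasons += "signature status: $($sig.Status)"
    }

    # 2. A valid signature from the wrong publisher is still an attacker
    #    installer, so pin the signer subject, not just validity.
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    if ($subject -notlike "*$ExpectedSigner*") {
        $result.Reasons += "unexpected signer: '$subject'"
    }

    # 3. Optional: pin the exact release hash obtained out of band.
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
            $result.Reasons += "sha256 mismatch: $actual"
        }
    }

    $result.Trusted = ($result.Reasons.Count -eq 0)
    [pscustomobject]$result
}

# Usage: only launch when every check passed; otherwise abort and say why.
$check = Test-TrustedInstaller -Path "$env:TEMP\npp-installer.exe" -ExpectedSigner 'PLACEHOLDER-PUBLISHER'
if ($check.Trusted) { Start-Process -FilePath $check.Path -Wait }
else { Write-Warning ("Refusing to run installer: " + ($check.Reasons -join '; ')) }
```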
Auto Update vs Portable Notepad++ Zip File
Notepad++ behaves differently depending on how you installed it.
With the installer build, the auto-updater checks every 15 days for an update and prompts the user to install it. This is the point at which users could have been hit with an infection, but only if they were prompted and chose to download the update. Only version 8.8.9 (and newer) is considered "safe", so make sure to check what version you're running.
As for the portable zip distribution of Notepad++, it is updated manually by downloading a new zip from the Notepad++ website. Reporting explicitly notes that targeted victims were redirected when using the built-in updater, which is not present in the portable version. If you only ever updated by manually downloading from the official Notepad++ website, you are likely not affected, but to be safe, make sure you grab the latest version.
What Happens if you Downloaded the Hacked Version of Notepad++?
If you were one of the targeted victims and you updated through the in-app updater during the hijack window, a trojanized installer may have executed on your system, which can install a backdoor or remote access capability. Reuters and other reports describe the incident as an espionage style operation and note that it was selective. (Source: reuters.com)
Not every user who updated is assumed compromised, as public reporting repeatedly emphasizes targeting. But if you are in a higher risk category (enterprise environment, government, critical infrastructure, etc), treat this as serious until proven otherwise.
What to Do Now
- Update Notepad++ to version 8.8.9 or later using a fresh installer downloaded directly from the official Notepad++ site.
https://notepad-plus-plus.org/downloads/v8.9/
- If you used the updater during June 2025 - December 2, 2025, assume you have potential exposure. Determine whether you used the built-in updater or a manual download, since the built-in updater is the path that delivered the infection. You can find out what version you have by loading the program and choosing Help -> About.
- If you are somewhat technically inclined, you can look for suspicious updater artifacts and activity in the C:\Windows\Temp folder, as this will give clues as to whether or not you were hit. (Source: theverge.com)
- Scan your system for malware. Run a full scan using Windows Defender and review your startup items, scheduled tasks, and services. Download Autoruns and use it to review these areas - it makes the process much easier. If you are not sure what you are looking at, contact Dennis for assistance.
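An added PowerShell triage helper, not from the article, that gathers the items in the checklist above in one pass: the installed version compared with 8.8.9, recently written executables in C:\Windows\Temp, and autostart entries (Run keys, scheduled tasks, auto-start services) to review alongside Autoruns. It assumes the default install path under Program Files.

```powershell
# Added triage script (not from the article). Read-only: it reports, it does
# not remove anything. ASSUMPTION: default install path; adjust if different.
$PatchedVersion = [version]'8.8.9'
$NppPath = Join-Path $env:ProgramFiles 'Notepad++\notepad++.exe'
$Since   = Get-Date '2025-06-01'      # start of the reported hijack window

$report = [ordered]@{}

# 1. Installed version (same value as Help -> About) against the patched baseline.
if (Test-Path -LiteralPath $NppPath) {
    try {
        $v = [version](Get-Item -LiteralPath $NppPath).VersionInfo.ProductVersion
        $report.Version = $v
        $report.Patched = ($v -ge $PatchedVersion)
    } catch { $report.Version = 'could not parse version' }
} else {
    $report.Version = 'not found at default path'
}

# 2. Executables / installers / scripts written to C:\Windows\Temp during the window.
$report.TempArtifacts = Get-ChildItem "$env:SystemRoot\Temp" -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe','.dll','.msi','.ps1','.bat','.vbs' -and $_.LastWriteTime -ge $Since } |
    Select-Object FullName, LastWriteTime, Length

# 3. Persistence locations to eyeball: Run keys, non-Microsoft scheduled tasks,
#    auto-start services whose binary lives outside the Windows directory.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$report.RunEntries = foreach ($k in $runKeys) {
    if (Test-Path $k) {
        (Get-ItemProperty $k).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } | Select-Object Name, Value
    }
}
$report.Tasks = Get-ScheduledTask |
    Where-Object { $_.Author -notmatch 'Microsoft' -and $_.State -ne 'Disabled' } |
    Select-Object TaskName, TaskPath, Author
$report.Services = Get-CimInstance Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName -notmatch '\\Windows\\' } |
    Select-Object Name, PathName, State

$report   # review each section; anything unexpected is a lead, not a verdict
```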
A Word of Caution Regarding Malicious Remote Access
Please be aware that remote access compromises are not always obvious and automated scans usually won't pick up that you have remote access installed. Many remote access tools are legitimate, so antivirus / antimalware typically don't flag it as malicious - especially if attackers configured them to run quietly and blend in.
In a remote access Trojan case I dealt with last week, the victim ended up with four separate remote access sessions installed after opening a malicious email attachment. The attackers operated through hidden sessions that did not show up in any obvious way, so the compromise went unnoticed.
From there, they quietly enumerated and searched her Excel and Word documents using automated tooling, without opening files in a way that would tip anyone off. After collecting what they wanted, they called her pretending to be Fidelity support, pushed the "unauthorized transfers" story to get her to log in, then made her screen appear to crash while they tried to move funds out of the account. She powered the machine off immediately and called me - and that is when I confirmed what had happened and where they were hiding.
About the author: Dennis Faas is the CEO and owner of Infopackets.com. Since 2001, Dennis has dedicated his entire professional career to helping others with technology-related issues, writing in a question-and-answer style; more than 2,000 of his articles are available on this site. In 2014, Dennis shifted his focus to cyber crime mitigation, including technical support fraud and, in 2019, online blackmail. His credentials are listed at DennisFaas.com, including a Bachelor's Degree in Computer Science (1999), an article written about him by Alan Gardyne of Associate Programs (2003), and a recommendation for his services from the University of Florida (2006).