2026-02-16“the XML returned by the update server is now signed (XMLDSig), and the certificate & signature verification will be enforced starting with upcoming v8.9.2, expected in about one month.“ As promised in the announcement Notepad++ Hijacked by State-Sponsored Hackers, this release strengthens the weakest links in Notepad++ update process.Below is an illustration of how the Notepad++ update mechanism was previously hijacked: With security enhancements introduced in v8. Continue reading at the publisher's website.

Continue reading at the publisher's website.

2026-02-05After the publication of Notepad++ Hijacked by State-Sponsored Hackers, we’ve received many questions from concerned users. Here’s what you need to know:What Was Actually Compromised? Notepad++ itself was NOT hacked. The issue was with the auto-updater component (WinGup), which was exploited through a compromise of our former hosting provider’s infrastructure. The Notepad++ application you’ve been using remains safe and secure.Who Was Targeted? This was a highly selective attack by a state-sponsored group targeting specific high-value organizations. Continue reading at the publisher's website.

2026-02-02Following the security disclosure published in the v8.8.9 announcement https://notepad-plus-plus.org/news/v889-released/ the investigation has continued in collaboration with external experts and with the full involvement of my (now former) shared hosting provider.According to the analysis provided by the security experts, the attack involved infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org. The exact technical mechanism remains under investigation, though the compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself. Continue reading at the publisher's website.

Continue reading at the publisher's website.

2026-01-26Several regressions were fixed in release 8.9.1: playback of macros that dulicated EOL, no matches found when pasting from Excel into the Find what field, and a regression in the customized context menu where the separator (id=“0”) escapes FolderName submenu. A long-standing bug was also fixed in this version: a single undo reverted multiple changes after macro execution.In addition to the fixed issues mentioned above, this release includes various bug-fixes & a few additional enhancements. Continue reading at the publisher's website.

Continue reading at the publisher's website.

2025-12-27Though the version number is major, this release itself is not a major update, and it contains regression-fix & enhancements.The self-signed certificate is no longer used as of this release. Only the legitimate certificate issued by GlobalSign is now used to sign Notepad++ release binaries. We strongly recommend that users who previously installed the self-signed root certificate remove it.A log of security errors encountered during Notepad++ updates is now generated automatically. Continue reading at the publisher's website.

Continue reading at the publisher's website.

2025-12-09Some security experts recently reported incidents of traffic hijacking affecting Notepad++. According to the investigation, traffic from WinGUp (the Notepad++ updater) was occasionally redirected to malicious servers, resulting in the download of compromised executables.The review of the reports led to identification of a weakness in the way the updater validates the integrity and authenticity of the downloaded update file. In case an attacker is able to intercept the network traffic between the updater client and the Notepad++ update infrastructure, this weakness can be leveraged by an attacker to prompt the updater to download and executed an unwanted binary (instead of the legitimate Notepad++ update binary). Continue reading at the publisher's website.

Continue reading at the publisher's website.

2025-11-18I have been in contact with some security experts over the past 2 weeks and have identified a potential hijacking issue in WinGUp, the auto-updater developed for and used by Notepad++. This issue has been addressed in the latest release. Users are encouraged to manually download & upgrade Notepad++ using the official installer.One of most wanted features - the MSI installer - is now available. It is intended for enterprise IT deployment only and may require iterative refinement to be fully usfull. Continue reading at the publisher's website.

Continue reading at the publisher's website.

2025-10-20With this release v8.8.7 Notepad++ is now signed by a legitimate certificate issued by GlobalSign. This is a major security milestone, and it should permanently resolve all concerns regarding the authenticity and integrity of Notepad++ releases (which were present since v8.8.2, when the previous certificate expired).It’s been a challenging few months, struggling with administrative hurdles and dealing with certificate authorities to make this happen. Essentially, for an open-source project to obtain a certificate under its name, it must be recognized as a business entity. Continue reading at the publisher's website.

Continue reading at the publisher's website.

2025-10-07CVE-2025-56383 is one of the most absurd entries we’ve ever seen in the National Vulnerability Database.It’s misclassified under CWE-427: Uncontrolled Search Path Element. Yet the provided POC shows no connection to CWE-427.Notepad++ & its plugins are installed by default in the protected “Program Files” directory, requiring administrator privileges to modify. If an attacker already has those rights, they could replace any system file - so targeting a plugin is pointless. Continue reading at the publisher's website.

Continue reading at the publisher's website.

2025-08-14This release, like the previous version v8.8.3, is signed with the self-signed certificate. If your antivirus complains that the 8.8.5 version you downloaded here contains a virus or malware, this is likely a false positive. Please report it to the antivirus company.The release contains several bug fixes & enhancements. You can check the full list of improvements for version 8.8.5 and download it here: Regression and critical bug report here: https://community. Continue reading at the publisher's website.

Continue reading at the publisher's website.

2025-08-12There is a critical regression in release v8.8.4. Please use v8.8.5 instead. Continue reading at the publisher's website.