• Welcome to Support Forum: Get Support for Patch My PC Products and Services.
 

Notepad++ Sources During Compromised Hosting Time Period

Started by Jared, February 02, 2026, 08:08:01 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions

Jared

February 02, 2026, 08:08:01 AM
Hi,

As I'm sure you all know, Notepad++ hosting was compromised during a period of time from June 2025 until November / December 2025.  From what I understand, it was the traffic to the hosting provider that was compromised.

Was PatchMyPC pulling Notepad++ from the same mechanism, or was Notepad++ pulled in a different way?  It sounds like there were no signatures to verify during that time, so I'm guessing there was nothing extra that could have been added to ensure validity.

I realize the issue was resolved and patched months ago, but my question is, are versions of Notepad++ deployed via PatchMyPC during the period the hosting provider was vulnerable, known to be safe/valid, or are those previous versions potentially compromised?  Our inventories are still showing small numbers of older versions out there from before the fix.

Michiel (Patch My PC)

#1
February 02, 2026, 09:36:48 AM
Hi @Jared,

Notepad++ confirmed that its update infrastructure was compromised in a targeted supply‑chain attack between June 2025 and December 2025. Investigators, including external security experts and the former hosting provider, determined that the breach occurred at the hosting provider level, not through any vulnerability in Notepad++ itself. Attackers were able to intercept and redirect update traffic intended for notepad-plus-plus.org.

Only certain targeted users were affected. Their update requests were silently redirected to attacker‑controlled servers serving malicious update manifests, meaning users could have unknowingly installed tampered binaries if they updated Notepad++ during the affected period.
Timeline highlights:

  • June 2025 – Attack began with infrastructure‑level compromise.
  • Nov 10, 2025 – Security experts believe the attack activity ceased.
  • Dec 2, 2025 – Hosting provider confirms attacker access ended after credential rotations and hardening.

Users who updated Notepad++ between June and December 2025 are advised to ensure they are now running version 8.8.9 or later, which includes improved integrity checks to prevent similar attacks.

To summarize: it was the update servers that were compromised, and the attack is no longer active. Compromised versions were only ever delivered via the application's auto-updater to certain targeted users, and not via Patch My PC. The latest version has been hardened to prevent it reoccurring.

For more information about this, please visit:

Notepad++ Hijacked by State-Sponsored Hackers
Print
Go Up Pages1
User actions