Text only | Text with Images

Support Forum: Get Support for Patch My PC Products and Services

Commercial Products: Support for Our Enterprise Product for Microsoft ConfigMgr and Intune => Commercial/Paid Products: Support and General Questions (ConfigMgr and Intune) => Topic started by: Jared on February 02, 2026, 08:08:01 AM

Title: Notepad++ Sources During Compromised Hosting Time Period
Post by: Jared on February 02, 2026, 08:08:01 AM
Hi,

As I'm sure you all know, Notepad++ hosting was compromised during a period of time from June 2025 until November / December 2025.  From what I understand, it was the traffic to the hosting provider that was compromised.

Was PatchMyPC pulling Notepad++ from the same mechanism, or was Notepad++ pulled in a different way?  It sounds like there were no signatures to verify during that time, so I'm guessing there was nothing extra that could have been added to ensure validity.

I realize the issue was resolved and patched months ago, but my question is, are versions of Notepad++ deployed via PatchMyPC during the period the hosting provider was vulnerable, known to be safe/valid, or are those previous versions potentially compromised?  Our inventories are still showing small numbers of older versions out there from before the fix.
Title: Re: Notepad++ Sources During Compromised Hosting Time Period
Post by: Michiel (Patch My PC) on February 02, 2026, 09:36:48 AM
Hi @Jared,

Notepad++ confirmed that its update infrastructure was compromised in a targeted supply‑chain attack between June 2025 and December 2025. Investigators, including external security experts and the former hosting provider, determined that the breach occurred at the hosting provider level, not through any vulnerability in Notepad++ itself. Attackers were able to intercept and redirect update traffic intended for notepad-plus-plus.org.

Only certain targeted users were affected. Their update requests were silently redirected to attacker‑controlled servers serving malicious update manifests, meaning users could have unknowingly installed tampered binaries if they updated Notepad++ during the affected period.
Timeline highlights:


Users who updated Notepad++ between June and December 2025 are advised to ensure they are now running version 8.8.9 or later, which includes improved integrity checks to prevent similar attacks.

To summarize: it was the update servers that were compromised, and the attack is no longer active. Compromised versions were only ever delivered via the application's auto-updater to certain targeted users, and not via Patch My PC. The latest version has been hardened to prevent it reoccurring.

For more information about this, please visit:

Notepad++ Hijacked by State-Sponsored Hackers (https://notepad-plus-plus.org/news/hijacked-incident-info-update/)
Text only | Text with Images