<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[Security]]></title><description><![CDATA[Security shouldn&#x27;t be the privilege of rich people]]></description><link>https://community.notepad-plus-plus.org/category/9</link><generator>RSS for Node</generator><lastBuildDate>Mon, 15 Jun 2026 20:40:20 GMT</lastBuildDate><atom:link href="https://community.notepad-plus-plus.org/category/9.rss" rel="self" type="application/rss+xml"/><pubDate>Tue, 21 Apr 2026 23:14:40 GMT</pubDate><ttl>60</ttl><item><title><![CDATA[autoupdater and XMLDSig]]></title><description><![CDATA[I have checked out the https://github.com/donho/xmlSigner project and it is what I needed. I have used that project to correctly pass the XML signing test. I have opened some issues with that project.
Here is a quick summary of how the update process works. The wingup code first queries a website to determine if an update is required and the returned XML provides information to be used later. None of the information in the XML is used if it doesn’t pass the XML security check. After passing the security check the code looks for the update status and download location, assuming an update is required. After prompting the user to download the update and finishing the download, it checks the code signing of the installer. Assuming that the code signing is valid and the correct certificate, it starts the install.
I will try to document all the customizations to the code from Notepad++, wingup and xmlSigner to make it work in my project so that future users have a place to start, but that will be after I am sure it’s all working correctly with the new security updates.
Thank you @xomx for pointing me in the right direction.
]]></description><link>https://community.notepad-plus-plus.org/topic/27506/autoupdater-and-xmldsig</link><guid isPermaLink="true">https://community.notepad-plus-plus.org/topic/27506/autoupdater-and-xmldsig</guid><dc:creator><![CDATA[scottgshin]]></dc:creator><pubDate>Tue, 21 Apr 2026 23:14:40 GMT</pubDate></item><item><title><![CDATA[Libcurl in update is version 8.15.0, which is flagged with CVE-2025-14819 &#x2F; CVE-2025-14017, but the GUP uses version 8.19.0?]]></title><description><![CDATA[@xomx
Thank you for pinging!
https://github.com/notepad-plus-plus/notepad-plus-plus/commit/2c1abe0784543e78dbba0f259b0948cf3a08b8cb
]]></description><link>https://community.notepad-plus-plus.org/topic/27493/libcurl-in-update-is-version-8-15-0-which-is-flagged-with-cve-2025-14819-cve-2025-14017-but-the-gup-uses-version-8-19-0</link><guid isPermaLink="true">https://community.notepad-plus-plus.org/topic/27493/libcurl-in-update-is-version-8-15-0-which-is-flagged-with-cve-2025-14819-cve-2025-14017-but-the-gup-uses-version-8-19-0</guid><dc:creator><![CDATA[donho]]></dc:creator><pubDate>Wed, 15 Apr 2026 09:23:22 GMT</pubDate></item><item><title><![CDATA[Harmandeep Singh Kandhari - Enhancing Plugin Security and Preventing Malicious Code Execution]]></title><description><![CDATA[@Coises
Thank you, Coises, for your helpful reply. I truly appreciate your support and guidance.
Regards,
Harmandeep Singh Kandhari
]]></description><link>https://community.notepad-plus-plus.org/topic/27417/harmandeep-singh-kandhari-enhancing-plugin-security-and-preventing-malicious-code-execution</link><guid isPermaLink="true">https://community.notepad-plus-plus.org/topic/27417/harmandeep-singh-kandhari-enhancing-plugin-security-and-preventing-malicious-code-execution</guid><dc:creator><![CDATA[harmansinghdeepkandhari]]></dc:creator><pubDate>Tue, 17 Feb 2026 06:54:13 GMT</pubDate></item><item><title><![CDATA[FAQ: February Security Announcement]]></title><description><![CDATA[Updates with new clarifications from this comment:
Target Information
Kaspersky only saw evidence of victims’ IP addresses in Vietnam, El Salvador, Australia and the Philippines, and noted, “We observed three different infection chains overall, designed to attack about a dozen machines…”.
Thus, it wasn’t just “targeted” – out of all the update attempts that would have happened during the June to December timeframe, it appears there were only a dozen victims: everyone else got a normal, unaffected update, with no malicious payload.
Obvious Side-effect: Notepad++ Not Actually Updated after “Update”
When the attackers redirected victims, the victims got “updaters” which did nothing to notepad++.exe.  If every time that automatic updates ran, you saw Notepad++ actually updated, you were not one of the victims.
In case the user runs Notepad++ updater, if the version remains exactly the same after the attempted update, the user can check %LOCALAPPDATA%\Notepad++\log\securityError.log to see what happened &amp; report it.
]]></description><link>https://community.notepad-plus-plus.org/topic/27388/faq-february-security-announcement</link><guid isPermaLink="true">https://community.notepad-plus-plus.org/topic/27388/faq-february-security-announcement</guid><dc:creator><![CDATA[PeterJones]]></dc:creator><pubDate>Wed, 04 Feb 2026 21:17:29 GMT</pubDate></item><item><title><![CDATA[I am very confused about the Notepad++ security issue]]></title><description><![CDATA[See the FAQ, which has the best summary I can make, as of 2026-Feb-04; if new information is available, the FAQ will be updated.  ALL followups/discussions must go in Topic: autoupdater and connection to temp.sh.  This tangent is LOCKED.
]]></description><link>https://community.notepad-plus-plus.org/topic/27387/i-am-very-confused-about-the-notepad-security-issue</link><guid isPermaLink="true">https://community.notepad-plus-plus.org/topic/27387/i-am-very-confused-about-the-notepad-security-issue</guid><dc:creator><![CDATA[PeterJones]]></dc:creator><pubDate>Wed, 04 Feb 2026 20:16:11 GMT</pubDate></item><item><title><![CDATA[Were the binaries released on GitHub affected in the Notepad++ state-sponsored hacking incident?]]></title><description><![CDATA[See the FAQ, which has the best summary I can make, as of 2026-Feb-04; if new information is available, the FAQ will be updated.  ALL followups/discussions must go in Topic: autoupdater and connection to temp.sh.  This tangent is LOCKED.
]]></description><link>https://community.notepad-plus-plus.org/topic/27386/were-the-binaries-released-on-github-affected-in-the-notepad-state-sponsored-hacking-incident</link><guid isPermaLink="true">https://community.notepad-plus-plus.org/topic/27386/were-the-binaries-released-on-github-affected-in-the-notepad-state-sponsored-hacking-incident</guid><dc:creator><![CDATA[PeterJones]]></dc:creator><pubDate>Wed, 04 Feb 2026 07:57:46 GMT</pubDate></item><item><title><![CDATA[Chinese compromise began as early as NP++ v8.6.9]]></title><description><![CDATA[Future readers: if you want more information for the context of this discussion, See the FAQ, which has the best summary I can make, as of 2026-Feb-04; if new information is available, the FAQ will be updated.  ALL followups/discussions must go in Topic: autoupdater and connection to temp.sh.  This tangent is LOCKED.
]]></description><link>https://community.notepad-plus-plus.org/topic/27383/chinese-compromise-began-as-early-as-np-v8-6-9</link><guid isPermaLink="true">https://community.notepad-plus-plus.org/topic/27383/chinese-compromise-began-as-early-as-np-v8-6-9</guid><dc:creator><![CDATA[PeterJones]]></dc:creator><pubDate>Tue, 03 Feb 2026 13:08:38 GMT</pubDate></item><item><title><![CDATA[notepad-plus-plus.org should be added to the HSTS preload list]]></title><description><![CDATA[@Ilhan-Yumer ,
The developer does not read most posts in this Forum.  If you would like to suggest such a move to the developer, I would recommend creating a new Issue at GitHub requesting it (https://github.com/notepad-plus-plus/notepad-plus-plus/issues).
]]></description><link>https://community.notepad-plus-plus.org/topic/27381/notepad-plus-plus-org-should-be-added-to-the-hsts-preload-list</link><guid isPermaLink="true">https://community.notepad-plus-plus.org/topic/27381/notepad-plus-plus-org-should-be-added-to-the-hsts-preload-list</guid><dc:creator><![CDATA[PeterJones]]></dc:creator><pubDate>Mon, 02 Feb 2026 23:19:45 GMT</pubDate></item><item><title><![CDATA[Advices to prevent further security vulnerabilities]]></title><description><![CDATA[
BTW:

5.1-if your home internet speed is fast enough, set up your own web server on your PC under VirtualBox (in case of web server software CVEs/RCEs). I or anyone can help with that. Don’t forget to harden the server for security.

IMO, this is BAD advice.  To suggest to a non-security specialist who runs this as a hobby, that he should self-host, and try to keep up on all the security hardening, is asking him to get hacked even worse than the hack that already happened.  He was literally paying a host to provide such services, and the professionals failed; he has now changed providers to a host who has better security procedures.

Believe me, it’s not that hard to set up a web server or harden it, especially while backed by a strong community. The risks are different between hosting at home and hosting remotely. The hosting firm may be offered money to hijack, or out-of-date hosting management software with an RCE was waiting to be abused.
]]></description><link>https://community.notepad-plus-plus.org/topic/27380/advices-to-prevent-further-security-vulnerabilities</link><guid isPermaLink="true">https://community.notepad-plus-plus.org/topic/27380/advices-to-prevent-further-security-vulnerabilities</guid><dc:creator><![CDATA[Nppenjoyr]]></dc:creator><pubDate>Mon, 02 Feb 2026 19:30:41 GMT</pubDate></item><item><title><![CDATA[Help needed - Forensic extractor result analyzing]]></title><description><![CDATA[@xomx said in Help needed - Forensic extractor result analyzing:

@donho
What is that for (is it for specific HW, OS or network analysis)?

Ubuntu on a VPS

Fullname of the forensic SW

“Forensic Extractor”

ballpoint.fr

It’s rather to analyze the results to make sure if anything is OK. Note the VPS is only for the wingup.org, whereas notepad-plus-plus.org is on a sharing hosting service.
Thank you for the ref
I will check this company.
]]></description><link>https://community.notepad-plus-plus.org/topic/27330/help-needed-forensic-extractor-result-analyzing</link><guid isPermaLink="true">https://community.notepad-plus-plus.org/topic/27330/help-needed-forensic-extractor-result-analyzing</guid><dc:creator><![CDATA[donho]]></dc:creator><pubDate>Tue, 30 Dec 2025 04:04:51 GMT</pubDate></item><item><title><![CDATA[autoupdater and connection temp.sh]]></title><description><![CDATA[@donho ,
Thanks for the verification, and sorry for the late response, I came down really sick that night for about a 5 day period after posting this, and am just getting back into the swing of things. Just wanted to make sure we didn’t need to be redundant about that process.  Thanks again for the clarification.
]]></description><link>https://community.notepad-plus-plus.org/topic/27212/autoupdater-and-connection-temp-sh</link><guid isPermaLink="true">https://community.notepad-plus-plus.org/topic/27212/autoupdater-and-connection-temp-sh</guid><dc:creator><![CDATA[Lycan Thrope]]></dc:creator><pubDate>Thu, 23 Oct 2025 18:53:02 GMT</pubDate></item><item><title><![CDATA[libcurl &lt; 8.14.1 CVE-2025-5399]]></title><description><![CDATA[@Pulp-Sendo
Already fixed for the upcoming N++ v8.8.6.
]]></description><link>https://community.notepad-plus-plus.org/topic/27173/libcurl-8-14-1-cve-2025-5399</link><guid isPermaLink="true">https://community.notepad-plus-plus.org/topic/27173/libcurl-8-14-1-cve-2025-5399</guid><dc:creator><![CDATA[xomx]]></dc:creator><pubDate>Tue, 07 Oct 2025 05:05:17 GMT</pubDate></item><item><title><![CDATA[Notepad++ DLL Hijacking Vulnerability (CVE-2025-56383)]]></title><description><![CDATA[https://notepad-plus-plus.org/news/v886-released/
]]></description><link>https://community.notepad-plus-plus.org/topic/27160/notepad-dll-hijacking-vulnerability-cve-2025-56383</link><guid isPermaLink="true">https://community.notepad-plus-plus.org/topic/27160/notepad-dll-hijacking-vulnerability-cve-2025-56383</guid><dc:creator><![CDATA[donho]]></dc:creator><pubDate>Wed, 01 Oct 2025 18:36:49 GMT</pubDate></item><item><title><![CDATA[notepad++ flagged as malicious, should i worry?]]></title><description><![CDATA[@xomx Thanks for your input, the analysis does seem to be a bit on the… overly cautious or paranoid side.
Maybe it’s time to find a new resource for risk analysis!
]]></description><link>https://community.notepad-plus-plus.org/topic/27106/notepad-flagged-as-malicious-should-i-worry</link><guid isPermaLink="true">https://community.notepad-plus-plus.org/topic/27106/notepad-flagged-as-malicious-should-i-worry</guid><dc:creator><![CDATA[Zhane Hernandez]]></dc:creator><pubDate>Wed, 27 Aug 2025 03:41:08 GMT</pubDate></item><item><title><![CDATA[Certificate install location]]></title><description><![CDATA[UPDATE: With the release of v8.8.7, Notepad++ is once again signed by a GlobalSign-issued certificate, as well as the Notepad++ self-signed certificate.
The above instructions are still appropriate for confirming the self-signed certificate, but with the GlobalSign-issued certificate, the procedure is not as critical.
]]></description><link>https://community.notepad-plus-plus.org/topic/27028/certificate-install-location</link><guid isPermaLink="true">https://community.notepad-plus-plus.org/topic/27028/certificate-install-location</guid><dc:creator><![CDATA[PeterJones]]></dc:creator><pubDate>Wed, 23 Jul 2025 14:45:39 GMT</pubDate></item><item><title><![CDATA[File empty after opening it as Adminitrator]]></title><description><![CDATA[@podlipom51-podlipom51 said in File empty after opening it as Adminitrator:

I was unable to save file. Suggested to open as Administrator after accepting my file is empty. It is very important file for me what to do?

Where were you trying to save the file?  To somewhere in c:\program files\ or c:\windows or similarly protected area?  Or were you trying to save to a normal writeable directory on your machine’s local drive?  Or a mounted network drive?  Because it only suggests Administrator if it gets a “permission denied” error when you try to write the file.

after accepting my file is empty. It is very important file for me what to do?

Bummer.  Unfortunately, if you already restarted Notepad++, and it didn’t have the Settings &gt; Preferences &gt; Backup set to take “session snapshots and periodic backups”, your unsaved changes were never written to disk anywhere.  As soon as Notepad++ exited, those bits were removed from active memory, and were lost.  Since the files were likely never written to disk, I doubt that an external file-recovery utility like Recuva would work for you, but you might try directing such at the `c:\users\&lt;username&gt;\AppData\Roaming\Notepad++\backup` directory.
See our FAQ on backups for more details about how the Notepad++ backup settings work, how the AutoSave plugin can help improve things, and best-practice suggestions for avoiding data loss in the future.
Also, I think one of the frequent contributors is actively working on a solution to have Notepad++ be able to get UAC permission for a file-save without needing to restart the application – such a feature would definitely help in your case.  Unfortunately, I’ve spent the last few minutes trying to find the Issue or PR where that was being discussed, and haven’t found it yet.
]]></description><link>https://community.notepad-plus-plus.org/topic/27020/file-empty-after-opening-it-as-adminitrator</link><guid isPermaLink="true">https://community.notepad-plus-plus.org/topic/27020/file-empty-after-opening-it-as-adminitrator</guid><dc:creator><![CDATA[PeterJones]]></dc:creator><pubDate>Fri, 18 Jul 2025 10:29:22 GMT</pubDate></item><item><title><![CDATA[Digital certificate for open source projects]]></title><description><![CDATA[UPDATE: With the release of v8.8.7, Notepad++ is once again signed by a GlobalSign-issued certificate, as well as the Notepad++ self-signed certificate.
]]></description><link>https://community.notepad-plus-plus.org/topic/27019/digital-certificate-for-open-source-projects</link><guid isPermaLink="true">https://community.notepad-plus-plus.org/topic/27019/digital-certificate-for-open-source-projects</guid><dc:creator><![CDATA[PeterJones]]></dc:creator><pubDate>Thu, 17 Jul 2025 12:19:02 GMT</pubDate></item><item><title><![CDATA[Mc afee détecte également un virus sur la version 8.8.2 64 bits.]]></title><description><![CDATA[@Joël-PLANCHAT ,
False Positive caused because there is no certificate:
KNOWN ISSUE: https://community.notepad-plus-plus.org/topic/26978/known-issue-the-digital-certificate-is-not-available-in-version-8-8-2
–
UPDATE: With the release of v8.8.7, Notepad++ is once again signed by a GlobalSign-issued certificate, as well as the Notepad++ self-signed certificate.
]]></description><link>https://community.notepad-plus-plus.org/topic/26985/mc-afee-détecte-également-un-virus-sur-la-version-8-8-2-64-bits</link><guid isPermaLink="true">https://community.notepad-plus-plus.org/topic/26985/mc-afee-détecte-également-un-virus-sur-la-version-8-8-2-64-bits</guid><dc:creator><![CDATA[PeterJones]]></dc:creator><pubDate>Thu, 03 Jul 2025 12:14:07 GMT</pubDate></item><item><title><![CDATA[KNOWN ISSUE: The digital certificate is not available in version 8.8.2.]]></title><description><![CDATA[UPDATE: With the release of v8.8.7, Notepad++ is once again signed by a GlobalSign-issued certificate, as well as the Notepad++ self-signed certificate.
]]></description><link>https://community.notepad-plus-plus.org/topic/26978/known-issue-the-digital-certificate-is-not-available-in-version-8-8-2</link><guid isPermaLink="true">https://community.notepad-plus-plus.org/topic/26978/known-issue-the-digital-certificate-is-not-available-in-version-8-8-2</guid><dc:creator><![CDATA[PeterJones]]></dc:creator><pubDate>Tue, 01 Jul 2025 12:03:40 GMT</pubDate></item><item><title><![CDATA[Security of Legacy Notepad++ Versions (CVE-2025-49144)]]></title><description><![CDATA[@Bhaalthazar said in Security of Legacy Notepad++ Versions (CVE-2025-49144):

patching older vulnerable versions

It could be fun, now without the public CA cert available…
]]></description><link>https://community.notepad-plus-plus.org/topic/26977/security-of-legacy-notepad-versions-cve-2025-49144</link><guid isPermaLink="true">https://community.notepad-plus-plus.org/topic/26977/security-of-legacy-notepad-versions-cve-2025-49144</guid><dc:creator><![CDATA[xomx]]></dc:creator><pubDate>Tue, 01 Jul 2025 06:09:53 GMT</pubDate></item><item><title><![CDATA[Notepad v8.8.2 32-bit installer: virus or malware detected]]></title><description><![CDATA[@Tavi ,
As far as I can tell, they were unrelated.  Scanners such as VirusTotal look at the executable itself, and last year were being triggered by the lack of signing and the self-signing of the executable.

please confirm if this issue is related to the notepad++ hijack news dated 2nd Feb 2026?

The issue you are referring to, as linked here and described in detail here specifically said,

the compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself.

This was a website hack, and VirusTotal and other such AV scans do not detect website hacks, as far as I understand them.

See the FAQ, which has the best “table of contents” for the website hack.  ALL related followups/discussions must go in Topic: autoupdater and connection to temp.sh.
]]></description><link>https://community.notepad-plus-plus.org/topic/26976/notepad-v8-8-2-32-bit-installer-virus-or-malware-detected</link><guid isPermaLink="true">https://community.notepad-plus-plus.org/topic/26976/notepad-v8-8-2-32-bit-installer-virus-or-malware-detected</guid><dc:creator><![CDATA[PeterJones]]></dc:creator><pubDate>Mon, 30 Jun 2025 19:54:37 GMT</pubDate></item><item><title><![CDATA[Lock file]]></title><description><![CDATA[Here’s my reply:
https://github.com/notepad-plus-plus/notepad-plus-plus/issues/16638#issuecomment-2947240947
]]></description><link>https://community.notepad-plus-plus.org/topic/26926/lock-file</link><guid isPermaLink="true">https://community.notepad-plus-plus.org/topic/26926/lock-file</guid><dc:creator><![CDATA[donho]]></dc:creator><pubDate>Thu, 05 Jun 2025 20:23:38 GMT</pubDate></item><item><title><![CDATA[Fighting Malicious Ads on Download Pages]]></title><description><![CDATA[@MarcCMcC said in Fighting Malicious Ads on Download Pages:

There are definitely still giant, green “Download” button ads:

Posting screenshots here isn’t helpful, at this point.
And it is better if you just email the malicious links directly to don.h@free.fr, as has been said repeatedly in this discussion.
–
I am locking this thread, as there isn’t anything new to say about this topic
–
If you came here to report a malicious/dangerous download link (and NOTE: not all ads with “download” are malicious or dangerous), then
e-mail the URLs for malicious or dangerous advertising links on that page directly to don.h@free.fr
]]></description><link>https://community.notepad-plus-plus.org/topic/26920/fighting-malicious-ads-on-download-pages</link><guid isPermaLink="true">https://community.notepad-plus-plus.org/topic/26920/fighting-malicious-ads-on-download-pages</guid><dc:creator><![CDATA[PeterJones]]></dc:creator><pubDate>Sun, 01 Jun 2025 11:27:21 GMT</pubDate></item><item><title><![CDATA[Limit the list of plugins employees can install.]]></title><description><![CDATA[@Emmanuel-Meekers
AFAIK there is no technical means to limit the number of plugins a user is able to install. You can only remove the capability to install plugins at all.
You could do a survey of which plugins your employees need. There can be different needs, e.g. technical staff likely needs other plugins than employees that are more involved in administrative tasks. Then you can install these plugins on the employee’s machines.
After that you need to rename or delete &lt;install-directory&gt;\updater\GUP.exe to prevent users from installing any other plugins. As long as your employees don’t have admin access to Notepad++'s install directory, they are not able to revert these changes.
The disadvantage is that your users neither will be able to update Notepad++ itself nor the installed plugins. This is something your ICT department has to do.
]]></description><link>https://community.notepad-plus-plus.org/topic/26166/limit-the-list-of-plugins-employees-can-install</link><guid isPermaLink="true">https://community.notepad-plus-plus.org/topic/26166/limit-the-list-of-plugins-employees-can-install</guid><dc:creator><![CDATA[dinkumoil]]></dc:creator><pubDate>Tue, 01 Oct 2024 06:34:40 GMT</pubDate></item><item><title><![CDATA[Does NP++ Mini-Portable cache or save files on host system when run from USB stick]]></title><description><![CDATA[@Alan-Kilborn So where should this be discussed then?
I would greatly appreciate if anyone did know of some little FOSS tool/script like I mentioned, more reliable than what I’ve hacked together, to help me secure my friend’s cyber security.
Can people here DM me suggestions?
If there was a discord this could be spun off into a thread.
I’m not sure if it matters to anyone but the suggestions and discussion so far have been really helpful and spot on solving the problem which I’m still using NPP for BTW (such as displaying instructions as we just discussed).
For some perspective, the person I’m trying to help recently lost 7kg in just over a week due to stress and worry from being targeted and harassed by some hacker/scammer that’s been messing with them, trying to take accounts etc for a while now.
I agree it’s not strictly on topic and I don’t expect to discuss this here, it’s just without at least giving a way to continue the discussion elsewhere, given the fact that it’s still directly addressing the goal I initially stated, and the potential consequences to people, it seems kinda callous to just stomp on it like we’re posting cat memes.
So how and where should this be continued, or is that irrelevant?
]]></description><link>https://community.notepad-plus-plus.org/topic/26112/does-np-mini-portable-cache-or-save-files-on-host-system-when-run-from-usb-stick</link><guid isPermaLink="true">https://community.notepad-plus-plus.org/topic/26112/does-np-mini-portable-cache-or-save-files-on-host-system-when-run-from-usb-stick</guid><dc:creator><![CDATA[Nommy]]></dc:creator><pubDate>Fri, 13 Sep 2024 10:39:33 GMT</pubDate></item></channel></rss>