v7.3.3 - Fix CIA Hacking Notepad++ issue

  • Vault 7: CIA Hacking Tools Revealed” has been published by Wikileaks recentely, and Notepad++ is on the list.

    The issue of a hijacked DLL concerns scilexer.dll (needed by Notepad++) on a compromised PC, which is replaced by a modified scilexer.dll built by the CIA. When Notepad++ is launched, the modified scilexer.dll is loaded instead of the original one.
    It doesn’t mean that CIA is interested in your coding skill or in your sex message content, but rather it prevents raising any red flags while the DLL does data collection in the background.

    It’s not a vulnerability/security issue in Notepad++, but for remedying this issue, from this release (v7.3.3) forward, notepad++.exe checks the certificate validation in scilexer.dll before loading it. If the certificate is missing or invalid, then it just won’t be loaded, and Notepad++ will fail to launch.

    Checking the certificate of DLL makes it harder to hack. Note that once users’ PCs are compromised, the hackers can do anything on the PCs. This solution only prevents from Notepad++ loading a CIA homemade DLL. It doesn’t prevent your original notepad++.exe from being replaced by modified notepad++.exe while the CIA is controlling your PC.

    Just like knowing the lock is useless for people who are willing to go into my house, I still shut the door and lock it every morning when I leave home.
    We are in a f**king corrupted world, unfortunately.


  • As you note, if the hackers have the ability to drop a DLL into the Notepad++ application directory, they can probably do just about anything they want. They’re already on the other side of the airtight hatchway, as Raymond Chen would put it.

  • Don,
    Thank you for adding the “Improve multi-line tab: maintaining the selected tab position.” feature. That will make life easier for me. Sadly, that feature seems to have disabled the tab drag-and-drop ability when in mulit-line mode. Maintaining the rows of tabs is more important to me, but if both functions could work together, that would be great.

    Thanks also for doing the scilexer.dll fix. Regardless of how compromised the system is, I’m glad you have the pride to do everything you can to make sure it doesn’t happen in your house.


  • Wear a safety reflector and use anti-virus is all that most people need to know. Patching just 1 car has little effect on overall security.

  • Hi and thanks for all. Maybe, my problem but I see the error of SciLexer.dll starting Notepad++ 32-bit on Win 10 Pro 64-bit Anniversary Edition. Has anyone noticed the same?

  • @GlacialManYT

    What exactly is the error message?
    and do you have a SciLexer.dll in the directory where notepad++.exe has been installed?


  • C:\Program Files (x86)\Notepad++\SciLexer.dll
    CRC32: 7ffc0f72

    Certificate checking
    Check certificate of C:\Program Files (x86)\Notepad++\SciLexer.dll : Impossible to find the specified object

    Exception on WM_CREATE
    ScintillaEditView::init : SCINTILLA ERROR - can not load the dynamic library

  • @GlacialManYT

    and from where did you download notepad++?


  • https://notepad-plus-plus.org/repository/7.x/7.3.3/npp.7.3.3.Installer.exe
    CRC32: 8e15096a
    I also tried to disable AV and to install as admin

    Sorry but I’m a new user, I haven’t earned 2 reputation and I can only post once every 1200 seconds…

  • @GlacialManYT

    OK, I installed VirtualBox and loaded my aged Winodws 10 64bit VM,
    Downloaded npp7.3.3 (32bit) and installed it.
    Started npp - no problem. (The only problem is that it takes ages because of my old pc isn’t really capable of doing it.)

    So what is specific to your setup? Any ideas?


  • @GlacialManYT said:

    Certificate checking
    Check certificate of C:\Program Files (x86)\Notepad++\SciLexer.dll : Impossible to find the specified object

    It seems your SciLexer.dll in C:\Program Files (x86)\Notepad++ is not signed.
    Could you send me your SciLexer.dll to don.h@free.fr please?

  • E-Mail message sent.

  • @GlacialManYT Thank you.
    I have checked. The file (scilexer.dll) is correct.
    Could you

    1. make sure your OS is updated and restart your PC.
    2. download minimalist package both 32/64 bith version from notepad-plus-plus.org, create npp32 & npp32 under *c:\temp*, unzip both into c:\temp\npp32 & c:\temp\npp64 respectively, then give both a try?

  • Hello, Don,

    How are you ? Not too traumatized by the recent CIA Hacking issue. Thank you, for caring about our global security :-))

    Don, from the discussion, between Jean Heck, Mkupper and Claudia :


    I realized some tests. And, indeed, there is a bug, with clickable links, in the last versions of Notepad++

    To reproduce the bug :

    • Create a simple text file, named test.txt under the root C:\ of your machine

    • Start Notepad++

    • Open, first, any file, for instance, the change.log file

    • Now, in a new tab, type the single line, below :


    • Save this text file as Test_Lang.txt

    • Change the language of the Test_Lang.txt file to any language

    • Select the change.log file and, immediately, go back to the Test_Lang.txt file

    ( Note : this “switch” action allows to active the link, again ! )

    • Finally, double-click on the file://C:/test.txt link

    => I noticed that the double-click does NOT work, for the four languages ASP HTML JSP PHP, if the N++'s version is superior or equal to v7.3 !

    For all other languages, included Normal Text, the double-click DOES work and opens, as expected, the test.txt file, in Microsoft Notepad :-)

    Best Regards,


    P.S :

    • Of course, I suppose that the option Enable, in Settings… > Preferences… > MISC. > Clickable Link Settings is checked !

    • Perhaps, the reason(s) why double-click doesn’t work for the four languages ASP, HTML, JSP and PHP is(are) not the same for each of them :-((

  • I believe that enforcing the signature checking for just scilexer.dll is not enough:
    if I were a hacker, after this patching if I still want to hack a Notepad++
    I would just move to the next DLL !
    Question: why not enforce the signature checking for all the Notepad++ DLLs?

  • Hi Don, thanks for your help, I will make the test that you have suggested, as soon as possible. I take this opportunity to point out a small anomaly. When in Notepad++ several files are opened (txt, bat, cmd), if I modify or I delete any of these files, and Notepad++ is opened in background, when I switch to Notepad++ an useful window asks to me if I want to update the situation. The problem comes when I modify or I delete an opened file and, after, without switching to Notepad++, I open a file, I expect that its tab is selected, in the foreground, but, after having responded to the question of the said window, file is not pointed and I must search for it in the open tabs of Notepad++ (that generally are many). After the answer, according to me, should be selected the tab of the last opened file (or in phase of opening). Obviously, if I have modified or deleted some files, the questions are one for each file and, at the end of the answers, as said, should be selected the tab of the last opened file (or in phase of opening). That’s all, not so important but useful.

  • @guy038 @donho

    I’ve opened https://github.com/notepad-plus-plus/notepad-plus-plus/pull/3019 which solves the issue with clicking links in certain file types.

  • @donho : I have deeply uninstalled notepad++ 32-bit v7.3.3 and, after, I have cleaned the registry but the error persists. I have the same problem with all 32-bit versions ( I made a test also with this http://portableapps.com/apps/development/notepadpp_portable ). Instead, all 64-bit versions are working regularly. So, I’m using the 64-bit version also if, for now, I would prefer the 32-bit version, that supports all plug-ins. I can make a test on others Windows 10 Pro 64-bit Anniversary Edition. See you soon.

  • @GlacialManYT

    Can you run ProcMon to see what’s going on?
    Once downloaded, start it, create a filter for SciLexer.dll (Path ends with)
    make sure that (toolbar buttons) file system activity and process and thread activity
    have been pressed and start npp.
    What’s the result?


  • Thanks for your help Claudia, there was a system problem that I solved. Now all is ok.

Log in to reply