<![CDATA[FAQ: February Security Announcement]]>Do Not Create a New Topic or Question

There are too many already. It makes it harder to find the information or makes the regulars repeat themselves over and over and over and over.

The Issue

As originally posted in the forum here:

Security Update - Resolution of Notepad++ Update Server Compromise
https://notepad-plus-plus.org/news/hijacked-incident-info-update/

Was I Affected / What Should I do

This was answered in the immediate reply to that post, in this excellent summary by @xomx

It was further clarified, in the immediate reply to that post, that if you are looking for technical “indicators of compromise”, then read this blog post by the investigators: https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/ (If the "indicators of compromise are beyond anything that you or your IT group can understand and look for, the chances are slim to none that you were one of the highly-targeted victims of the malicious redirect.)

Other Frequently Asked Questions

But what about me specifically?

Not likely. See the excellent summary already linked above.

How do I clean up?

Scan with AV software and manually installing the v8.9.1 (by downloading from the v8.9.1 release page on GitHub). But you should regularly be doing the first, anyway.

What might they have stolen

The reports do not indicate what information they might have gotten access to. They might have been able to take information, so if you know you were affected, rotating any passwords that might have been visible during that timeframe would be wise.

Are the binaries / executables / DLLs safe?

The official notepad++.exe executable and the installer executables provided on GitHub were not affected by the website compromise.

  • For Notepad++ v8.8.7 and newer: If you right click on notepad++.exe, and go to Digital Signatures, the Embedded Signatures section will include NOTEPAD++, and that signature will contain a countersignature by Globalsign TSA for CodeSign1 - R6.
  • For Notepad++ v8.8.3 - v8.8.6, it will be “self signed”. Most security experts do not trust self-signed, so the best advice: if you are not confident in how you installed those versions, download and run the most recent installer from the v8.9.1 release page on GitHub, just to be sure
  • Notepad++ v8.8.2 was not signed at all. Best advice: if you are not confident in how you installed that versions, download and run the most recent installer from the v8.9.1 release page on GitHub, just to be sure
  • If you have any version older than v8.8.2 from June 2025, it is self-evident that you have not been running with the auto-updater enabled, and you don’t need to be worried, because it was only the website response to the auto-updater that was compromised

But are they safe?

If you have a valid v8.8.8 or newer (with v8.9.1 recommended), then the binary and the auto-update procedure are safe, as the vulnerabilities on the application side were fixed in the v8.8.8 auto-update procedure; and the website vulnerability was also fixed.

If you are still unsure, manually re-install

If nothing that has been said in all the linked posts nor in this FAQ have explained what you think you need: manually install using the v8.9.1 installer downloaded directly from the GitHub release page. After doing that, your Notepad++ will be the real version (as it likely has been this whole time).

Followup Questions

If you have a new question not yet asked and/or answered in this FAQ, please reply to Topic: autoupdater and connection to temp.sh, as that is the only discussion in this Forum about the issue that the Developer is paying attention to.

Do Not Create a New Topic or Question

New Topics and Questions will be Locked With a pointer to this FAQ

There are too many already. It makes it harder to find the information or makes the regulars repeat themselves over and over and over and over. ALL followups must go in Topic: autoupdater and connection to temp.sh

]]>https://community.notepad-plus-plus.org/topic/27388/faq-february-security-announcementRSS for NodeSun, 10 May 2026 10:36:19 GMTWed, 04 Feb 2026 21:17:29 GMT60<![CDATA[Reply to FAQ: February Security Announcement on Sat, 07 Feb 2026 19:51:28 GMT]]>Updates with new clarifications from this comment:

Target Information

Kaspersky only saw evidence of victims IP addresses in Vietnam, El Salvador, Australia and the Philippines, and noted, “We observed three different infection chains overall, designed to attack about a dozen machines…”.

Thus, it wasn’t just “targeted” – out of all the update attempts that would have happened during the June to December timeframe, it appears there were only a dozen victims: everyone else got a normal, unaffected update, with no malicious payload.

Obvious Side-effect: Notepad++ Not Actually Updated after “Update”

When the attackers redirected victims, the victims got “updaters” which did nothing to notepad++.exe. If every time that automatic updates ran, you saw Notepad++ actually updated, you were not one of the victims.

In case the user runs Notepad++ updater, if the version remains exactly the same after the attempted update, the user can check %LOCALAPPDATA%\Notepad++\log\securityError.log to see what happened & report it.

]]>https://community.notepad-plus-plus.org/post/104681https://community.notepad-plus-plus.org/post/104681Sat, 07 Feb 2026 19:51:28 GMT<![CDATA[Reply to FAQ: February Security Announcement on Fri, 06 Feb 2026 18:08:31 GMT]]>Clarification

Since people still don’t seem to get it, despite all these, I will try to boil it down more.

This was not some wide net, where they were trying to attack as many as they could. It was highly targeted, with only a very small number of targets.

Are you a member of a high-value organization that might reasonably be targeted by a nation-state?

If you know you are, then you need to have your IT follow the technical links from above, because they will be able to understand the “indicators of compromise”

If you are unsure if you are a member of such a team, you probably are not. But the following can help you clarify:

  • Is the team you are a part of outspoken in its criticism or opposition to one or more aggressive nation-states, especially if it’s mentioned in the announcements?
  • Are you an individual user who is outspoken in your criticism or opposition to one or more aggressive nation-states, especially if it’s mentioned in the announcements?

If your answer to either of those is NO, then you are not a member of a high-value organization.

If you are not a member of a high-value organization

The next steps are easy: run a virus/malware scanner, then install v8.9.1 from official sources, as described in How do I clean up, above.

Short Version: Don’t Overthink This

If you or your team is outspoken against the nation-state mentioned, or you know that your team is a high-value organization to such a nation-state, find the person on your team who is the IT security expert, and have them look for the indicators of compromise. If you are uncertain, then you almost certainly weren’t the target; but if you have an IT department, they can still look for indicators of compromise.

Either way, the next steps are the same: run a virus/malware scanner, then manually install the newest version, and you will be safe going forward.

]]>https://community.notepad-plus-plus.org/post/104657https://community.notepad-plus-plus.org/post/104657Fri, 06 Feb 2026 18:08:31 GMT<![CDATA[Reply to FAQ: February Security Announcement on Thu, 05 Feb 2026 03:39:47 GMT]]>Important Clarification: Notepad++ Security Incident (Indicators of Compromise provided by our former hosting provider is included):
https://notepad-plus-plus.org/news/clarification-security-incident/

]]>https://community.notepad-plus-plus.org/post/104620https://community.notepad-plus-plus.org/post/104620Thu, 05 Feb 2026 03:39:47 GMT