    FAQ: February Security Announcement

      PeterJones
      last edited by PeterJones

      Do Not Create a New Topic or Question

      There are too many already. It makes it harder to find the information or makes the regulars repeat themselves over and over and over and over.

      The Issue

      As originally posted in the forum here:

      Security Update - Resolution of Notepad++ Update Server Compromise
      https://notepad-plus-plus.org/news/hijacked-incident-info-update/

      Was I Affected / What Should I do

      This was answered in the immediate reply to that post, in this excellent summary by @xomx

      It was further clarified, in the immediate reply to that post, that if you are looking for technical “indicators of compromise”, then read this blog post by the investigators: https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/ (If the “indicators of compromise” are beyond anything that you or your IT group can understand and look for, the chances are slim to none that you were one of the highly-targeted victims of the malicious redirect.)

      Other Frequently Asked Questions

      But what about me specifically?

      Not likely. See the excellent summary already linked above.

      How do I clean up?

      Scan with AV software and manually install v8.9.1 (by downloading from the v8.9.1 release page on GitHub). But you should regularly be doing the first, anyway.

      What might they have stolen?

      The reports do not indicate what information they might have gotten access to. They might have been able to take information, so if you know you were affected, rotating any passwords that might have been visible during that timeframe would be wise.

      Are the binaries / executables / DLLs safe?

      The official notepad++.exe executable and the installer executables provided on GitHub were not affected by the website compromise.

      • For Notepad++ v8.8.7 and newer: If you right click on notepad++.exe, and go to Digital Signatures, the Embedded Signatures section will include NOTEPAD++, and that signature will contain a countersignature by Globalsign TSA for CodeSign1 - R6.
        • If v8.8.7 or newer does not contain that signature, download and run the most recent installer from the v8.9.1 release page on GitHub, just to be sure
      • For Notepad++ v8.8.3 - v8.8.6, it will be “self signed”. Most security experts do not trust self-signed, so the best advice: if you are not confident in how you installed those versions, download and run the most recent installer from the v8.9.1 release page on GitHub, just to be sure
      • Notepad++ v8.8.2 was not signed at all. Best advice: if you are not confident in how you installed that version, download and run the most recent installer from the v8.9.1 release page on GitHub, just to be sure
      • If you have any version older than v8.8.2 from June 2025, it is self-evident that you have not been running with the auto-updater enabled, and you don’t need to be worried, because it was only the website response to the auto-updater that was compromised

      But are they safe?

      If you have a valid v8.8.8 or newer (with v8.9.1 recommended), then the binary and the auto-update procedure are safe, as the vulnerabilities on the application side were fixed in the v8.8.8 auto-update procedure; and the website vulnerability was also fixed.

      If you are still unsure, manually re-install

      If nothing that has been said in all the linked posts nor in this FAQ has explained what you think you need: manually install using the v8.9.1 installer downloaded directly from the GitHub release page. After doing that, your Notepad++ will be the real version (as it likely has been this whole time).

      Followup Questions

      If you have a new question not yet asked and/or answered in this FAQ, please reply to Topic: autoupdater and connection to temp.sh, as that is the only discussion in this Forum about the issue that the Developer is paying attention to.

      Do Not Create a New Topic or Question

      New Topics and Questions will be Locked With a pointer to this FAQ

      There are too many already. It makes it harder to find the information or makes the regulars repeat themselves over and over and over and over. ALL followups must go in Topic: autoupdater and connection to temp.sh

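The per-version signature checks in the FAQ's "Are the binaries / executables / DLLs safe?" list can also be scripted. The PowerShell below is an added example, not part of the original post and not Notepad++ project code. It assumes the default install path and that the EXE's numeric version resource matches the release number; the signer and countersigner names are the ones given in the FAQ.

```powershell
# Added example: compare a local notepad++.exe with the FAQ's signature tiers.
param(
    # Assumed default install location; pass -Path for portable or custom installs.
    [string]$Path = "$env:ProgramFiles\Notepad++\notepad++.exe"
)

function Get-NppSignatureVerdict {
    param([Parameter(Mandatory)][string]$ExePath)

    $info = (Get-Item -LiteralPath $ExePath).VersionInfo
    # Assumption: the numeric version resource mirrors the release (8.8.7 -> 8.8.7.x).
    $ver  = [version]('{0}.{1}.{2}' -f $info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart)
    $sig  = Get-AuthenticodeSignature -LiteralPath $ExePath
    $cert = $sig.SignerCertificate          # $null when the file is unsigned
    $tsa  = $sig.TimeStamperCertificate     # $null when there is no countersignature
    $selfSigned = [bool]($cert -and $cert.Subject -eq $cert.Issuer)

    $reinstall = 'download and run the installer from the v8.9.1 release page on GitHub'
    if ($ver -ge [version]'8.8.7') {
        # Names come from the FAQ; requiring Status = Valid is an extra check added here.
        $ok = $sig.Status -eq 'Valid' -and
              $cert.Subject -like '*NOTEPAD++*' -and
              $tsa.Subject  -like '*Globalsign TSA for CodeSign1 - R6*'
        $verdict = if ($ok) { 'Signature matches what the FAQ describes for v8.8.7+' } else { "Expected signature not found: $reinstall" }
    }
    elseif ($ver -ge [version]'8.8.3') {
        $verdict = "v8.8.3 - v8.8.6 are self-signed: if unsure how this was installed, $reinstall"
    }
    elseif ($ver -eq [version]'8.8.2') {
        $verdict = "v8.8.2 was not signed at all: if unsure how this was installed, $reinstall"
    }
    else {
        $verdict = 'Older than v8.8.2: per the FAQ, the auto-updater was not in use'
    }

    [pscustomobject]@{
        Version       = $ver
        Status        = $sig.Status
        Signer        = $cert.Subject
        Countersigner = $tsa.Subject
        SelfSigned    = $selfSigned
        Verdict       = $verdict
    }
}

Get-NppSignatureVerdict -ExePath $Path | Format-List
```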