Backdoor in Notepad++

Hackers associated with the Chinese government used a Trojaned version of Notepad++ to deliver malware to selected users.

Notepad++ said that officials with the unnamed provider hosting the update infrastructure consulted with incident responders and found that it remained compromised until September 2. Even then, the attackers maintained credentials to the internal services until December 2, a capability that allowed them to continue redirecting selected update traffic to malicious servers. The threat actor “specifically targeted Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++.” Event logs indicate that the hackers tried to re-exploit one of the weaknesses after it was fixed but that the attempt failed.

Make sure you’re running at least version 8.9.1.

Posted on February 5, 2026 at 7:00 AM | 4 Comments

Comments

Q February 5, 2026 7:17 AM

So the “auto-update to stay protected” claims are false. It becomes “auto-update to expose yourself to risk”. I thought everyone had learned this after Microsoft shit the bed with the Windows 7 “Security” updates that were ads for Windows 10.

No thanks. I’ll download what I need, verify it does what I need without any “bonus” functionality, and keep it like that; no updates required.

Besides, notepad++ is a text editor, what does it need updates for? Apparently it needs them to download exploits.

I have a firewall in my setup that blocks everything by default. Both incoming and outgoing. Even the kernel can’t update the clock with NTP. Only the browser gets to see the outside world, and then only from inside a VM. So good luck to any app that tries to “phone home”, or remotely download unvetted code to install.

Ulf Dittmer February 5, 2026 8:34 AM

@wiredog

To some degree – IMO it says more about the security of AquaRay’s hosting arrangements than about the people behind Notepad++: the notepad-plus-plus.org web site got hacked, not the app.


Sidebar photo of Bruce Schneier by Joe MacInnis.