256
Well this sucks
Good thing I always ignore notepad++ updates. I mean, good on the devs for active development, but having a user-intervention-required update option every time I launch? Feels clunky.
You would prefer it automatically pull down and install malware?
I think they want them to reduce the release frequency.
Software should have version notification settings like, All, Security Only, Major Release, etc.
While I enjoy staying current, I don’t need the 2.1.3.2.1.000000023 release where someone fixes a minor bug in a niche feature that I have never used to begin with.
I'd love that. Some things I'm willing to be on beta release. Some things I just want to be invisible and silent unless there's a security problem.
Security updates are critical but otherwise, it seems like every time I "update" it breaks something I finally got working.
I mean, isn't that what Windows does anyway?
I'd obviously prefer Notepad++ didn't auto-install malware. Steam and Discord force auto-updates on every launch and do so without user intervention. I haven't knowingly been burned by either yet, but they're bigger players with more resources than Notepad++.
Anyone know if this affected updates through winget?
Last I checked the source of the winget package was github, which is the same on the official website. So I would imagine that updating via Winget is just as vulnerable. The details are super vague.
Edit: Somebody else commented that it was only auto-update that was compromised, and winget would be considered a manual update because it download from their github. So I think winget may be safe.
Dont quote me on that though, the information is still super vague and I am going off of somebody else's comment.
From their blog post, it seems the software itself and its code was unaffected, but the attack was only on the website?
Sort of. The program uses a specific part of the website for its auto update. And it also didn’t do any kinds of TLS (https) validation (which would prevent changing the destination). They also signed their installers (which would throw an error if the file had been modified) but the auto update didn’t check for a valid signature. So basically the two big things that a browser would do when you visit the site to download the installer, the auto updater just… Wasn’t doing.
So people who visited the site to manually download the installer were fine. They would have been alerted if the TLS cert was invalid or if the installer wasn’t properly signed. But if you used the auto updater, you wouldn’t get any of those errors and it would happily install the malware.
Fuck.
Anyone have an open source alternate that has commensurate features as N++
Getting increasingly paranoid about the software I allow on my devices and now that I have a self-hosted LLM, I can feed it the source code and cross-reference it on 5Gb of CVE databases I've trained it on to ensure sanitary code.
Just to be clear, N++ wasn't compromised, the shared web host running the auto update infrastructure was. They responsibly disclosed it and shared safety steps. I don't know if it is time to bail on them yet.
Sounds like manual updates were fine?
Yes, that's the current consensus. Only the auto-update infrastructure was compromised, and it was a shared hosting compromise.
Some options are atom, brackets/phoenix, lime text. I went with gVim for now.
Atom's final release was in 2022.
I just found out it was acquired and buried to promote VS Code. That's awful.
Kate.
Traffic from certain targeted users was selectively redirected to attacker-controlled malicious update manifests.
I don't want to sound dismissive, but at the same time, if you're wondering, "Does this affect me and my computer?" the answer is almost certainly "no." It's scary anyway.
I would have guessed NPP had an option to disable check-for-updates every time it starts, but I couldn't find one.
Yeah it does. It's in Settings > Preferences > Misc. There's a dropdown to disable automatic updates.
Thanks, yes, I've got "Auto-updater" set to "disable," but NPP still checks in with the mothership when it starts, and notifies the user when updates are available.
There should be a way to disable that. I swear I've disabled it before, but I don't run Windows anymore, so I can't check it.
this post was submitted on 03 Feb 2026
256 points (99.6% liked)
News
35471 readers
2680 users here now
Welcome to the News community!
Rules:
1. Be civil
Attack the argument, not the person. No racism/sexism/bigotry. Good faith argumentation only. This includes accusing another user of being a bot or paid actor. Trolling is uncivil and is grounds for removal and/or a community ban. Do not respond to rule-breaking content; report it and move on.
2. All posts should contain a source (url) that is as reliable and unbiased as possible and must only contain one link.
Obvious right or left wing sources will be removed at the mods discretion. Supporting links can be added in comments or posted seperately but not to the post body.
3. No bots, spam or self-promotion.
Only approved bots, which follow the guidelines for bots set by the instance, are allowed.
4. Post titles should be the same as the article used as source.
Posts which titles don’t match the source won’t be removed, but the autoMod will notify you, and if your title misrepresents the original article, the post will be deleted. If the site changed their headline, the bot might still contact you, just ignore it, we won’t delete your post.
5. Only recent news is allowed.
Posts must be news from the most recent 30 days.
6. All posts must be news articles.
No opinion pieces, Listicles, editorials or celebrity gossip is allowed. All posts will be judged on a case-by-case basis.
7. No duplicate posts.
If a source you used was already posted by someone else, the autoMod will leave a message. Please remove your post if the autoMod is correct. If the post that matches your post is very old, we refer you to rule 5.
8. Misinformation is prohibited.
Misinformation / propaganda is strictly prohibited. Any comment or post containing or linking to misinformation will be removed. If you feel that your post has been removed in error, credible sources must be provided.
9. No link shorteners.
The auto mod will contact you if a link shortener is detected, please delete your post if they are right.
10. Don't copy entire article in your post body
For copyright reasons, you are not allowed to copy an entire article into your post body. This is an instance wide rule, that is strictly enforced in this community.
founded 2 years ago
MODERATORS