Notepad++ patches update chain after targeted compromise
Briefly

"The admission comes after version 8.8.9 of the text editor was released on December 9. The "hardened" version verified the signature and certificate of downloaded installers during the update process. On December 27, version 8.9 was released, which dropped the use of a self-signed certificate. The project said: "Only the legitimate certificate issued by GlobalSign is now used to sign Notepad++ release binaries. We strongly recommend that users who previously installed the self-signed root certificate remove it.""
"The incident began in June, according to Notepad++. The shared hosting service was compromised until September 2, and even after losing access, the attackers retained credentials for internal services until December 2. While investigations indicate the attack ended on November 10, Notepad++'s author wrote: "I estimate the overall compromise period spanned from June through December 2, 2025, when all attacker access was definitively terminated.""
State-sponsored attackers compromised Notepad++'s update infrastructure in 2025, redirecting certain targeted users to attacker-controlled malicious update manifests. A compromised shared hosting server gave them their foothold, and the absence of signature and certificate checks on downloaded installers in older versions meant a redirected client had no way to reject a tampered package. Version 8.8.9 (December 9) added signature and certificate verification during updates; version 8.9 (December 27) dropped the self-signed root certificate and signs release binaries only with the GlobalSign-issued certificate. The hosting compromise lasted until September 2, the attackers retained credentials for internal services until December 2, and the investigation places the last observed attacker activity on November 10. Users who installed the earlier self-signed root certificate are advised to remove it and to update to version 8.9 or later.
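The two checks a Windows user would want after reading this, as an added example that is not code from the article or from the Notepad++ project: confirm that a downloaded installer carries a valid Authenticode signature whose chain ends at a GlobalSign root, and look for any self-signed certificate naming Notepad++ that is still present in the Root stores. The installer path and the 'Notepad' subject filter are assumptions for illustration; the project has not published the self-signed root's subject name on this page, so review the matches before removing anything.

```powershell
# Added example, not from the article or the Notepad++ project.
# Installer path and the 'Notepad' subject filter are assumptions.
$InstallerPath = "$env:USERPROFILE\Downloads\npp.8.9.Installer.x64.exe"

# 1. Authenticode status of the installer itself.
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status is '$($sig.Status)' for $InstallerPath; do not run it."
    return
}

# 2. Walk the full chain so the root is inspected, not only the leaf signer.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'   # needs network; use 'NoCheck' offline
$built = $chain.Build($sig.SignerCertificate)
$root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

"Signer : $($sig.SignerCertificate.Subject)"
"Root   : $($root.Subject)"
if (-not $built -or $root.Subject -notmatch 'GlobalSign') {
    Write-Warning "Chain did not build to a GlobalSign root; treat this installer as suspect."
}

# 3. A self-signed root has Subject equal to Issuer. List any such entries in the
#    user and machine Root stores that mention Notepad++ (assumed subject text).
foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
    Get-ChildItem $store |
        Where-Object { $_.Subject -eq $_.Issuer -and $_.Subject -match 'Notepad' } |
        ForEach-Object {
            "Self-signed root in ${store}: $($_.Subject) thumbprint $($_.Thumbprint)"
            # After review, remove it (LocalMachine requires an elevated prompt):
            # Remove-Item -Path "$store\$($_.Thumbprint)"
        }
}
```

A 'Valid' status from Get-AuthenticodeSignature only says the file's signature chains to some trusted root; the chain walk is what distinguishes the GlobalSign-issued certificate from a leftover self-signed root that an older installer may have added to the store.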
Read at Theregister