TL;DR
According to the former hosting provider, the shared hosting server was compromised until September 2, 2025. Even after losing server access, attackers retained credentials to internal services until December 2, 2025, which allowed them to continue redirecting Notepad++ update traffic to malicious servers. The attackers specifically targeted the Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++. All remediation and security hardening were completed by the provider by December 2, 2025, successfully blocking further attacker activity.
Note on timelines: The security expert’s analysis indicates the attack ceased on November 10, 2025, while the hosting provider’s statement shows potential attacker access until December 2, 2025. Based on both assessments, I estimate the overall compromise period spanned from June through December 2, 2025, when all attacker access was definitively terminated.
To address this severe security issue, the Notepad++ website has been migrated to a new hosting provider with significantly stronger security practices.
Within Notepad++ itself, WinGup (the updater) was enhanced in v8.8.9 to verify both the certificate and the signature of the downloaded installer. Additionally, the XML returned by the update server is now signed (XMLDSig), and certificate and signature verification will be enforced starting with the upcoming v8.9.2, expected in about one month.
I deeply apologize to all users affected by this hijacking. I recommend downloading v8.9.1 (which includes the relevant security enhancement) and running the installer to update your Notepad++ manually.
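For anyone updating manually as recommended above, the following PowerShell script is an added example (not part of this post or of WinGup) that applies the same kind of check the updater now performs: it confirms the downloaded installer carries a valid Authenticode signature from the expected publisher before it is run. The `$ExpectedSubject` value is a placeholder; fill it in from the signer shown on a known-good installer obtained from the official site.

```powershell
# Added example, not code from the Notepad++ project. Verifies a manually
# downloaded installer before running it: the Authenticode signature must
# chain to a trusted root and the signer must match the expected publisher.
param(
    [Parameter(Mandatory)][string]$InstallerPath,
    # Placeholder: replace with the publisher subject of a known-good installer.
    [string]$ExpectedSubject = 'CN=<EXPECTED PUBLISHER - PLACEHOLDER>'
)

if (-not (Test-Path -Path $InstallerPath)) {
    Write-Error "File not found: $InstallerPath"
    exit 1
}

$sig = Get-AuthenticodeSignature -FilePath $InstallerPath

# Status is only 'Valid' when the signature verifies and the certificate
# chain is trusted; 'NotSigned', 'HashMismatch' and 'UnknownError' all fail here.
if ($sig.Status -ne 'Valid') {
    Write-Error "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
    exit 1
}

$signer = $sig.SignerCertificate
# A valid signature from the wrong publisher is still a red flag, so compare
# the signer subject against the expected value rather than trusting any signer.
if ($signer.Subject -ne $ExpectedSubject) {
    Write-Error "Unexpected signer: $($signer.Subject)"
    exit 1
}

# Surface the SHA-256 hash and signer thumbprint so they can be compared
# with values published alongside the release.
$hash = (Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash
Write-Output "OK: valid signature from '$($signer.Subject)'"
Write-Output "Thumbprint: $($signer.Thumbprint)"
Write-Output "SHA256:     $hash"
```

Run it as `.\Verify-Installer.ps1 -InstallerPath .\npp.installer.exe -ExpectedSubject '<subject>'`; a non-zero exit code means the installer should not be run.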
With these changes and reinforcements, I believe the situation has been fully resolved. Fingers crossed.
Edit (February 2, 2026): I’ve got a lot of emails requesting the IoC (Indicator of Compromise). I unfortunately do not have any IoCs to share. Our IR team spent a week analyzing roughly 400 GB of server logs provided by the former hosting provider. While signs of an intrusion were identified, no concrete indicators of compromise - such as binary hashes, domains, or IP addresses - were found. We also requested IoCs directly from the former hosting provider, but we were not able to obtain any.