=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN102
_____________________________________________________________________

DATE                : 02/02/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Notepad++ versions prior to 8.9.2.

=====================================================================
https://notepad-plus-plus.org/news/hijacked-incident-info-update/
https://notepad-plus-plus.org/news/v889-released/
_____________________________________________________________________

Notepad++ Hijacked by State-Sponsored Hackers

2026-02-02

Following the security disclosure published in the v8.8.9 announcement
https://notepad-plus-plus.org/news/v889-released/
the investigation has continued in collaboration with external experts
and with the full involvement of my (now former) shared hosting
provider.

According to the analysis provided by the security experts, the attack
involved infrastructure-level compromise that allowed malicious actors
to intercept and redirect update traffic destined for
notepad-plus-plus.org. The exact technical mechanism remains under
investigation, though the compromise occurred at the hosting provider
level rather than through vulnerabilities in Notepad++ code itself.
Traffic from certain targeted users was selectively redirected to
attacker-controlled servers that served malicious update manifests.

The incident began in June 2025. Multiple independent security
researchers have assessed that the threat actor is likely a Chinese
state-sponsored group, which would explain the highly selective
targeting observed during the campaign.

An incident-response (IR) plan was proposed by the security expert,
and I facilitated direct communication between the hosting provider
and the IR team. After the IR team engaged with the provider and
reviewed the situation, I received the following detailed statement
from the provider:


Dear Customer,
We want to further update you following the previous communication
with us about your server compromise and further investigation with
your incident response team.

We discovered the suspicious events in our logs, which indicate that
the server (where your application
https://notepad-plus-plus.org/update/getDownloadUrl.php was hosted
until the 1st of December, 2025) could have been compromised.

As a precautionary measure, we immediately transferred all clients’
web hosting subscriptions from this server to a new server and
continued our further investigation.


Here are the key finding points:
1. The shared hosting server in question was compromised until the
2nd of September, 2025. On this particular date, the server had
scheduled maintenance where the kernel and firmware were updated.
After this date, we could not identify any similar patterns in logs,
and this indicates that bad actors have lost access to the server.
We also find no evidence of similar patterns on any other shared
hosting servers.

2. Even though the bad actors have lost access to the server from
the 2nd of September, 2025, they maintained the credentials of our
internal services existing on that server until the 2nd of
December, which could have allowed the malicious actors to
redirect some of the traffic going to
https://notepad-plus-plus.org/getDownloadUrl.php to their own
servers and return the updates download URL with compromised updates.

3. Based on our logs, we see no other clients hosted on this
particular server being targeted. The bad actors specifically
searched for https://notepad-plus-plus.org/ domain with the goal
to intercept the traffic to your website, as they might know the
then-existing Notepad++ vulnerabilities related to insufficient
update verification controls.

4. After concluding our research, the investigated security
findings were no longer observed in the web hosting systems
from the 2nd of December, 2025, and onwards, as:
* We have fixed vulnerabilities, which could have been used
to target Notepad++. In particular, we do have logs indicating
that the bad actor tried to re-exploit one of the fixed
vulnerabilities; however, the attempt did not succeed after
the fix was implemented.
* We have rotated all the credentials that bad actors could
have obtained until the 2nd of September, 2025.
* We have checked the logs for similar patterns in all web
hosting servers and couldn’t find any evidence of systems
being compromised, exploited in a similar way, or data breached.
While we have rotated all the secrets on our end, below you
will find the preventive actions you should take to maximize
your security. However, if below actions have been done after
the 2nd of December, 2025, no actions are needed from your side.
* Change credentials for SSH, FTP/SFTP, and MySQL database.
* Review administrator accounts for your WordPress sites (if
you have any), change their passwords, and remove unnecessary
users.
* Update your WordPress sites (if you have any) plugins, themes,
and core version, and turn on automatic updates, if applicable.
We appreciate your cooperation and understanding. Please let us
know in case you have any questions.

TL;DR
According to the former hosting provider, the shared hosting
server was compromised until September 2, 2025. Even after
losing server access, attackers maintained credentials to
internal services until December 2, 2025, which allowed them
to continue redirecting Notepad++ update traffic to malicious
servers. The attackers specifically targeted Notepad++ domain
with the goal of exploiting insufficient update verification
controls that existed in older versions of Notepad++. All
remediation and security hardening were completed by the
provider by December 2, 2025, successfully blocking further
attacker activity.

Note on timelines: The security expert’s analysis indicates
the attack ceased on November 10, 2025, while the hosting
provider’s statement shows potential attacker access until
December 2, 2025. Based on both assessments, I estimate the
overall compromise period spanned from June through
December 2, 2025, when all attacker access was definitively
terminated.

To address this severe security issue, the Notepad++ website
has been migrated to a new hosting provider with
significantly stronger security practices.

Within Notepad++ itself, WinGup (the updater) was enhanced in
v8.8.9 to verify both the certificate and the signature of the
downloaded installer. Additionally, the XML returned by the
update server is now signed (XMLDSig), and the certificate &
signature verification will be enforced starting with upcoming
v8.9.2, expected in about one month.

I deeply apologize to all users affected by this hijacking. I
recommend downloading v8.9.1 (which includes the relevant
security enhancement) and running the installer to update
your Notepad++ manually.

With these changes and reinforcements, I believe the situation
has been fully resolved. Fingers crossed.
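
The following PowerShell script is an added example for administrators acting on this note; it is not code from Notepad++ or from CERT-Renater. It checks the installed Notepad++ version against the two thresholds quoted above (8.8.9, where WinGup started verifying the installer signature, and 8.9.2, where verification is enforced), verifies the Authenticode signature and signer of a downloaded installer before it is run, and locates the legacy self-signed Notepad++ root certificate that the v8.8.9 announcement asks users to remove. The install paths, the signer subject and issuer patterns, and the root certificate's subject pattern are assumptions; confirm them against a known-good installer before trusting the result.

```powershell
# Added example (not Notepad++ or CERT-Renater code): audits one Windows host
# against this advisory. Install paths, signer subject/issuer patterns and the
# legacy root certificate's subject pattern are assumptions.

# Version thresholds quoted from the advisory.
$NppSignatureCheckAdded    = [version]'8.8.9'   # WinGup verifies installer signature & certificate
$NppSignatureCheckEnforced = [version]'8.9.2'   # verification (incl. XMLDSig manifest) enforced

function Get-NppInstalledVersion {
    # Assumption: a standard (non-portable) installation under Program Files.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $roots) {
        $exe = Join-Path $root 'Notepad++\notepad++.exe'
        if (Test-Path -LiteralPath $exe) {
            $raw = (Get-Item -LiteralPath $exe).VersionInfo.FileVersion
            # Keep only the leading dotted numeric part (e.g. "8.8.3") for a [version] cast.
            if ($raw -match '^\d+(\.\d+){1,3}') {
                return [pscustomobject]@{ Path = $exe; Version = [version]$Matches[0] }
            }
        }
    }
    return $null
}

function Test-NppInstallerSignature {
    param([Parameter(Mandatory)][string]$InstallerPath)
    $sig  = Get-AuthenticodeSignature -FilePath $InstallerPath
    $cert = $sig.SignerCertificate
    # Status 'Valid' means the file hash matches the signature and the chain is
    # trusted. Pin the signer as well, so a valid signature from some other
    # publisher does not pass. Both patterns are assumptions (advisory: a
    # GlobalSign-issued certificate since v8.8.7).
    $signerOk = ($null -ne $cert) -and
                ($cert.Subject -match 'Notepad\+\+') -and
                ($cert.Issuer  -match 'GlobalSign')
    [pscustomobject]@{
        Path    = $InstallerPath
        Status  = $sig.Status
        Subject = if ($cert) { $cert.Subject } else { $null }
        Issuer  = if ($cert) { $cert.Issuer }  else { $null }
        Trusted = ($sig.Status -eq 'Valid') -and $signerOk
    }
}

function Find-LegacyNppRootCertificate {
    # The self-signed "Notepad++" root that older releases asked users to
    # install. Self-signed means Subject equals Issuer; the subject pattern is
    # an assumption, so review thumbprints before removing anything.
    Get-ChildItem -Path Cert:\CurrentUser\Root, Cert:\LocalMachine\Root -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -eq $_.Issuer -and $_.Subject -match 'Notepad\+\+' }
}

# --- Report ---------------------------------------------------------------
$npp = Get-NppInstalledVersion
if (-not $npp) {
    Write-Host 'Notepad++ not found in the default install locations (check portable copies).'
} elseif ($npp.Version -lt $NppSignatureCheckAdded) {
    Write-Warning "Notepad++ $($npp.Version) at $($npp.Path): no installer signature check. Update manually with a verified installer."
} elseif ($npp.Version -lt $NppSignatureCheckEnforced) {
    Write-Warning "Notepad++ $($npp.Version): signature check present, but not enforced before $NppSignatureCheckEnforced."
} else {
    Write-Host "Notepad++ $($npp.Version): update verification enforced."
}

$legacy = Find-LegacyNppRootCertificate
if ($legacy) {
    $legacy | Select-Object PSParentPath, Subject, Thumbprint | Format-Table -AutoSize
    # Dry run first; drop -WhatIf once the thumbprints are confirmed (needs elevation for LocalMachine).
    $legacy | Remove-Item -WhatIf
}

# Verify a downloaded installer before running it (the path is a placeholder):
# Test-NppInstallerSignature -InstallerPath "$env:USERPROFILE\Downloads\npp.Installer.x64.exe"
```

Run the report part in an elevated session if the legacy root certificate was installed machine-wide; the `Trusted` field of `Test-NppInstallerSignature` is the value to gate a manual update on, since `Status` alone only proves that some trusted publisher signed the file.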

_____________________________________________________________________

Notepad++ v8.8.9 release: Vulnerability-fix

2025-12-09

Some security experts recently reported incidents of traffic hijacking
affecting Notepad++. According to the investigation, traffic from
WinGup (the Notepad++ updater) was occasionally redirected to malicious
servers, resulting in the download of compromised executables.

The review of the reports led to identification of a weakness in the
way the updater validates the integrity and authenticity of the
downloaded update file. In case an attacker is able to intercept the
network traffic between the updater client and the Notepad++ update
infrastructure, this weakness can be leveraged by an attacker to
prompt the updater to download and execute an unwanted binary (instead
of the legitimate Notepad++ update binary). To mitigate this weakness
and address the hijacking concerns raised by the security researchers,
a new security enhancement is being introduced in this release of
Notepad++.

Mitigation: Starting with this release, Notepad++ & WinGup have been
hardened to verify the signature & certificate of downloaded installers
during the update process. If verification fails, the update will be
aborted.

Status: The investigation is ongoing to determine the exact method
of traffic hijacking. Users will be informed once tangible evidence
regarding the cause is established.

Note that starting with v8.8.7, Notepad++ binaries - including the
installer - are digitally signed using a legitimate certificate
issued by GlobalSign. As a result, installation of the Notepad++
root certificate is no longer required. We recommend that users
who have previously installed the root certificate remove it.

Besides the vulnerability-fix mentioned above, this release
includes various bug-fixes & some additional enhancements. You
can view the full list of improvements for version 8.8.9 and
download it here: 


Regression and critical bug report here:
https://community.notepad-plus-plus.org/topic/27298/notepad-v8-8-9-vulnerability-fix
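
The following PowerShell script is an added hunting example for incident responders reading this note; it is not code from Notepad++ or from CERT-Renater. It looks in proxy logs for the pattern the two posts describe: a WinGup update check against getDownloadUrl.php followed, from the same client and within a few minutes, by an installer download from a host that is not a legitimate Notepad++ distribution point, restricted to the June to 2 December 2025 window given above. The log columns, the allowlist of download hosts, the query string on the update URL, the "WinGup" user agent, and every sample line are constructed assumptions; adapt them to your own proxy format.

```powershell
# Added example (not Notepad++ or CERT-Renater code): hunts proxy logs for a
# Notepad++ update check followed by an installer download from an
# unexpected host. Log format, allowlist and sample data are constructed.

# Compromise window quoted from the advisory (June 2025 through 2 December 2025).
$WindowStart = [datetime]'2025-06-01'
$WindowEnd   = [datetime]'2025-12-03'   # exclusive upper bound, so 2 December is included

# Assumption: hosts that may legitimately serve the Notepad++ installer
# (the project site and the GitHub release storage its manifests point to).
$AllowedDownloadHosts = @('notepad-plus-plus.org', 'github.com', 'objects.githubusercontent.com')

# Constructed sample log, not real traffic. Client 10.1.2.3 performs a normal
# update; client 10.1.2.9 is redirected to an unknown host. The last line is
# outside the window and not preceded by an update check, so it is ignored.
$SampleLog = @'
timestamp,client,method,url,user_agent
2025-09-14T08:01:02Z,10.1.2.3,GET,https://notepad-plus-plus.org/update/getDownloadUrl.php?version=8.8.3,WinGup
2025-09-14T08:01:05Z,10.1.2.3,GET,https://github.com/notepad-plus-plus/notepad-plus-plus/releases/download/v8.8.5/npp.8.8.5.Installer.x64.exe,WinGup
2025-10-03T14:22:10Z,10.1.2.9,GET,https://notepad-plus-plus.org/update/getDownloadUrl.php?version=8.8.3,WinGup
2025-10-03T14:22:14Z,10.1.2.9,GET,https://cdn.example.invalid/npp/npp.8.8.5.Installer.x64.exe,WinGup
2026-01-20T09:00:00Z,10.1.2.9,GET,https://cdn.example.invalid/tool.exe,Mozilla/5.0
'@

function Find-SuspiciousNppUpdates {
    param(
        [Parameter(Mandatory)][string]$LogText,
        [int]$PivotWindowMinutes = 10
    )
    # Normalise every row: UTC timestamp plus a parsed URI for host/path checks.
    $rows = foreach ($r in ($LogText | ConvertFrom-Csv)) {
        [pscustomobject]@{
            Time   = [datetimeoffset]::Parse($r.timestamp).UtcDateTime
            Client = $r.client
            Uri    = [uri]$r.url
            Url    = $r.url
        }
    }
    # Pivot points: update checks against the project's manifest endpoint inside the window.
    $checks = $rows | Where-Object {
        $_.Uri.Host -eq 'notepad-plus-plus.org' -and
        $_.Uri.AbsolutePath -like '*/getDownloadUrl.php' -and
        $_.Time -ge $WindowStart -and $_.Time -lt $WindowEnd
    }
    foreach ($check in $checks) {
        # Same client, shortly afterwards, fetching an .exe from a host not on the allowlist.
        $rows | Where-Object {
            $_.Client -eq $check.Client -and
            $_.Time -gt $check.Time -and
            $_.Time -le $check.Time.AddMinutes($PivotWindowMinutes) -and
            $_.Uri.AbsolutePath -like '*.exe' -and
            $AllowedDownloadHosts -notcontains $_.Uri.Host
        } | ForEach-Object {
            [pscustomobject]@{
                Client       = $check.Client
                UpdateCheck  = $check.Time
                DownloadTime = $_.Time
                DownloadHost = $_.Uri.Host
                Url          = $_.Url
            }
        }
    }
}

Find-SuspiciousNppUpdates -LogText $SampleLog | Format-Table -AutoSize
```

Pivoting on the request to getDownloadUrl.php rather than on a user agent keeps the query robust if your proxy does not record the client's User-Agent; any hit should be followed by pulling the downloaded file from the endpoint and checking its Authenticode signature, as the v8.8.9 release now does before installing.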

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
