Thank you, Coises, for your helpful reply. I truly appreciate your support and guidance.

Regards,
Harmandeep Singh Kandhari

Kaspersky only saw evidence of victims IP addresses in Vietnam, El Salvador, Australia and the Philippines, and noted, “We observed three different infection chains overall, designed to attack about a dozen machines…”.

Thus, it wasn’t just “targeted” – out of all the update attempts that would have happened during the June to December timeframe, it appears there were only a dozen victims: everyone else got a normal, unaffected update, with no malicious payload.

When the attackers redirected victims, the victims got “updaters” which did nothing to notepad++.exe. If every time that automatic updates ran, you saw Notepad++ actually updated, you were not one of the victims.

In case the user runs Notepad++ updater, if the version remains exactly the same after the attempted update, the user can check %LOCALAPPDATA%\Notepad++\log\securityError.log to see what happened & report it.

The developer does not read most posts in this Forum. If you would like to suggest such a move to the developer, I would recommend creating a new Issue at GitHub requesting it (https://github.com/notepad-plus-plus/notepad-plus-plus/issues).

BTW:

5.1-if your home internet speed is fast enough, setup your own web server to your pc under virtualbox(in case of web server software cve’s/rce’s). I or anyone can help with that. Dont forget to hardening server for security.

IMO, this is BAD advice. To suggest to a non-security specialist who runs this as a hobby, that he should self-host, and try to keep up on all the security hardening, is asking him to get hacked even worse than the hack that already happened. He was literally paying a host to provide such services, and the professionals failed; he has now changed providers to a host who has better security procedures.

Believe me it’s not that hard to setup a webserver or harden it, especially while backed by a strong community. The risks are different when hosting at home between hosting remotely. The hosting firm may be offered money to hijack, or an out-of-date hosting management software had rce was waiting to be abused.

@donho

What is that for (is it for specific HW, OS or network analysis)?

Ubuntu on a VPS

Fullname of the forensic SW

“Forensic Extractor”

ballpoint.fr

It’s rather to analyze the results to make sure if anything is OK. Note the VPS is only for the wingup.org, whereas notepad-plus-plus.org is on a sharing hosting service.

Thank you for the ref
I will check this company.

The above instructions are still appropriate for confirming the self-signed certificate, but with the GlobalSign-issued certificate, the procedure is not as critical.

I was unable to save file. Suggested to open as Administrator after accepting my file is empty. It is very important file for me what to do?

Where were you trying to save the file? To somewhere in c:\program files\ or c:\windows or similarly protected area? Or were you trying to save to a normal writeable directory on your machine’s local drive? Or a mounted network drive? Because it only suggests Administrator if it gets a “permission denied” error when you try to write the file.

after accepting my file is empty. It is very important file for me what to do?

Bummer. Unfortunately, if you already restarted Notepad++, and it didn’t have the Settings > Preferences > Backup set to take “session snapshots and periodic backups”, your unsaved changes were never written to disk anywhere. As soon as Notepad++ exited, those bits were removed from active memory, and were lost. Since the files were likely never written to disk, I doubt that an external file-recovery utility like Recuva would work for you, but you might try directing such at the `c:\users<username>\AppData\Roaming\Notepad++\backup

See our FAQ on backups for more details about how the Notepad++ backup settings work, how the AutoSave plugin can help improve things, and best-practice suggestions for avoiding data loss in the future.

Also, I think one of the frequent contributors is actively working on a solution to have Notepad++ be able to get UAC permission for a file-save without needing to restart the application – such a feature would definitely help in your case. Unfortunately, I’ve spent the last few minutes trying to find the Issue or PR where that was being discussed, and haven’t found it yet.

False Positive caused because there is no certificate:

KNOWN ISSUE: https://community.notepad-plus-plus.org/topic/26978/known-issue-the-digital-certificate-is-not-available-in-version-8-8-2

–

UPDATE: With the release of v8.8.7, Notepad++ is once again signed by a GlobalSign-issued certificate, as well as the Notepad++ self-signed certificate.

patching older vulnerable versions

It could be fun, now without the public CA cert available…

As far as I can tell, they were unrelated. Scanners such as VirusTotal look at the executable itself, and last year were being triggered by the lack of signing and the self-signing of the executable.

please confirm if this issue is related to the notepad++ hijack news dated 2nd Feb 2026?

The issue you are referring to, as linked here and described in detail here specifically said,

the compromise occured at the hosting provider level rather than through vulnerabilities in Notepad++ code itself.

This was a website hack, and VirusTotal and other such AV scans do not detect website hacks, as far as I understand them.

See the FAQ, which has the best “table of contents” for the website hack. ALL related followups/discussions must go in Topic: autoupdater and connection to temp.sh.

There are definitely still giant, green “Download” button ads:

Posting screenshots here isn’t helpful, at this point.

And it is better if you just email the malicious links directly to don.h@free.fr , as has been said repeatedly in this discussion.

–

I am locking this thread, as there isn’t anything new to say about this topic

–

If you came here to report a malicious/dangerous download link (and NOTE: not all ads with “download” are malicious or dangerous), then

You could do a survey which plugins your employees need. There can be different needs, e.g. technical staff likely needs other plugins than employees that ar more involved in administrative tasks. Then you can install these plugins on the employee’s machines.

After that you need to rename or delete <install-directory>\updater\GUP.exe to prevent users from installing any other plugins. As long as your employees don’t have admin access to Notepad++'s install directory, they are not able to revert these changes.

The disadvantage is that your users neither will be able to update Notepad++ itself nor the installed plugins. This is something your ICT department has to do.

I would greatly appreciate if anyone did know of some little FOOS tool/script like I mentioned, more reliable than what I’ve hacked together, to help me secure my friends cyber security.

Can people here DM me suggestions?

If there was a discord this could be spun off into a thread.

I’m not sure if it matters to anyone but the suggestions and discussion so far have been really helpful and spot on solving the problem which I’m still using NPP for BTW (such as displaying instructions as we just discussed).

For some perspective, the person I’m trying to help recently lost 7kg in just over a week due to stress and worry from being targeted and harassed by some hacker/scammer that’s been messing with then, trying to take accounts etc for a while now.

I agree it’s not on strictly topic and I don’t expect to discuss this here, it’s just without at least giving a way to continue the discussion elsewhere, given the fact that it’s still directly addressing the goal I initially stated, and the potential consequences to people, it seems kinda callous to just stomp on it like we’re posting cat memes.

So how and where should this be continued, or is that irrelevant?

Is there any way to allow a normal user to update the software without having to provide the user admin rights to the local PC?

Microsoft has defined C:\Program Files\ (and equivalent, though I’ll use that as the generic path going forward in this post) as requiring UAC (elevated privileges, or “Admin privileges”). If someone installs Notepad++ into C:\Program Files\Notepad++\, then it will require admin rights (unless you have disabled UAC on your PC).

If you cannot disable UAC requirements, you could try changing the permission of the C:\Program Files\Notepad++\ directory (and all subdirectories) – which will require UAC/Admin once to be able to change the permissions, but should successfully update thereafter. (That’s what I do on my work machine, since I frequently update Notepad++ or its plugins, and got tired of entering my password every time I did.)

If changing permissions of the installation directory is not something you’re interested in, you might consider installing Notepad++ to a location where you do have write access, instead of in the default C:\Program Files\Notepad++\ – maybe you could create a directory called C:\LocalApps\, and install Notepad++ as C:\LocalApps\Notepad++\ . As long as you installed it as your local, non-privileged user and have appropriate permissions in the C:\LocalApps\ hierarchy, you shouldn’t be pestered for Admin rights on future updates.