https://notepad-plus-plus.org/news/ Recent content in News on Notepad++ Hugo -- gohugo.io en-us Sat, 21 Mar 2026 00:00:00 +0000 https://notepad-plus-plus.org/news/v893-released/ Sat, 21 Mar 2026 00:00:00 +0000 https://notepad-plus-plus.org/news/v893-released/ 2026-03-26 In order to improve the performance of reading & writing Notepad++ configuration files, the migration of a new XML parser (pugixml) has been carried out over several versions, and it is now completed in this release. Several regressions detected in previous versions, caused by the XML parser migration, have also been fixed. Some bugs have been resolved and a few new improvements have been added in the 8.9.3 release. https://notepad-plus-plus.org/news/v892-released/ Sun, 15 Feb 2026 00:00:00 +0000 https://notepad-plus-plus.org/news/v892-released/ 2026-02-16 “the XML returned by the update server is now signed (XMLDSig), and the certificate & signature verification will be enforced starting with upcoming v8.9.2, expected in about one month.“ As promised in the announcement Notepad++ Hijacked by State-Sponsored Hackers, this release strengthens the weakest links in Notepad++ update process. Below is an illustration of how the Notepad++ update mechanism was previously hijacked: With security enhancements introduced in v8. https://notepad-plus-plus.org/news/clarification-security-incident/ Thu, 05 Feb 2026 00:00:00 +0000 https://notepad-plus-plus.org/news/clarification-security-incident/ 2026-02-05 After the publication of Notepad++ Hijacked by State-Sponsored Hackers, we’ve received many questions from concerned users. Here’s what you need to know: What Was Actually Compromised? Notepad++ itself was NOT hacked. The issue was with the auto-updater component (WinGup), which was exploited through a compromise of our former hosting provider’s infrastructure. The Notepad++ application you’ve been using remains safe and secure. Who Was Targeted? This was a highly selective attack by a state-sponsored group targeting specific high-value organizations. https://notepad-plus-plus.org/news/hijacked-incident-info-update/ Sat, 31 Jan 2026 00:00:00 +0000 https://notepad-plus-plus.org/news/hijacked-incident-info-update/ 2026-02-02 Following the security disclosure published in the v8.8.9 announcement https://notepad-plus-plus.org/news/v889-released/ the investigation has continued in collaboration with external experts and with the full involvement of my (now former) shared hosting provider. According to the analysis provided by the security experts, the attack involved infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org. The exact technical mechanism remains under investigation, though the compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself. https://notepad-plus-plus.org/news/v891-released/ Mon, 26 Jan 2026 00:00:00 +0000 https://notepad-plus-plus.org/news/v891-released/ 2026-01-26 Several regressions were fixed in release 8.9.1: playback of macros that dulicated EOL, no matches found when pasting from Excel into the Find what field, and a regression in the customized context menu where the separator (id=“0”) escapes FolderName submenu. A long-standing bug was also fixed in this version: a single undo reverted multiple changes after macro execution. In addition to the fixed issues mentioned above, this release includes various bug-fixes & a few additional enhancements. https://notepad-plus-plus.org/news/v89-released/ Sat, 27 Dec 2025 00:00:00 +0000 https://notepad-plus-plus.org/news/v89-released/ 2025-12-27 Though the version number is major, this release itself is not a major update, and it contains regression-fix & enhancements. The self-signed certificate is no longer used as of this release. Only the legitimate certificate issued by GlobalSign is now used to sign Notepad++ release binaries. We strongly recommend that users who previously installed the self-signed root certificate remove it. A log of security errors encountered during Notepad++ updates is now generated automatically. https://notepad-plus-plus.org/news/v889-released/ Mon, 08 Dec 2025 00:00:00 +0000 https://notepad-plus-plus.org/news/v889-released/ 2025-12-09 Some security experts recently reported incidents of traffic hijacking affecting Notepad++. According to the investigation, traffic from WinGUp (the Notepad++ updater) was occasionally redirected to malicious servers, resulting in the download of compromised executables. The review of the reports led to identification of a weakness in the way the updater validates the integrity and authenticity of the downloaded update file. In case an attacker is able to intercept the network traffic between the updater client and the Notepad++ update infrastructure, this weakness can be leveraged by an attacker to prompt the updater to download and executed an unwanted binary (instead of the legitimate Notepad++ update binary). https://notepad-plus-plus.org/news/v888-released/ Tue, 18 Nov 2025 00:00:00 +0000 https://notepad-plus-plus.org/news/v888-released/ 2025-11-18 I have been in contact with some security experts over the past 2 weeks and have identified a potential hijacking issue in WinGUp, the auto-updater developed for and used by Notepad++. This issue has been addressed in the latest release. Users are encouraged to manually download & upgrade Notepad++ using the official installer. One of most wanted features - the MSI installer - is now available. It is intended for enterprise IT deployment only and may require iterative refinement to be fully usfull. https://notepad-plus-plus.org/news/v887-released/ Sat, 18 Oct 2025 00:00:00 +0000 https://notepad-plus-plus.org/news/v887-released/ 2025-10-20 With this release v8.8.7 Notepad++ is now signed by a legitimate certificate issued by GlobalSign. This is a major security milestone, and it should permanently resolve all concerns regarding the authenticity and integrity of Notepad++ releases (which were present since v8.8.2, when the previous certificate expired). It’s been a challenging few months, struggling with administrative hurdles and dealing with certificate authorities to make this happen. Essentially, for an open-source project to obtain a certificate under its name, it must be recognized as a business entity. https://notepad-plus-plus.org/news/v886-released/ Thu, 02 Oct 2025 00:00:00 +0000 https://notepad-plus-plus.org/news/v886-released/ 2025-10-07 CVE-2025-56383 is one of the most absurd entries we’ve ever seen in the National Vulnerability Database. It’s misclassified under CWE-427: Uncontrolled Search Path Element. Yet the provided POC shows no connection to CWE-427. Notepad++ & its plugins are installed by default in the protected “Program Files” directory, requiring administrator privileges to modify. If an attacker already has those rights, they could replace any system file - so targeting a plugin is pointless. https://notepad-plus-plus.org/news/v885-released/ Wed, 13 Aug 2025 00:00:00 +0000 https://notepad-plus-plus.org/news/v885-released/ 2025-08-14 This release, like the previous version v8.8.3, is signed with the self-signed certificate. If your antivirus complains that the 8.8.5 version you downloaded here contains a virus or malware, this is likely a false positive. Please report it to the antivirus company. The release contains several bug fixes & enhancements. You can check the full list of improvements for version 8.8.5 and download it here: Regression and critical bug report here: https://community. https://notepad-plus-plus.org/news/v884-released/ Sat, 09 Aug 2025 00:00:00 +0000 https://notepad-plus-plus.org/news/v884-released/ 2025-08-12 There is a critical regression in release v8.8.4. Please use v8.8.5 instead. https://notepad-plus-plus.org/news/v883-self-signed-certificate/ Fri, 04 Jul 2025 00:00:00 +0000 https://notepad-plus-plus.org/news/v883-self-signed-certificate/ 2025-07-09 “Sometimes, when one door closes (lack of code signing) in life, another one opens (vulnerability) .” The sentence sumarizes well the situation in the previous version, 8.8.2. There were - and still are - many false-positives reported in the previous version v8.8.2, by the antivirus software due to the absence of Windows code signing certificate. To prevent this issue from recurring in future releases, from this version the Notepad++ release is signed with a certificate issued by a self-signed Certificate Authority (CA). https://notepad-plus-plus.org/news/v882-fix-security-issue/ Mon, 30 Jun 2025 00:00:00 +0000 https://notepad-plus-plus.org/news/v882-fix-security-issue/ 2025-06-30 If your virus scanner reports malware in this release (a false positive), or you see the yellow UAC popup while installing this new version of Notepad++, don’t panic. It’s due to the absence of Windows code signing procedure. An explanation has been provided in the previous announcement. Although this release lacks a Windows code signing certificate, Notepad++ still provides a GPG signature. To protect against MITM attacks, use Gpg4win or Kleopatra, or at least verify the downloaded files using the puplished SHA256 fingerprint. https://notepad-plus-plus.org/news/8.8.2-available-in-1-week-without-certificate/ Tue, 24 Jun 2025 00:00:00 +0000 https://notepad-plus-plus.org/news/8.8.2-available-in-1-week-without-certificate/ 2025-06-25 The Notepad++ code signing certificate issued by DigiCert expired on the May 15, 2025. Unfortunately it seems the project no longer meets the validation criteria, and the publisher name “Notepad++” has been rejected. I fully understand the validation team’s position and want to thank DigiCert for their generous donation of 3 certificates over 9 years (2016 - 2025). Notepad++ is an open source project without a registered business entity, which makes traditional validation challenging. https://notepad-plus-plus.org/news/v881-we-are-with-ukraine/ Mon, 05 May 2025 00:00:00 +0000 https://notepad-plus-plus.org/news/v881-we-are-with-ukraine/ 2025-05-05 The release 8.8.1 follows the previous one and continues to show support for Ukraine. Edit: Just after v8.8.1 was released, I received the following email in French: “Dis connard tu soutiens l’Ukraine? Et tu bloques les IP Russes? Petit con tu sais pas ce qu’est un VPS (I guess he meant “VPN”) ? Va donc te battre en Ukraine contre mes potes, petit batard! On va inserer un trojan dans ton logiciel de merde et le distribuer en France. https://notepad-plus-plus.org/news/v88-we-are-with-ukraine/ Sun, 27 Apr 2025 00:00:00 +0000 https://notepad-plus-plus.org/news/v88-we-are-with-ukraine/ 2025-04-28 Thank you to everyone who has written to show their support since the previous release v8.7.9 - We Are With Ukraine. It’s heartening to see that so many people continue to share the same common sense. I apologize for not being able to respond to each of you individually. The release 8.8 reaffirms our support for Ukraine. As you can see in the images above, Toolbar Fluent icons can now be colored dynamically with custom colors in the 8. https://notepad-plus-plus.org/news/v879-we-are-with-ukraine/ Wed, 26 Mar 2025 00:00:00 +0000 https://notepad-plus-plus.org/news/v879-we-are-with-ukraine/ 2025-04-02 I received a lot of feedback regarding the previous release, v8.7.8, titled “We are with Ukraine”. While some expressed gratitude, the majority consisted of ridicule and insults. I sincerely apologize for any discomfort or anger the last version may have caused. As a gesture of my sincere apologies, the latest release, v8.7.9, continues to show support for Ukraine. In the 8.7.9 release, due to fixes for two syntax highlighting regressions, some performance improvements for handling large files from versions 8. https://notepad-plus-plus.org/news/v878-we-are-with-ukraine/ Fri, 07 Mar 2025 00:00:00 +0000 https://notepad-plus-plus.org/news/v878-we-are-with-ukraine/ 2025-03-08 “When a clown moves into a palace, he doesn’t become a king. The palace becomes a circus.” This phrase summarizes what happened after Trump’s second term, particularly the recent meeting with the Ukrainian President Zelensky, the subsequent halt of Ukraine military support. French Senator Claude Malhuret has aptly addressed the situation with insightful suggestions, which you can watch with English subtitles here. These events remind us of the importance of standing firm in support of those who fight for their sovereignty, dignity and freedom. https://notepad-plus-plus.org/news/v877-released/ Fri, 07 Feb 2025 00:00:00 +0000 https://notepad-plus-plus.org/news/v877-released/ 2025-02-07 The release of v8.7.7 addresses the regression in v8.7.6 related to certain SCN_MODIFIED notification events with a few plugins. Version 8.7.7 includes the new API NPPM_ADDSCNMODIFIEDFLAGS with the following implementation: https://community.notepad-plus-plus.org/topic/26595/new-api-to-fix-eventual-regression-regarding-scn_modified-for-some-plugins?_=1738239716763 Download v8.7.7 here: Do more to stop war - keep helping Ukraine Donate to Ukraine Regression and critical bug report here: https://community.notepad-plus-plus.org/topic/26615/notepad-v8-7-7-released