top | item 46852351

(no title)

edb_123 | 29 days ago

So, let me get this straight. If I've been lazy, postponed updates and I'm still on 8.5.8 (Oct 2023) - it turns out I'm actually...safer?

Anyway, I hope the author can be a bit more specific about what actually has happened to those unlucky enough to have received these malicious updates. And perhaps a tool to e.g. do a checksum of all Notepad++ files, and compare them to the ones of a verified clean install of the user's installed version, would be a start? Though I would assume these malicious updates would be clever enough to rather have dropped and executed additional files, rather than doing something with the Notepad++ binaries themselves.

And I agree with another comment here. With all those spelling mistakes that notification kind of reads like it could have been written by a state-sponsored actor. Not to be (too) paranoid here, but can we be sure that this is the actual author, and that the new version isn't the malicious one?

discuss

hinkley|29 days ago

This reminds me of college, when some of my professors were still sorting out their curriculum and would give us homework assignments with bugs in it.

I complained many times that they were enabling my innate procrastination by proving over and over again that starting the homework early meant you would get screwed. Every time I'd wait until the people in the forum started sounding optimistic before even looking at the problem statement.

I still think I'd like to have a web of trust system where I let my friends try out software updates first before I do, and my relatives let me try them out before they do.

Nition|29 days ago

Ah, I remember those days. One that wasn't an error exactly was an assignment that had a word limit of 2000 words or something. I'd written maybe 3000 words and spent quite some time cutting it down, getting it to just under the limit. Then someone else who also wrote too many words asked the professor if that was okay and they sent out an update to everyone saying it's fine to ignore the word limit.

skeledrew|29 days ago

> let my friends try out software updates first before I do

And who do they let try the software before they do? And so on... Where does it ended?

dec0dedab0de|29 days ago

They should have just gave out extra credit for finding bugs.

ozim|29 days ago

For windows updates r/sysadmin has people who run updates and post their experience on patch Tuesday.

greazy|29 days ago

I work in a lab as an analyst (bioinformatician), we are register and pay for quality assurance programs that contain an embarrassing about of technical errors.

tasuki|29 days ago

> So, let me get this straight. If I've been lazy, postponed updates and I'm still on 8.5.8 (Oct 2023) - it turns out I'm actually...safer?

Is this surprising? My model is that keeping with the new versions is generally more dangerous than sticking with an old version, unless that old version has specific known and exploitable vulnerabilities.

illiac786|29 days ago

Yes, it is very much atypical. Most hacks happen because admins still haven’t applied a 2 years old patch. I hate updates, but it‘s statistically safer that running an old software version. Try exposing a windows XP to the internet and watch how long it takes before it‘s hacked.

slumberlust|29 days ago

Steve from Security Now podcast has been specifically using Notepad++ as an example of not being able to leave good enough alone for years now. Can't wait to hear him claim his told you so next week.

Love notepad++ and will continue to use it.

FatalLogic|29 days ago

>I'm still on 8.5.8 (Oct 2023) - it turns out I'm actually...safer?

Notepad++ site says The incident began from June 2025.

On their downloads page, 8.8.2 was the first update in June 2025 (the previous update 8.8.1 was released 2025-05-05)

So, if your installed version is 8.8.1 or lower, then you should be safe. Assuming that they're right about when the incident began.

edit: Notepad++ has published, on Github, SHA256 hashes of all the binaries for all download versions, which should let users check if they were targeted, if they still have the downloaded file. 8.8.1 is here, for example - https://github.com/notepad-plus-plus/notepad-plus-plus/relea...

JoystickX02|29 days ago

Just checked my 8.7.9 that I installed in April 2025 and never updated. The hash seems to be identical to the version I installed around that time. Seems like it was a good choice to always skip the Update Dialog when using Notepad++ lol.

z3t4|29 days ago

Older download links doesn't seem to work!?

1vuio0pswjnm7|29 days ago

"So, let me get this straight. If I've been lazy, postponed updates and I'm still on 8.5.8 (Oct 2023) - it turns out I'm actually...safer?"

This is true for a large number of software "security" issues

A software version earlier in date/time is not necessarily inferior (or superior) to a version later in date/time

As it is "updated" or rewritten,, software can become worse instead of better, or vice versa, for a vaariety of reasons

Checking software's release date, or enabling/allowing "automatic updates" is not a substitute for reading source code and evaluating software on the merits

otherme123|29 days ago

> And perhaps a tool to e.g. do a checksum of all Notepad++ files, and compare them to the ones of a verified clean install of the user's installed version, would be a start?

Did I understand the attack wrongly? The software could have a 100% correct checksum, because the attack happened in a remote machine that deals with call home events from Notepad++, I guess one of those "Telemetry" add-ons. The attackers did a MITM to Notepad++ traffic.

tempestn|29 days ago

The remote machine that was compromised was responsible for Notepad++ updates, so the concern is that it could cause a compromised version of the software to be installed. But if it could do that, it could probably cause anything to be installed anywhere on the user's machine, so inspecting the installed N++ binary probably wouldn't be too useful.

bulbar|29 days ago

I disable auto update for everything that does not have direct contact with the Internet otherwise (mail app, browser, OS, router,...). Probability for some random app being exploited because updates were skipped is insignificant compared to the probability of a malicious update.

Updates are a direct connection from the Internet to your computer. You want to minimize that.

Just do a manual update from time to time.

jollyllama|27 days ago

Yes, of course you're safer. If your system is working as desired, updates can only break it. This is just Engineering 101, but for whatever reason, all logic is abandoned on the topic of security updates.

user3939382|29 days ago

If there’s anything I’ve learned from IBM, Red Hat, and CentOS, it’s that bleeding edge is actually what I’m supposed to want.

FpUser|29 days ago

8.4.7 here. phew

topspin|29 days ago

8.5.7 here (built Sept 6, 2023)

Now I need to worry about this one. I've been anxious about vscode lately: apparently vscode extensions are a dumpster fire of compromises.

beached_whale|29 days ago

lol, im on 7.3.x for extra safety