209
Well this sucks
this post was submitted on 03 Feb 2026
209 points (99.5% liked)
News
36714 readers
1999 users here now
Welcome to the News community!
Rules:
1. Be civil
Attack the argument, not the person. No racism/sexism/bigotry. Good faith argumentation only. This includes accusing another user of being a bot or paid actor. Trolling is uncivil and is grounds for removal and/or a community ban. Do not respond to rule-breaking content; report it and move on.
2. All posts should contain a source (url) that is as reliable and unbiased as possible and must only contain one link.
Obvious biased sources will be removed at the mods’ discretion. Supporting links can be added in comments or posted separately but not to the post body. Sources may be checked for reliability using Wikipedia, MBFC, AdFontes, GroundNews, etc.
3. No bots, spam or self-promotion.
Only approved bots, which follow the guidelines for bots set by the instance, are allowed.
4. Post titles should be the same as the article used as source. Clickbait titles may be removed.
Posts which titles don’t match the source may be removed. If the site changed their headline, we may ask you to update the post title. Clickbait titles use hyperbolic language and do not accurately describe the article content. When necessary, post titles may be edited, clearly marked with [brackets], but may never be used to editorialize or comment on the content.
5. Only recent news is allowed.
Posts must be news from the most recent 30 days.
6. All posts must be news articles.
No opinion pieces, Listicles, editorials, videos, blogs, press releases, or celebrity gossip will be allowed. All posts will be judged on a case-by-case basis. Mods may use discretion to pre-approve videos or press releases from highly credible sources that provide unique, newsworthy content not available or possible in another format.
7. No duplicate posts.
If an article has already been posted, it will be removed. Different articles reporting on the same subject are permitted. If the post that matches your post is very old, we refer you to rule 5.
8. Misinformation is prohibited.
Misinformation / propaganda is strictly prohibited. Any comment or post containing or linking to misinformation will be removed. If you feel that your post has been removed in error, credible sources must be provided.
9. No link shorteners or news aggregators.
All posts must link to original article sources. You may include archival links in the post description. News aggregators such as Yahoo, Google, Hacker News, etc. should be avoided in favor of the original source link. Newswire services such as AP, Reuters, or AFP, are frequently republished and may be shared from other credible sources.
10. Don't copy entire article in your post body
For copyright reasons, you are not allowed to copy an entire article into your post body. This is an instance wide rule, that is strictly enforced in this community.
founded 2 years ago
MODERATORS
Good thing I always ignore notepad++ updates. I mean, good on the devs for active development, but having a user-intervention-required update option every time I launch? Feels clunky.
You would prefer it automatically pull down and install malware?
I think they want them to reduce the release frequency.
Software should have version notification settings like, All, Security Only, Major Release, etc.
While I enjoy staying current, I don’t need the 2.1.3.2.1.000000023 release where someone fixes a minor bug in a niche feature that I have never used to begin with.
I'd love that. Some things I'm willing to be on beta release. Some things I just want to be invisible and silent unless there's a security problem.
Security updates are critical but otherwise, it seems like every time you "update" it breaks something I finally got working.
I mean, isn't that what Windows does anyway?
I'd obviously prefer Notepad++ didn't auto-install malware. Steam and Discord force auto-updates on every launch and do so without user intervention. I haven't knowingly been burned by either yet, but they're bigger players with more resources than Notepad++.
From their blog post, it seems the software itself and its code was unaffected, but the attack was only on the website?
Sort of. The program uses a specific part of the website for its auto update. And it also didn’t do any kinds of TLS (https) validation (which would prevent changing the destination). They also signed their installers (which would throw an error if the file had been modified) but the auto update didn’t check for a valid signature. So basically the two big things that a browser would do when you visit the site to download the installer, the auto updater just… Wasn’t doing.
So people who visited the site to manually download the installer were fine. They would have been alerted if the TLS cert was invalid or if the installer wasn’t properly signed. But if you used the auto updater, you wouldn’t get any of those errors and it would happily install the malware.
Anyone know if this affected updates through winget?
Last I checked the source of the winget package was github, which is the same on the official website. So I would imagine that updating via Winget is just as vulnerable. The details are super vague.
Edit: Somebody else commented that it was only auto-update that was compromised, and winget would be considered a manual update because it download from their github. So I think winget may be safe.
Dont quote me on that though, the information is still super vague and I am going off of somebody else's comment.
Traffic from certain targeted users was selectively redirected to attacker-controlled malicious update manifests.
I don't want to sound dismissive, but at the same time, if you're wondering, "Does this affect me and my computer?" the answer is almost certainly "no." It's scary anyway.
I would have guessed NPP had an option to disable check-for-updates every time it starts, but I couldn't find one.
Yeah it does. It's in Settings > Preferences > Misc. There's a dropdown to disable automatic updates.
Thanks, yes, I've got "Auto-updater" set to "disable," but NPP still checks in with the mothership when it starts, and notifies the user when updates are available.
There should be a way to disable that. I swear I've disabled it before, but I don't run Windows anymore, so I can't check it.
Fuck.
Anyone have an open source alternate that has commensurate features as N++
Getting increasingly paranoid about the software I allow on my devices and now that I have a self-hosted LLM, I can feed it the source code and cross-reference it on 5Gb of CVE databases I've trained it on to ensure sanitary code.
Just to be clear, N++ wasn't compromised, the shared web host running the auto update infrastructure was. They responsibly disclosed it and shared safety steps. I don't know if it is time to bail on them yet.
Sounds like manual updates were fine?
Yes, that's the current consensus. Only the auto-update infrastructure was compromised, and it was a shared hosting compromise.
Some options are atom, brackets/phoenix, lime text. I went with gVim for now.
Atom's final release was in 2022.
I just found out it was acquired and buried to promote VS Code. That's awful.
Kate.