Notepad++ Subject to Supply Chain Attack for Months

The popular text editor Notepad++ had its infrastructure compromised from about June 2025 to December 2025, allowing the attackers to deliver malicious updates to unsuspecting users.


This is a companion discussion topic for the original entry at https://www.privacyguides.org/news/2026/02/03/notepad-subject-to-supply-chain-attack-for-months

If the app’s updater was able to be exploited through a compromise in server/network infrastructure, then the app was vulnerable.

That’s a vulnerability in the app.

It’s honestly quite odd that they are trying to spin it as though there wasn’t a vulnerability in their app. I guess you could say the updater isn’t really “the app” but if it has the same developers, is always bundled as part of the app itself (even if it can be disabled), and is only used for this app specifically, that seems like a distinction without a difference.
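The post above argues that an updater which can be subverted by compromising the hosting provider is itself a weakness in the app. The defensive property at stake is that update authenticity should not depend on the server being honest. The Go program below is an added example, not code from Notepad++ or from the Privacy Guides article: it uses a constructed, hypothetical manifest format (version, installer name, SHA-256 of the installer) with a detached Ed25519 signature verified against a key pinned in the client. The installer bytes and file names are made up for the demonstration. It shows the two failure modes a compromised host could attempt, swapping the installer under a signed manifest and rewriting the manifest, and that each is rejected without any trust in the host.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a constructed update descriptor (assumption: not the real
// Notepad++ updater format). The client verifies a detached signature over
// Bytes() using a public key compiled into the binary, so a host that controls
// the download server can alter files but cannot forge a valid signature.
type Manifest struct {
	Version   string
	Installer string
	SHA256Hex string
}

// Bytes is the canonical byte encoding that gets signed and verified.
func (m Manifest) Bytes() []byte {
	return []byte(m.Version + "\n" + m.Installer + "\n" + m.SHA256Hex + "\n")
}

var (
	ErrBadSignature = errors.New("manifest signature does not match pinned key")
	ErrBadDigest    = errors.New("installer digest does not match signed manifest")
)

// NewManifest builds a manifest whose digest field is bound to the installer bytes.
func NewManifest(version, name string, installer []byte) Manifest {
	sum := sha256.Sum256(installer)
	return Manifest{Version: version, Installer: name, SHA256Hex: hex.EncodeToString(sum[:])}
}

// SignManifest is the release-side step, run offline with the private key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Bytes())
}

// VerifyUpdate is the client-side check: the manifest must carry a signature
// from the pinned key, and the downloaded installer must hash to the digest
// that signed manifest names. Both checks run before anything is executed.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, sig []byte, installer []byte) error {
	if !ed25519.Verify(pinned, m.Bytes(), sig) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256Hex {
		return ErrBadDigest
	}
	return nil
}

func main() {
	// Key generation stands in for the vendor's offline release key (nil reader = crypto/rand).
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}

	genuine := []byte("constructed genuine installer bytes") // constructed sample
	m := NewManifest("1.0.0", "editor-setup.exe", genuine)   // hypothetical file name
	sig := SignManifest(priv, m)
	fmt.Println("genuine update:", VerifyUpdate(pub, m, sig, genuine))

	// Scenario 1: the host swaps the installer but leaves the signed manifest in place.
	tampered := []byte("constructed tampered installer bytes")
	fmt.Println("swapped installer:", VerifyUpdate(pub, m, sig, tampered))

	// Scenario 2: the host rewrites the manifest so the digest matches its
	// installer; the old signature no longer covers the new bytes.
	m2 := NewManifest("1.0.1", "editor-setup.exe", tampered)
	fmt.Println("rewritten manifest:", VerifyUpdate(pub, m2, sig, tampered))
}
```

The important design choice is that the pinned key lives in the client, not on the server: a compromise of the hosting provider then yields no path to a valid signature, and the updater fails closed. This does not cover theft of the signing key itself or a malicious release process, which are separate risks.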

I was going off what the Rapid7 analysis said:

While reporting references both plugin replacement and updater-related mechanisms, no definitive artifacts were identified to confirm exploitation of either.

And the official statement from Notepad++:

The exact technical mechanism remains under investigation, though the compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself.


Yeah, I was quoting your post, but I recognize you’re just reporting what they said. The OP here is a solid report on the situation; I just don’t like the way the developers themselves have responded.
