
Security Advisory: Notepad++ Third-Party Software Risk - Update to Version 8.9.1

ISI is sharing this notice to inform customers of a recently disclosed third-party software risk involving Notepad++.

The Notepad++ vendor confirmed that a portion of its update distribution infrastructure was temporarily compromised. During the affected period, some systems that downloaded or updated Notepad++ may have received software that did not originate from a trusted source.

Public reporting indicates this activity was selective rather than widespread. Even so, this represents a software supply chain risk, and ISI is addressing it proactively to reduce potential exposure and maintain system integrity.

The vendor has since completed remediation and released Notepad++ version 8.9.1, which is confirmed to be a trusted and clean release. ISI is standardizing on this version to ensure a consistent and defensible security baseline across supported environments.

Why This Update Is Required

Third-party software update mechanisms are a known attack vector. When update integrity cannot be fully guaranteed, even limited exposure creates unnecessary risk.

Standardizing on a verified version of Notepad++ helps:

  • Reduce exposure to unauthorized or modified software
  • Ensure integrity of installed application binaries
  • Support consistent endpoint validation and monitoring
  • Maintain a defensible security baseline aligned with security best practices

What Customers in ISI-Managed Environments Should Expect

For customers operating in environments managed by ISI, remediation activities are being handled through coordinated security and IT efforts.

This is a preventive measure. No customer action is required unless specifically directed by ISI.

Current actions include:

  • Deployment of Notepad++ version 8.9.1 to standardize installations
  • Validation of installed binaries to confirm endpoints are running trusted versions
  • Ongoing monitoring for abnormal behavior related to Notepad++ execution or updates

Customers may notice brief update activity or short service interruptions while the update completes.

Guidance:

  • Do not manually download or update Notepad++ outside of ISI-managed tooling
  • Continue normal operations unless contacted by ISI
  • Direct any questions or concerns through standard ISI support channels

Guidance for Customer-Managed Environments

For customers who manage their own IT environments, this notice is provided for awareness and planning.

Why This Matters

The Notepad++ vendor disclosed a temporary compromise of its update distribution infrastructure. Systems that updated during the affected period from untrusted sources may have been exposed to unauthorized or modified software.

The vendor has remediated the issue and released version 8.9.1 as a trusted update.

Recommended Actions

Customers should review their environments and, as appropriate:

  • Confirm installed Notepad++ versions and update to 8.9.1 from a trusted source
  • Validate application binaries using digital signatures or known-good hashes where possible
  • Review endpoints that may have updated during the affected period
  • Review endpoint telemetry and security tooling for signs of unauthorized activity
  • Review recent identity sign-ins and session activity for suspicious behavior
  • Reset credentials if exposure is suspected

If an endpoint cannot be confidently validated, customers should treat the situation as a potential security incident. This may include isolating the device, investigating for persistence or unauthorized activity, and reimaging from a known-clean baseline if needed.
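The version and binary-validation checks listed above can be scripted per endpoint. The PowerShell below is an added example, not ISI or vendor tooling: the install paths are assumed defaults, the function name is hypothetical, and the known-good hash is a placeholder to fill in from a trusted source. It reports the signer for manual comparison and does not assume a signer name.

```powershell
# Added example, not from the advisory. Install paths are assumed defaults.
param(
    [string[]]$Paths = @(
        "$env:ProgramFiles\Notepad++\notepad++.exe",
        "${env:ProgramFiles(x86)}\Notepad++\notepad++.exe"
    ),
    [version]$Baseline = '8.9.1',          # version named in the advisory
    # Placeholder: paste the SHA-256 published by a trusted source for your build.
    [string]$KnownGoodSha256 = '<SHA256-FROM-TRUSTED-SOURCE>'
)

function Test-NppBinary {   # hypothetical helper name
    param([string]$Path, [version]$Baseline, [string]$KnownGoodSha256)

    $info = (Get-Item -LiteralPath $Path).VersionInfo
    # Assumes the version resource carries major.minor.build (e.g. 8.9.1.0).
    $ver  = [version]::new($info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # The hash check is skipped ($null) until the placeholder is replaced.
    $hashMatch = $null
    if ($KnownGoodSha256 -match '^[0-9a-fA-F]{64}$') {
        $hashMatch = ($hash -eq $KnownGoodSha256)   # -eq ignores case
    }

    # Pass only if the signature validates, the version is exactly the
    # baseline, and the hash (when supplied) matches.
    $ok = ($sig.Status -eq 'Valid') -and ($ver -eq $Baseline) -and ($hashMatch -ne $false)

    [pscustomobject]@{
        Path            = $Path
        Version         = $ver
        AtBaseline      = ($ver -eq $Baseline)
        SignatureStatus = $sig.Status
        # Compare with the signer the vendor publishes; no name is assumed here.
        Signer          = $sig.SignerCertificate.Subject
        Sha256          = $hash
        HashMatch       = $hashMatch
        Verdict         = if ($ok) { 'PassedChecks' } else { 'Investigate' }
    }
}

$found = $Paths | Where-Object { $_ -and (Test-Path -LiteralPath $_) }
if (-not $found) { Write-Output 'Notepad++ not found at the assumed paths.' }
foreach ($p in $found) {
    Test-NppBinary -Path $p -Baseline $Baseline -KnownGoodSha256 $KnownGoodSha256
}
```

A `PassedChecks` verdict with `HashMatch` empty means only the signature and version were checked, so the reported signer still needs to be compared against the vendor's published signing identity.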

Questions or Support

Customers with questions about this notice or their environment are encouraged to contact ISI through standard support channels:

Email: support@dodsecurity.com
Phone: 202-792-3042

Stay safe and stay vigilant.

ISI Cyber Security Team
