
[Package Issue]: Notepad++.Notepad++ versions older than 8.8.9 are vulnerable #335930

@R-Adrian

Description


Please confirm these before moving forward

  • I have searched for my issue and not found a work-in-progress/duplicate/resolved issue.
  • I have not been informed if the issue is resolved in a preview version of the winget client.

Category of the issue

Other

Brief description of your issue

Notepad++ Hijacked by State-Sponsored Hackers
https://notepad-plus-plus.org/news/hijacked-incident-info-update/

Is it possible to modify the WinGet manifests of older versions of Notepad++ to remove the download URLs so they can no longer be installed via WinGet?

... or just delete the old manifests completely from the WinGet repository?

Steps to reproduce

Supply chain problem: the built-in updater does not validate digital signatures on executable files it has downloaded, and some of them even use only HTTP URLs, not HTTPS.

Actual behavior

OUCH

Expected behavior

  • *facepalm*

Environment

Environment not relevant; this is a supply chain problem.

Screenshots and Logs

No response
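Two checks a Windows administrator would want after reading the report above: whether the installed Notepad++ is older than 8.8.9 (the version the issue title treats as the first non-vulnerable release), and whether a downloaded installer carries a valid Authenticode signature from the expected publisher, which is the validation the issue says the built-in updater does not perform. This is an added example written for this page; it is not code from the issue, from winget-pkgs or from the Notepad++ project. The uninstall registry key name, the installer path and the expected signer name pattern are assumptions and must be adjusted to your environment.

```powershell
# Added example, not part of the issue or of the Notepad++ project.
# 1. Compare the installed Notepad++ version against 8.8.9 (from the issue title).
# 2. Verify the Authenticode signature of a downloaded installer before running it.
# Assumptions: the registry key written by the Notepad++ installer is "Notepad++",
# the installer path below is a placeholder, and the signer CN contains "Notepad++".

$MinimumSafe = [version]'8.8.9'

function Get-NotepadPlusPlusVersion {
    # Assumption: default install registers under the "Notepad++" uninstall key.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Notepad++',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Notepad++'
    )
    foreach ($k in $keys) {
        $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($p -and $p.DisplayVersion) { return [version]$p.DisplayVersion }
    }
    return $null
}

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$ExpectedSubjectPattern
    )
    # Get-AuthenticodeSignature checks the embedded signature and its chain.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status for $Path is '$($sig.Status)': do not run this file."
        return $false
    }
    # A valid signature from the wrong publisher is still a failure.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch $ExpectedSubjectPattern) {
        Write-Warning "Valid signature, but signer '$subject' does not match the expected publisher."
        return $false
    }
    Write-Host "OK: $Path is signed by $subject (thumbprint $($sig.SignerCertificate.Thumbprint))."
    return $true
}

$installed = Get-NotepadPlusPlusVersion
if ($null -eq $installed) {
    Write-Host 'Notepad++ not found in the uninstall registry.'
} elseif ($installed -lt $MinimumSafe) {
    Write-Warning "Installed Notepad++ $installed is older than $MinimumSafe; update from the official site over HTTPS."
} else {
    Write-Host "Installed Notepad++ $installed is $MinimumSafe or newer."
}

# Placeholder path and signer pattern (assumptions): replace with the file you
# downloaded and the publisher name shown on the official release's certificate.
$InstallerPath = "$env:USERPROFILE\Downloads\npp.Installer.x64.exe"
if (Test-Path $InstallerPath) {
    Test-InstallerSignature -Path $InstallerPath -ExpectedSubjectPattern 'Notepad\+\+'
}
```

Run it in an elevated PowerShell session only if you need the 64-bit registry view from a 32-bit host; otherwise a normal session suffices. The version check relies on the NSIS uninstall entry, so a portable (zip) install will report "not found" and must be checked by inspecting the binary's file version instead.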

Metadata


Assignees

No one assigned

    Labels

    Issue-Bug: It either shouldn't be doing this or needs an investigation.
    Needs-Triage: This work item needs to be triaged by a member of the core team.
