ITS IA Advisory: Update Notepad++ on Windows systems for recently-exploited vulnerability

This message is intended for U-M IT staff who are responsible for university workstations or servers running Notepad++, and for other users with Notepad++ installed on their computers.

Summary

Update Notepad++ on all Windows systems for a vulnerability exploited by state-sponsored hackers to gain access to targeted systems.

Threats

This vulnerability has been exploited in the wild in targeted attacks primarily focused on organizations in Southeast Asia and Central America in government and the telecommunications, media, aviation, critical infrastructure, and financial services industries.

Affected Versions

All versions before v8.9.1

Action Items

Update all instances of Notepad++ to v8.9.1 or later now. Apply the update to v8.9.2 when it becomes available.
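
To check a Windows machine against the version threshold above, the following PowerShell is an added example; it is not part of the ITS advisory and not code from the Notepad++ project. It assumes Notepad++ was installed with its installer, so that it appears in the standard Windows uninstall registry locations with a DisplayName beginning with "Notepad++". The function name Get-NotepadPlusPlusStatus is made up for this example.

```powershell
# Added example: list registered Notepad++ installs and flag versions below the fixed release.
# Assumption: the installer registered an uninstall entry whose DisplayName starts with "Notepad++".

$Fixed = [version]'8.9.1'   # from the advisory: all versions before v8.9.1 are affected

# Standard Windows uninstall locations: 64-bit, 32-bit on 64-bit Windows, and per-user.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-NotepadPlusPlusStatus {
    param([version]$FixedVersion = $Fixed)

    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Notepad++*' } |
        ForEach-Object {
            $raw    = [string]$_.DisplayVersion
            $parsed = $null
            # Tolerate a leading "v"; anything that still fails to parse is reported
            # as Unknown so it gets a manual look instead of silently passing.
            $ok = [version]::TryParse(($raw -replace '^[vV]', ''), [ref]$parsed)

            if (-not $ok)                       { $status = 'Unknown'  }
            elseif ($parsed -lt $FixedVersion)  { $status = 'Affected' }
            else                                { $status = 'OK'       }

            [pscustomobject]@{
                Computer    = $env:COMPUTERNAME
                DisplayName = $_.DisplayName
                Version     = $raw
                Status      = $status
            }
        }
}

Get-NotepadPlusPlusStatus | Sort-Object Status | Format-Table -AutoSize
```

Copies that were unpacked without the installer are not registered and will not appear in this output, so an empty result does not prove that Notepad++ is absent from the machine.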

Technical Details

A compromise of an update-hosting provider allowed suspected state-sponsored hackers to exploit a vulnerability in the Notepad++ update feature. Even after remediation of the hosting provider, threat actors were able to redirect the update traffic on targeted systems, exploit a verification flaw in Notepad++, and deliver sophisticated malware to those systems in place of the expected updates. This malware provides the threat actors with "backdoor" access to the compromised systems.

How We Protect U-M

ITS Information Assurance is checking for signs of compromise on U-M systems by using tools such as CrowdStrike Falcon and U-M Net Border Security.

ITS provides CrowdStrike Falcon to units; it should be installed on all UM-owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers).

Information for Users

MiWorkspace machines will be updated to current versions of Notepad++, with a new version released to MiWorkspace machines beginning Thursday, Feb. 5. No user action is required for this update. For assistance with university-owned devices not managed by MiWorkspace, contact your unit IT department.

If you have Notepad++ installed on your personal devices, you should update immediately by downloading version 8.9.1 and running the installer manually instead of using the update feature built into Notepad++.

Questions, Concerns, Reports

Please contact ITS Information Assurance through the ITS Service Center.