Hacker News

Checking for updates and pulling in plug-ins. Both are valid.


As for updates - my OS has a built-in package management system, which is responsible for installing and updating packages. Why should notepad++ bypass that and do its own independent update process?


Because other OSs do not and the notepad++ team wants all users to have a similar experience.

If you don’t need auto updates, just disable them.

More importantly, notepad++ being able to update itself is not the exploit here. Your OS’ package manager would download the same compromised binary as notepad++’s built-in updater.


What OS doesn't have a package manager now? Windows, Linux, and macOS all have their own systems.

On Windows, the package manager downloads the release of notepad++ directly from GitHub, so it would not have been compromised. The hijack was done on the notepad++ website at the webhost level as I understand it, and the built-in updater pulled from there.


A browser can download updates and plugins to be installed locally. I too do not want all my apps making internet connections. Sandboxes / namespaces can help a little.


I think these days updates through the OS package manager are a better option; Windows has had winget for 5+ years now, and obviously Linux and macOS both have their own established systems.


It's because of issues like these that I do not agree with your statement of validity. It's also cheaper code-wise to not have these contraptions.


> Checking for updates

Why? CADT?



