This notice only applies to individuals who use Notepad++ and have not yet updated.
The MSU community should be aware of a recently disclosed global security incident involving Notepad++, a text editing application commonly used for programming and document editing.
What happened
A third-party hosting provider for the Notepad++ website experienced a compromise between June and December 2, 2025. During that time, attackers were able to redirect update requests from certain users to malicious servers that downloaded malware.
Importantly, this was not a vulnerability in MSU systems or Notepad++ itself. This issue occurred at the external hosting provider responsible for serving update files. While the incident has been remediated, it is important that you manually update Notepad++ on every device where it is installed.
Why this matters to MSU
Some members of our community use Notepad++ on university owned or personal devices. If those installations attempted to auto update during the affected period, there is a possibility—though low probability—of receiving a malicious update.
What you need to do
If you use Notepad++, please read the following to ensure your system is protected:
- Manually update Notepad++ to the latest secure version (v8.9.1 or newer). This release includes enhanced certificate and signature verification that prevents the vulnerability. Download the trusted official installer directly from: https://notepad-plus-plus.org/downloads/
- If you use Notepad++ on a university owned workstation, run MSU’s standard endpoint security scans after updating.
- If you maintain scripts, plugins, or workflows that rely on older Notepad++ versions, please confirm they remain compatible with current releases and update accordingly.
Where to get help
If you have questions, please submit a request for help at ithelp.msu.edu or contact the MSU IT Service Desk at (517) 432-6200.
Thank you for helping us keep our campus secure
