Bad week to be a text editor.
Notepad++: supply chain compromise
Notepad++ confirmed that state-sponsored attackers hijacked their update service for six months last year. The attackers compromised the hosting provider and selectively pushed trojanised installers to targets in telecoms and finance. The activity has been attributed to Chinese APT groups. 400GB of logs were analysed, and no indicators of compromise were recovered.
If you're running Notepad++, update to v8.9.1 manually. Don't trust the cached updater.
Windows Notepad: command injection
Then February's Patch Tuesday dropped CVE-2026-20841 — a CVSS 8.8 command injection in Windows Notepad. Microsoft added Markdown rendering and apparently forgot to check whether it should be allowed to launch arbitrary protocol handlers and execute remote files.
Open a .md file. Click a link. Game over.
What to do
The immediate actions are straightforward: update Notepad++ to v8.9.1 manually, apply February Patch Tuesday for Windows Notepad, and think about what's registered to open .md files in your environment.
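An added example (not from the original post) of a read-only endpoint check for the actions above: it reports what is registered to open .md files for the current user and flags any installed Notepad++ older than v8.9.1. The function names are hypothetical, and finding Notepad++ through its uninstall `DisplayName` is an assumption about how it was installed.

```powershell
# Added example: read-only audit. Run in the context of the user being checked.
$MinNpp = [version]'8.9.1'   # version named in the article

function Get-MdHandler {
    # The per-user choice overrides the machine-wide class default.
    $uc = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.md\UserChoice'
    $progId = (Get-ItemProperty -Path $uc -ErrorAction SilentlyContinue).ProgId
    $source = 'UserChoice'
    if (-not $progId) {
        $progId = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.md' -ErrorAction SilentlyContinue).'(default)'
        $source = if ($progId) { 'HKCR' } else { 'none' }
    }
    $command = $null
    if ($progId) {
        # Packaged (Store) apps may have no plain open command; that shows up as empty.
        $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
        $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
    }
    [pscustomobject]@{ Source = $source; ProgId = $progId; OpenCommand = $command }
}

function Get-NppStatus {
    # Assumption: Notepad++ was installed with its installer and has an uninstall entry.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Notepad++*' } |
        ForEach-Object {
            $v = $_.DisplayVersion -as [version]   # $null if the string does not parse
            [pscustomobject]@{
                Name    = $_.DisplayName
                Version = $_.DisplayVersion
                Status  = if (-not $v) { 'UNKNOWN' } elseif ($v -lt $MinNpp) { 'OUTDATED' } else { 'OK' }
            }
        }
}

Get-MdHandler | Format-List
Get-NppStatus | Format-Table -AutoSize

# Windows Notepad ships as a Store package; the article gives no fixed build
# number, so this only reports the installed version for comparison.
Get-AppxPackage -Name Microsoft.WindowsNotepad | Select-Object Name, Version
```

Portable copies of Notepad++ have no uninstall entry and will not appear in this output, so they need a separate file-system search.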
The broader point is that two different editors, with two completely different attack vectors, landed in the same week. The tools you'd never bother risk-assessing are the ones catching people out. If it runs on your endpoints and it can open files from the network, it's part of your attack surface — even if it's "just a text editor."