TL;DR
A fraudulent "Notepad++ for Mac" release has been circulating online, prompting the creator of the original Notepad++ to issue a public disavowal. The developer made clear that no official macOS version has ever been released, and users who downloaded the fake software may have compromised their systems. The incident highlights the persistent danger of platform-impersonation malware and the need for users to verify software sources.
What Happened
On Monday, May 4, 2026, Ars Technica reported that a fraudulent application claiming to be "Notepad++ for Mac" had been distributed online, prompting Don Ho, the creator of the original Notepad++ text editor, to issue a forceful public disavowal. Ho stated unequivocally: "To be clear: Notepad++ has never released a macOS version." The fake release was discovered circulating on third-party download sites and potentially through social media channels, targeting macOS users who have long requested a native port of the popular Windows-based text editor.
Key Facts
- Don Ho, the sole developer of Notepad++, explicitly stated the software "has never released a macOS version" as of May 4, 2026.
- The fraudulent "Notepad++ for Mac" was found on third-party download sites and possibly through social media channels, not on the official Notepad++ website or GitHub repository.
- Notepad++ is a free, open-source text editor for Windows that has been actively developed since 2003 and has over 30 million downloads.
- The fake macOS version likely contains malware or adware, posing a security risk to users who install it, though specific payload details have not been publicly confirmed.
- Ars Technica broke the story on May 4, 2026, citing Ho's public statement and warning readers about the scam.
- This incident follows a broader trend of cross-platform impersonation attacks, where malicious actors exploit demand for popular Windows-only software on macOS.
- The official Notepad++ website (notepad-plus-plus.org) and its GitHub repository remain the only trusted sources for the genuine software.
Breaking It Down
The core of this story is not merely a case of software piracy but a deliberate social engineering attack that exploits a known gap in the software ecosystem. Notepad++ has been a Windows-exclusive application for over two decades, and its popularity—especially among developers, sysadmins, and writers—has created persistent demand for a macOS version. This demand is precisely what the attackers weaponized.
The fake "Notepad++ for Mac" represents a classic brand-jacking attack: leveraging trust in a well-known open-source project to distribute malicious software to an audience that is both technically savvy and likely to bypass security warnings.
The choice of Notepad++ is strategic. Its user base overlaps heavily with macOS power users who work in cross-platform environments—web developers, data scientists, and IT professionals. These users are accustomed to installing software from unofficial sources, especially for niche tools. By impersonating a widely trusted application, the attackers increase the likelihood that victims will disable Gatekeeper or ignore unsigned-app warnings. Furthermore, the absence of an official macOS version means there is no legitimate binary to compare against, making detection harder for casual users.
This incident also underscores a structural weakness in the open-source software distribution model. While Notepad++ is open-source, its codebase is written in C++ and deeply tied to the Windows API (specifically Scintilla and Win32). Porting it to macOS would require a complete rewrite of the UI layer—a massive undertaking that Don Ho has never committed to. The fake release exploits this gap by presenting a plausible-looking macOS app that may or may not function as a text editor, but whose primary purpose is to deliver a payload. Without official Apple notarization or a verified developer signature, the fake app should trigger macOS security warnings, but many users ignore these.
What Comes Next
The immediate aftermath will involve efforts to takedown the fraudulent download links and warn users. However, the broader implications will unfold over weeks and months.
- Security researchers will analyze the fake app: Expect reverse-engineering reports within days that detail the malware's capabilities—whether it steals credentials, installs ransomware, or functions as a backdoor. This analysis will inform future detection signatures.
- Apple may revoke any associated developer certificates: If the fake app was signed with a stolen or fraudulent Apple Developer ID, Apple will revoke it and potentially blacklist the account. This could prevent further distribution using the same certificate.
- Don Ho may face renewed pressure to consider a macOS port: While he has consistently declined, this incident could spark community debate about whether an official macOS version would reduce such scams. However, Ho's public statement suggests no change in position.
- Third-party download sites will face scrutiny: Sites like SourceForge, MacUpdate, and others that host unsigned or unverified apps may come under pressure to implement stricter vetting processes for "ported" software.
The Bigger Picture
This story connects to two broader trends: cross-platform impersonation malware and the open-source security dilemma. First, cross-platform impersonation is a growing attack vector. As macOS gains market share among developers and enterprise users, attackers increasingly target the platform with fake versions of Windows-only tools like Notepad++, 7-Zip, or IrfanView. These attacks work because macOS users have historically felt safer than Windows users and may be less vigilant about verifying software sources.
Second, the incident highlights the open-source security dilemma: popular open-source projects maintained by small teams or single developers are inherently vulnerable to impersonation. Don Ho, as a solo developer, cannot police every third-party site or social media post. Unlike major corporations with dedicated security teams, open-source maintainers rely on community vigilance and platform takedown processes that are often slow. This asymmetry between the effort required to create a convincing fake and the effort required to stop it is a structural weakness in the open-source ecosystem.
Key Takeaways
- [Official Disavowal]: Notepad++ creator Don Ho has explicitly stated no macOS version has ever been released; any such download is fraudulent.
- [Security Risk]: The fake "Notepad++ for Mac" likely contains malware; users who downloaded it should immediately scan their systems and change passwords.
- [Verification Protocol]: Only download Notepad++ from the official website (notepad-plus-plus.org) or its GitHub repository; never trust third-party sites offering "ported" versions of Windows-only software.
- [Attack Vector]: This is a brand-jacking social engineering attack exploiting long-standing demand for a macOS version of a popular Windows tool.
