I guess my habit of running a firewall and not allowing programs to access the internet unless they actually need it is helpful for stuff like this.
Absolutely no reason a text editor needs internet access.
I only update stuff through winget, which fetches the installer from github in a lot of cases, and changing a package requires a PR to the winget repo AFAIK. Not foolproof of course though.
As for updates - my OS has a built-in package management system, which is responsible for installing and updating packages. Why should notepad++ bypass that and do its own independent update process?
A browser can download updates and plugins to be installed locally. I too do not want all my apps making internet connections. Sandboxes / namespaces can help a little.
I think these days updates through the OS package manager is a better option, windows has had winget for 5+ years now, and obviously linux and macos both have their own established systems.
LittleSnitch is great for MacOS; it is easily configured to alert you every time your machine makes ip/domain connections, which can then be accepted, denied, or rules made
> LittleSnitch is great for MacOS; it is easily configured to alert you every time your machine makes ip/domain connections, which can then be accepted, denied, or rules made
For an open-source alternative, consider checking out Lulu [0]. It's not as feature-rich and doesn't have as impressive a UI as the former, but it gets the main work done.
Binisoft WFC for Windows is a free outbound firewall. It was acquired by MalwareBytes awhile back, but they have not interfered with development so far.
It has some areas where improvement is needed, but the fundamentals work and the user interface design is decent.
I am surprised it's not more popular for Windows users. All of the alternatives I've tried have critical issues which made me dismiss them as unserious.
Yeah I've been using Fort on windows, it's easy to use and not closed source and full of bloat like the commonly suggested windows firewalls from various security companies.
It shouldn't! Fort just flashes the tray icon if there's a new connection request and you can click it whenever you want, instead of a popup in your face in the middle of something.
It doesn't matter really because nowadays all of them are just front-ends to Windows Firewall.
Also legitimate software (i.e. firewall/AV) cannot use "oldschool" tricks like system service descriptor table hooks to obtain godlike privileges these days, while malware sometimes can do this by exploiting vulnerabilities, so in such cases it may be an unequal fight.
It's the best one I found after trying a few, because it's pretty easy to use, and lets me disable notification popups which is a part that always frustrates me about other options.
So, let me get this straight. If I've been lazy, postponed updates and I'm still on 8.5.8 (Oct 2023) - it turns out I'm actually...safer?
Anyway, I hope the author can be a bit more specific about what actually has happened to those unlucky enough to have received these malicious updates. And perhaps a tool to e.g. do a checksum of all Notepad++ files, and compare them to the ones of a verified clean install of the user's installed version, would be a start? Though I would assume these malicious updates would be clever enough to rather have dropped and executed additional files, rather than doing something with the Notepad++ binaries themselves.
And I agree with another comment here. With all those spelling mistakes that notification kind of reads like it could have been written by a state-sponsored actor. Not to be (too) paranoid here, but can we be sure that this is the actual author, and that the new version isn't the malicious one?
This reminds me of college, when some of my professors were still sorting out their curriculum and would give us homework assignments with bugs in it.
I complained many times that they were enabling my innate procrastination by proving over and over again that starting the homework early meant you would get screwed. Every time I'd wait until the people in the forum started sounding optimistic before even looking at the problem statement.
I still think I'd like to have a web of trust system where I let my friends try out software updates first before I do, and my relatives let me try them out before they do.
Ah, I remember those days. One that wasn't an error exactly was an assignment that had a word limit of 2000 words or something. I'd written maybe 3000 words and spent quite some time cutting it down, getting it to just under the limit. Then someone else who also wrote too many words asked the professor if that was okay and they sent out an update to everyone saying it's fine to ignore the word limit.
I work in a lab as an analyst (bioinformatician); we register and pay for quality assurance programs that contain an embarrassing amount of technical errors.
> So, let me get this straight. If I've been lazy, postponed updates and I'm still on 8.5.8 (Oct 2023) - it turns out I'm actually...safer?
Is this surprising? My model is that keeping with the new versions is generally more dangerous than sticking with an old version, unless that old version has specific known and exploitable vulnerabilities.
Yes, it is very much atypical. Most hacks happen because admins still haven't applied a 2-year-old patch. I hate updates, but it's statistically safer than running an old software version. Try exposing a Windows XP to the internet and watch how long it takes before it's hacked.
Steve from Security Now podcast has been specifically using Notepad++ as an example of not being able to leave good enough alone for years now. Can't wait to hear him claim his told you so next week.
>I'm still on 8.5.8 (Oct 2023) - it turns out I'm actually...safer?
Notepad++ site says The incident began from June 2025.
On their downloads page, 8.8.2 was the first update in June 2025 (the previous update 8.8.1 was released 2025-05-05)
So, if your installed version is 8.8.1 or lower, then you should be safe. Assuming that they're right about when the incident began.
edit: Notepad++ has published, on Github, SHA256 hashes of all the binaries for all download versions, which should let users check if they were targeted, if they still have the downloaded file. 8.8.1 is here, for example - https://github.com/notepad-plus-plus/notepad-plus-plus/relea...
Just checked my 8.7.9 that I installed in April 2025 and never updated. The hash seems to be identical to the version I installed around that time. Seems like it was a good choice to always skip the Update Dialog when using Notepad++ lol.
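The checks described in this thread (comparing a downloaded installer against the SHA256 list Notepad++ published on GitHub, or checksumming a set of files against a known-good reference) come down to parsing a sha256sum-style listing and comparing digests. The following Go program is an added example, not code from the Notepad++ project or from anyone in this thread; the listing, file names and file contents are constructed for the example (the digests are the standard SHA-256 test vectors for "abc" and for empty input), so running it against a real release means substituting the real listing and the real files.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// ParseHashList reads a sha256sum-style listing into a map from file name
// to raw digest. Each line is "<hex> <name>" with either two spaces (text
// mode) or " *" (binary mode) between the fields; blank lines and '#'
// comments are skipped, and a malformed digest is an error rather than a
// silently ignored entry.
func ParseHashList(text string) (map[string][]byte, error) {
	out := make(map[string][]byte)
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		sep := strings.IndexAny(line, " \t")
		if sep < 0 {
			return nil, fmt.Errorf("line %d: no file name", n)
		}
		digest, err := hex.DecodeString(line[:sep])
		if err != nil || len(digest) != sha256.Size {
			return nil, fmt.Errorf("line %d: %q is not a SHA-256 digest", n, line[:sep])
		}
		name := strings.TrimPrefix(strings.TrimLeft(line[sep:], " \t"), "*")
		if name == "" {
			return nil, fmt.Errorf("line %d: empty file name", n)
		}
		out[name] = digest
	}
	return out, sc.Err()
}

// VerifyFiles hashes each candidate file and reports, per name, "ok",
// "mismatch" (bytes differ from the published digest) or "not-in-list"
// (the publisher never vouched for a file of that name, which in an
// install directory is itself worth a look).
func VerifyFiles(list map[string][]byte, files map[string][]byte) map[string]string {
	res := make(map[string]string, len(files))
	for name, data := range files {
		want, ok := list[name]
		if !ok {
			res[name] = "not-in-list"
			continue
		}
		got := sha256.Sum256(data)
		if subtle.ConstantTimeCompare(got[:], want) == 1 {
			res[name] = "ok"
		} else {
			res[name] = "mismatch"
		}
	}
	return res
}

// SampleListing is a constructed hash list in the sha256sum format. The
// digests are the SHA-256 test vectors for "abc" and for the empty input;
// the file names are invented for this example.
const SampleListing = `# constructed listing, not a real Notepad++ release
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  sample.Installer.exe
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 *sample.empty.bin
`

func main() {
	list, err := ParseHashList(SampleListing)
	if err != nil {
		panic(err)
	}
	// Constructed "downloaded" files: one genuine, one tampered, one unlisted.
	files := map[string][]byte{
		"sample.Installer.exe": []byte("abc"),
		"sample.empty.bin":     []byte("abd"),
		"sample.extra.dll":     []byte("not vouched for"),
	}
	for name, status := range VerifyFiles(list, files) {
		fmt.Printf("%-22s %s\n", name, status)
	}
}
```

To use it on a real download, paste the published listing into SampleListing (or read it from a file) and load the installer bytes with os.ReadFile under the name the listing uses. A constant-time compare is not strictly needed for a local check, but it costs nothing and is the habit to keep for any digest comparison.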
"So, let me get this straight. If I've been lazy, postponed updates and I'm still on 8.5.8 (Oct 2023) - it turns out I'm actually...safer?"
This is true for a large number of software "security" issues
A software version earlier in date/time is not necessarily inferior (or superior) to a version later in date/time
As it is "updated" or rewritten, software can become worse instead of better, or vice versa, for a variety of reasons
Checking software's release date, or enabling/allowing "automatic updates" is not a substitute for reading source code and evaluating software on the merits
> And perhaps a tool to e.g. do a checksum of all Notepad++ files, and compare them to the ones of a verified clean install of the user's installed version, would be a start?
Did I understand the attack wrongly? The software could have a 100% correct checksum, because the attack happened in a remote machine that deals with call home events from Notepad++, I guess one of those "Telemetry" add-ons. The attackers did a MITM to Notepad++ traffic.
The remote machine that was compromised was responsible for Notepad++ updates, so the concern is that it could cause a compromised version of the software to be installed. But if it could do that, it could probably cause anything to be installed anywhere on the user's machine, so inspecting the installed N++ binary probably wouldn't be too useful.
I disable auto update for everything that does not have direct contact with the Internet otherwise (mail app, browser, OS, router,...).
Probability for some random app being exploited because updates were skipped is insignificant compared to the probability of a malicious update.
Updates are a direct connection from the Internet to your computer. You want to minimize that.
Yes, of course you're safer. If your system is working as desired, updates can only break it. This is just Engineering 101, but for whatever reason, all logic is abandoned on the topic of security updates.
It looks like using Chocolatey [1] saved me from this attack vector because maintainers hardcode SHA256 checksums (and choco doesn't use WinGuP at all).
I can't help but feel there must be some better venue for such messaging.
When I see politics in software updates or documentation, nothing happens because I'm not looking to use the software for political activism. Maybe I tell my adblocker to remove the messaging, and carry on with my task.
I can engage with politics in a social context, when political messaging isn't interrupting something else I'm doing; that's a better place for activism, IMHO.
I almost always see activists using the argument that if I don't like the messaging then I'm part of the problem. Somehow I doubt that, given I don't mind messaging at all, where it's appropriate.
My opinion is that open source documentation is like polite dinner conversation: It’s not the proper place to discuss politics.
If an author wishes to use their open source project as a platform to discuss politics, that’s the author’s prerogative. But then, as perhaps in this instance, it could be to the detriment of the project itself.
> My opinion is that open source documentation is like polite dinner conversation: It’s not the proper place to discuss politics.
I know this is a common turn of phrase, but I can not help thinking that if the political conversation is impolite it is because someone in the conversation is being impolite, not due to the topic itself.
This is a very head in the sand approach to life that only those who are entitled may partake in. Reality is that most cannot live in ignorance of what is happening around them because it is also happening to them. Obviously not everything needs to remind you of stressful reality, but we also shouldn't avoid reality just because we are privileged enough to do so.
Ah, so this has to do with mainland China going after those who think the Taiwanese do not belong to mainland China. Well, I see them as independent folks. Mainland China needs to stop thinking it can occupy land willy-nilly; unfortunately with USA, Russia and China thinking they can bully other countries that lack nukes, I think these smaller countries absolutely need nukes for defensive purpose.
It is also annoying that all these three countries think they can bully other countries too. That is basically them saying they can kill other people in other countries at all times no matter the real "reason" (just make up a fake reason, such as Russia with regard to Ukraine) - annoying to no ends.
Having said that, and I just pointed out I disagree with mainland China bullying the Taiwanese, I think it would actually be better to have software itself be completely apolitical. I never understood why people felt a need to tie political goals into software. That is a valid statement even if I happen to agree with the political goals here.
In 2026 hoping that software could be (more) apolitical is a very brave stance. I look at the software world and I can see core political statements in almost every popular software. From privacy invasion, supporting shady industries (e.g., marketing) even at the expense of people (a reverse-welfare, in a sense), environmental destruction (e.g., complete lack of care for resource usage) and many more.
If anything, we need much more politics in software, ideally exercised by those who write that software instead of "apolitical" software writers who end up executing the political software of those who pay them.
If you meant to scope your statement only to FOSS, then this still applies (in fact, FOSS is inherently political), plus I suppose some people who invest their time to write software want to also use the same effort for political activism and there is nothing wrong with that. This can be expressing their political views via that software (e.g., vim and the support to children in Uganda) or can be using a license that only allows co-ops to run their software, or many other ways.
The idea that software even could be apolitical stems from the idea that technology can be neutral, which again, in 2026 is really a tough idea to support.
I always worry about tools like this, maintained by small teams, that are so universal that even if only a small fraction of installs are somehow co-opted by malicious actors, you have a wide open attack surface on most tech companies.
e.g. iTerm, Cyberduck, editors of all shades, various VSCode extensions, etc.
I don’t get it, why don’t you all—absolutely all of you reading—use Little Snitch? [1]
It really doesn’t compute in my head why would any macOS user not use a network firewall like this, or similar, to block unwanted outgoing HTTP(s) requests. You can easily inspect the packet with tools like Wireshark or Burp Suite Professional (or Community) edition, or any other proxy tool, of which there are many in the macOS ecosystem.
And this is not unique to macOS, this is all possible in Windows, Linux and any other OS.
It’s a false sense of security, more or less. If an application wants to talk to a C2 they don’t have to make a connection at all, just proxy a connection through something already allowed, or tunnel through DNS. Those juicy cryptocurrency keys? Pop Safari with them in the URL and they’re sent to the malicious actor instantly. If you’re owned Little Snitch does nothing at all for you except give you the impression that you’re not.
It wouldn't protect against this attack though. The Notepad++ update servers were hijacked. Presumably you would allow Notepad++ updates through Little Snitch so you would be equally as vulnerable.
I used to love Zone Alarm's ability to notify me on an application's first attempt to connect to the internet, and allow me to approve or deny it. I really wish there was still such an interface today.
Having said that, I absolutely despised the implementation that stole keyboard focus; if it popped up when I was typing it frequently disappeared before I had a chance to read it and I had to go into settings to try and find what had changed. Nothing should ever steal keyboard focus unless it's urgent, and then it should be such that you can't accidentally manipulate it with a keyboard (see the UAC prompt, which opens in the background if the calling program is in the background, and where once you activate it, you have to hold alt+y/n or tab to a button before it accepts the input; just hitting the y/n key alone won't do anything).
Because I don't want to deal with constant whitelist management, and I simply don't install applications I don't trust. If there's anything really absolutely essential or damaging if it were to leak, I would not put it on an internet-connected device to begin with.
Similarly I worry about how these apps automatically update themselves. I know it can be done securely. I also doubt that these companies invest the engineering effort to do so.
It's not a matter of "immune" - larger organizations generally have more resources to allocate to things like this. That doesn't mean they get it right 100% of the time, but they are at least able to try, while small teams or volunteer projects often simply don't have the hours to spend on things like this.
> Traffic from certain targeted users was selectively redirected to attacker-controlled served malicious update manifests.
I'd be curious to know if there was any pattern as to which users were targeted, but the post doesn't go into any further detail except to say it was likely a Chinese state-sponsored group.
It might have been explicitly targeted, but they did say that there were older versions of Notepad++ with "insufficient update verification controls", so it might have just been that there was only one subset of users actually susceptible to this.
No, the additional update verification was added after this attack was discovered. All Notepad++ installations were vulnerable during the time of the hijacking campaign.
The TLDR is that until version 8.8.7 of Notepad++, the developer used a self-signed certificate, which was available in the Github source code. The author enabled this by not following best practices.
The "good news" is that the attacks were very targeted and seemed to involve hands on keyboard attacks against folks in Asia.
Blaming the hosting company is kind of shady, as the author should own at least some level of the blame for this.
If the attackers did limit themselves to a small number of Asian machines they gave up an absolute goldmine. I would venture to say a lot of technical people use notepad++ at work in jobs that would be very lucrative for an attacker to exploit. I know I definitely had an 'oh shit' moment when I read this and thought about where I have notepad++ installed.
out of curiosity, why is a self signed cert bad for this case? Can't the updater check the validity of the cert just as well regardless? Or did the attackers get access to the signing key as well?
You’d be protected from this particular exploit if you used a package manager rather than the updater, though of course you’d still be vulnerable to the installer binary itself getting compromised.
Wonder how many packages in community package repos are compromised. Surely "Hubbleexplorer" can be trusted to provide Arch users with an honest, clean version of npp.
This is where package managers shine. You never know if there are vulns in the update servers, and you don't know if they even bother with checksums. I never trust apps that self-update for exactly this reason. Turn that shit off and do
choco update notepadplusplus
or
winget upgrade Notepad++.Notepad++
Of course, this does nothing for bugs in the code.
Vindicated once again for turning off any update checks the moment I install any new piece of software.
Even if this sort of (obviously rare) attack is not a concern, it baffles me how few otherwise-intelligent people fail to see the way these updaters provide the network (which itself is always listening, see Room 641A and friends) with a fingerprint of your specific computer and a way to track its physical location based on the set of software you have installed, all of which want to check for updates every goddamn day.
It is baffling to me, as well. You know how you get a remote-code-execution vulnerability? You give a bunch of software permission to fetch code remotely and execute it.
If the people with access to Room 641A want you, you're toast unless you're ready to make some REALLY big digital lifestyle changes that most people would not be amenable to, because you would have to be extremely paranoid on multiple fronts all the time. That kind of heightened vigilance is exhausting and really not worth it.
Sorry for assuming you'd be able to extrapolate from one example. It could be at any level of the funnel from your local machine to the wider Internet. Closer to home: this sort of fingerprinting could defeat things like MAC randomization in a PSK-authed business/university setting if those IT departments had some reason to want to track you.
I once worked at a company where the Security team were very proud of this and all the other tricks they used to catch leakers by figuring out who was on campus, where, at what time, usually via fingerprinting personal devices carried alongside corporate devices.
I use a package manager that checks the hash of the downloaded installer against what's recorded in the package listing for that version. WinGet has been built in to Windows since one of the 2018-era releases of Windows 10: https://i.ibb.co/VYGXdc56/2026-02-01-20-46-28-Greenshot.png
> This is also why update signatures should be validated against a different server; it would require hackers to control both servers to go undetected
No, it should be a hardcoded key held by the developer, preferably using an HSM, and maybe with some sort of notification capability in case the key was lost. Adding a second server adds marginal security. For instance, if the developer's mail was hacked, an attacker would likely be able to reset passwords for both hosting providers.
Previous NS records were pointing at dns-parking.com, which is Hostinger. Although hard to be certain without more details whether a reseller or other supplier is involved.
Download the latest version and install that, instead of using the auto update feature of an old version that might not properly check signatures.
As for whether anything else has been compromised, it depends on whether you were targeted. And the payload might have been tailored to each target, so there's no way to know unless you have access to the exact binary. Unfortunately, binaries downloaded through the auto update feature tend not to linger in your Downloads folder.
"The security expert's analysis indicates the attack ceased on November 10, 2025, while the hosting provider's statement shows potential attacker access until December 2, 2025. Based on both assessments, I estimate the overall compromise period spanned from June through December 2, 2025, when all attacker access was definitively terminated."
> Based on both assessments, I estimate the overall compromise period spanned from June through December 2, 2025, when all attacker access was definitively terminated.
Disable auto-updates, just like you should with every piece of software on your machine. This was the result of letting other people silently replace your programs. Don't allow that.
Not notepad++!
(Opens WhatsApp)
OpenClawd, express my discontent across all my channels and draft an email to send to IT tomorrow morning. Also turn the lights off and go to bed.
(Somewhere in China, all the lights go out)
No, it's specifically the updates that were targeted. I'm unsure about the downloads, but those too are presumably at risk.
> The attackers specifically targeted Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++.
> With these changes and reinforcements, I believe the situation has been fully resolved. Fingers crossed.
I get that this is a difficult situation for a small developer, but ending with this line did not fill me with confidence that the problem is actually resolved and make me trust their software on my system.
That's the most honest assessment you can expect from any small-scale developer. What do you expect them to say or do? Their adversary is presumably a national intelligence agency of a superpower.
The odds may be better if you operate the way OpenSSH does: move slow, security first, architect everything to be very difficult to attack. But if you're building a text editor, it's not your mindset, and probably never will be.
> The odds may be better if you operate the way OpenSSH does: move slow, security first, architect everything to be very difficult to attack. But if you're building a text editor, it's not your mindset, and probably never will be.
I mean, if you look at the Notepad++ website this developer seems just as concerned with spamming political messaging all over everything as he is with writing the software he's distributing. It's pretty crazy he apparently didn't think to take more basic precautions given he is basically permatrolling Russia and China with his messaging. Big brain moment for him. And meanwhile, after reading that disclosure nonsense none of us even know what's going on - like, should we be formatting machines that were affected during that timeframe? Was the attack targeted and specific only? Who the fuck knows!
I don't think "we" would have been impacted since this specifically targets the updates, but recently Microsoft pulled Notepad++ from the list of apps we can use on our production management laptops. Some people were annoyed and whining about this. That predated this announcement by a few weeks. Probably the right move by the security folks.
Notably Notepad++ was recently shipping unsigned/self-signed updates, apparently overlapping with the time of this incident, see releases 8.8.2-8.8.6: https://notepad-plus-plus.org/news/
The lack of signing and/or checking the signature when updating is the real issue here. But the write up blames the attack on the hosting server. That doesn't bode well for future security.
This time I unfortunately have to move on from Notepad++. Vibes have been negative for a while but out of inertia (and because there weren't obvious alternatives) I never pulled the trigger. Now it's time. The trust is gone.
Thanks NP++ for being free and useful for so many years.
Can anyone suggest a solid alternative on Windows? I'm fine with Linux and macOS but I have to keep a Windows machine around for some legacy, win only, software.
Maybe Sublime Text could be an option? At this point I'd rather pay for something lightweight, fast, and probably better.
I don't like tooling that increases my exposure to bad state actors (whatever state they're from).
For a while, I've been thinking that open source package portals will at some point take over making of binaries that get released. Dev teams will run their own CI with whatever automated test pipelines they think are appropriate. In a tests-pass situation they will pass the git hash to the portal system for release, which just runs the compile and makes the binary. Well, not all CI runs would result in a release, of course. Then the package portal's own software kicks in to calculate an independent since-last-release report that's attached alongside the maintainer release notes.
All such portals upgrade their hash/sig noting of binaries, and keep those in a history-retaining merkle tree of sorts. If nothing else, a git repo. Something like this https://github.com/hboutemy/mcmm-yaml/blob/master/aws/sdk/ko... but with SHA256s, and maybe not the entire world on one repo.
Long ago, Canonical did some shady stuff with the now-deprecated apt-key "net-update" signing validation for updating of GnuPG keys over the network, an exclusive Ubuntu "feature" Debian didn't even adopt that in theory allowed the same thing.
First I thought CVE-2012-3587 was incompetence... but then seeing CVE-2012-0954 after it, I couldn't help thinking something more was at bay, something connected to a nation state. It does not surprise me in the least to see nation state attackers exploiting N++. Because I've also worked on very sensitive enterprise PAM systems in F500/research/academia, and about 10% of the time it felt like I'd see Notepad++ on internet-connected systems used for security tooling, because vanilla notepad is indeed garbage. It does not surprise me at all this has been used as an attack vector.
They were able to replace the downloaded executable with their own version. From the article:
> 2. Even though the bad actors have lost access to the server from the 2nd of September, 2025, they maintained the credentials of our internal services existing on that server until the 2nd of December, which could have allowed the malicious actors to redirect some of the traffic going to https://notepad-plus-plus.org/getDownloadUrl.php to their own servers and return the updates download URL with compromised updates.
That's sad. China should be more helpful with regards to open source.
Notepad++ is a great editor. I don't use it on Linux, because I have an older editor I am very used to, but on Windows I like notepad++ a lot (though lately I have been using geany on Windows, mostly for convenience - I think notepad++ is better but I sort of like the github-based development of geany; either way notepad++ is really excellent as well).
Many large companies allow employees to install software from the internet on their work laptops. How do they avoid being regularly hacked this way? (Presumably NPP is far from being the only one at risk, and presumably the money from theft of corporate secrets attracts skilled and motivated hackers.)
The thought crossed my mind as well. Lots of typos, plus "old version compromised, use new version ASAP" could also be said to get people on a newly compromised version, right? Though it's probably just that the post author is stressed and rushed the post out. I do wonder if there's a way to verify the post was written by the real dev and that he still has control. Old known GPG sig?
Every shared hosting provider has this risk. Critical projects should be using dedicated or VPS hosting, preferably with encrypted filesystems too as even datacenter techs can fall victim to social engineering.
I'm pretty surprised that they got away with unsigned updates and shared hosting as long as they did. I wonder how many similar popular projects are out there on dodgy infrastructure.
So uhh... what exactly did the "state-sponsored actors" do?
They go on about how their server was compromised, and how the big bad Chinese were definitely behind it, and then claim the "situation has been fully resolved", but there is zero mention of any investigation into what was actually done by the attackers. Why? If I downloaded an installer during the time they were hacked, do I have malware now?
The utter lack of any such information feels bizarre.
Exactly... Were they exfiltrating files open in notepad++, or was notepad++ installing additional malware for system-wide access? What was the end goal?
> Even after losing server access, attackers maintained credentials to internal services until December 2, 2025, which allowed them to continue redirecting Notepad++ update traffic to malicious servers. The attackers specifically targeted Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++.
It's also possible the update manifest contained an url that the updater blindly trusted, and by modifying that file you could change what got downloaded.
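The two points raised above, a hardcoded developer key (ideally HSM-held) rather than a second server, and an update manifest whose URL the updater blindly trusts, can be shown side by side in a short updater model. The following Go program is an added example, not Notepad++'s updater or anything from the write-up; the manifest format, field names, host names and installer bytes are assumptions constructed for the example. It contrasts the weak pattern (parse whatever the server returned and follow its URL) with a client that verifies an Ed25519 signature against a pinned public key before reading any field, and then binds the downloaded bytes to the digest in the authenticated manifest.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor of the kind an updater
// fetches from its vendor: where the new binary lives and what its digest
// must be. The field names are assumptions for this example, not the
// Notepad++ update format.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"` // hex digest of the installer
}

// SignedManifest carries the exact manifest bytes plus a detached Ed25519
// signature over them. Signing the bytes as served, rather than a struct
// re-encoded on each side, avoids signer/verifier canonicalisation gaps.
type SignedManifest struct {
	Manifest  []byte
	Signature []byte
}

// InsecureParse is the weak pattern: whatever the server returned is
// trusted, so whoever can answer for the server (compromised host, hijacked
// DNS, redirected traffic) decides what the updater downloads and runs.
func InsecureParse(raw []byte) (Manifest, error) {
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return Manifest{}, err
	}
	return m, nil
}

// SignManifest is the publisher side. In production the private key stays
// in an HSM or an offline signer and never touches the download host.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	raw, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// VerifyManifest is the hardened client side. The public key is compiled
// into the updater (pinned), so a manifest the developer did not sign is
// rejected before any of its fields, URL included, is even looked at.
func VerifyManifest(pinned ed25519.PublicKey, sm SignedManifest) (Manifest, error) {
	if !ed25519.Verify(pinned, sm.Manifest, sm.Signature) {
		return Manifest{}, errors.New("manifest signature does not verify against pinned key")
	}
	return InsecureParse(sm.Manifest) // bytes are authenticated now
}

// HashHex returns the lowercase hex SHA-256 of b.
func HashHex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// VerifyPayload ties the downloaded bytes to the authenticated manifest, so
// a redirected download URL still cannot deliver a different binary.
func VerifyPayload(m Manifest, payload []byte) error {
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || len(want) != sha256.Size {
		return fmt.Errorf("manifest carries a malformed digest %q", m.SHA256)
	}
	got := sha256.Sum256(payload)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return errors.New("downloaded installer digest does not match signed manifest")
	}
	return nil
}

func main() {
	// Developer key pair (stand-in for an HSM-held key); only the public half ships in the updater.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := []byte("constructed genuine installer bytes")
	m := Manifest{Version: "1.2.3", URL: "https://updates.example.invalid/installer.exe", SHA256: HashHex(genuine)}
	signed, _ := SignManifest(priv, m)

	// Someone answering for the update server substitutes a manifest pointing at
	// a different binary: the unsigned client accepts it, the pinned-key client
	// does not, because the substitute can only be signed with some other key.
	evil := Manifest{Version: "1.2.4", URL: "https://attacker.example.invalid/x.exe", SHA256: HashHex([]byte("constructed other bytes"))}
	evilRaw, _ := json.Marshal(evil)
	_, insecureErr := InsecureParse(evilRaw)
	_, evilPriv, _ := ed25519.GenerateKey(rand.Reader)
	evilSigned, _ := SignManifest(evilPriv, evil)
	_, pinnedErr := VerifyManifest(pub, evilSigned)
	fmt.Println("insecure client accepted substitute manifest:", insecureErr == nil)
	fmt.Println("pinned-key client:", pinnedErr)

	// Honest path, then the same manifest with a substituted download.
	vm, _ := VerifyManifest(pub, signed)
	fmt.Println("genuine payload:", VerifyPayload(vm, genuine))
	fmt.Println("substituted payload:", VerifyPayload(vm, []byte("constructed other bytes")))
}
```

Note what the pinned key does and does not buy: a compromised or impersonated server can no longer choose the binary, because it cannot produce a valid signature, but it can still withhold updates or replay an old signed manifest, so real updaters also check the version field against the running version and usually sign an expiry or timestamp too.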
The whole approach of virus scanning is reactive and incomplete. This is because, except for some uncertain guesswork using "heuristics", it depends upon vendor analysis of submitted malware infection samples after it's already happened to determine specific malware file/process signatures. This doesn't and cannot catch all possible malware that has ever happened, especially if it's new, not widespread, or evaded analysis from ever being noticed. Thus, a fraction of malware will always slip and will always remain undetectable.
After a machine is compromised by malware, there's rarely-to-never a trustworthy way to ever fix it with 100% certainty. And especially worrisome is "repair" from the host itself, which may be infected with a rootkit that hides and repairs the malware. Thus, the only correct solution is to completely reimage/reinstall from trusted sources. Deviate from this path at one's own extreme cost/risk.
There also exists a tiny amount of even worse, specialized malware, usually deployed by state actors, that infects hardware in such a way that makes it difficult and sometimes uneconomical to repair.
PSA: Never run untrustworthy shit on any machine that matters. This also includes FOSS projects that don't have their shit together.
Most edr has a “this program is doing something bad” detector. But the number of folks running security on their build process is still not ubiquitous.
> This was the exact same technique that was used in 2021 by Audacity's update mechanism, which also redirected traffic to servers hosted in other Aeza Group ASNs and planted a dropper for later campaigns.
I can't find anything about this, can you link a source?
I vaguely remember this happening with somebody on an Audacity project, so jumping in! I believe this was on a GitHub issue for that project, but the project has since disabled issues for the repository since they moved source locations. It also definitely hit some press.
Someone tried to kill you?! People actually killed your friends? Not sure if schizophrenia or actual story ... I desperately need to hear more of this story.
If you find yourself 99.999% sure of almost anything it should be a bit of a red flag to you. If it's based on a hunch without any actual evidence, more so.
I've been thinking a lot lately about open source.
It seems to be a lot like communism - sounds great on paper but we are yet to see a proper implementation.
Between Git, Linux and SQLite there are a few projects that have been led by weirdos that have time, resources and conviction to drive these through time.
Unless you create some sort of an auxiliary business and get an acquihire deal most things will fizzle out.
Years ago when I started working for BigCo I was amazed by their denial of FOSS. At one point in the project I pointed out a problem, which was heard and recognized, to which I followed up with a solution using an open source package. I thought I was clever - we needed an extra package in our system, but I was able to find a suitable open source solution that would not add to the overall cost of the project. My proposal was immediately pushed back.
Initially I thought it was due to responsibility issue - if we'd employ a FOSS solution we'd be responsible for the outcome. Having a 3rd party vendor the management would have the opportunity to shell themselves.
But that doesn't have to be the case. The FOSS project could easily fizzle out. And if we don't have enough resources to incorporate it and make it our own, we can potentially risk being left out to dry.
> Unless you create some sort of an auxiliary business and get an acquihire deal most things will fizzle out.
This is acceptable. Why shouldn't most things started by people not willing to put in the work to keep them going fizzle out? The important thing is that anyone who actually cares to can jump in and pick up right where the open source software fizzled out and get it going again. Anyone can learn from the code and use it for anything they want, even things that have nothing to do with the goals of the original project.
It's not as if there aren't countless examples of corporate vendors dying off and leaving their customers on the hook with nothing, or just changing the product drastically after the sale. At least in the open source case you have the option to fork the project and continue using it as you always have.
Well, the update in Notepad++ was the single annoying thing and I made sure I turned it off as the first thing after the install. It was terribly annoying, interrupting my workflow every so often, so I have no idea how others managed. Why should it decide when to upgrade anyway? It's a notepad! Why should I even bother to upgrade? Everything I need is already there! A piece of software like this one shouldn't be allowed to send out traffic by default anyway, it should be opt-in.
You should see the apps on MacOS. Almost every single app that is not installed from Appstore has that shitty update popup, it is driving me nuts.
I think Linux has the best solution for this - good package managers for the base system and Flatpak with the Flathub repo for other apps. So you never get stupid popups, and update managers use signed packages and check those signatures before installation.
I'm extremely wary about any application pushing politics.
I subscribe to MacPaw, who makes excellent apps like Setapp, Gemini, and CleanMyMac, all of which I use.
At some point, CleanMyMac started putting the Ukrainian flag on the app icon and flagging utilities by any Russian developer as untrustworthy (because they are Russian), and recommended that I uninstall them.
I am not pro-Russia/anti-Ukraine-independence by any means, but CleanMyMac is one of those apps that require elevated system permissions. Seeing them engage in software McCarthyism makes me very, very hesitant to provide them.
If you're going to give in and avoid applications because, like in this case, they take a strong stance on Ukraine or Taiwan, the hack has literally achieved its purpose. Either silence the author directly or destroy its userbase.
Fuck 'em and just donate ten bucks to Notepad++. I'd rather my PC breaks than reward this crap.
I think I made it clear that I use (and pay for) their applications. I also think I made a sufficiently nuanced comment that doesn't suggest that I've "given in" to anything.
I guess my habit of running a firewall and not allowing programs to access the internet unless they actually need it is helpful for stuff like this.
Absolutely no reason a text editor needs internet access.
I only update stuff through winget, which fetches the installer from github in a lot of cases, and changing a package requires a PR to the winget repo AFAIK. Not foolproof of course though.
Checking for updates and pulling in plug-ins. Both are valid.
As for updates - my OS has a built-in package management system, which is responsible for installing and updating packages. Why should notepad++ bypass that and do its own independent update process?
A browser can download updates and plugins to be installed locally. I too do not want all my apps making internet connections. Sandboxes / namespaces can help a little.
I think these days updates through the OS package manager is a better option, windows has had winget for 5+ years now, and obviously linux and macos both have their own established systems.
It's because of issues like these that I do not agree with your statement of validity. It's also cheaper code-wise to not have these contraptions.
> Checking for updates
Why? CADT?
LittleSnitch is great for MacOS; it is easily configured to alert you every time your machine makes ip/domain connections, which can then be accepted, denied, or rules made
> LittleSnitch is great for MacOS; it is easily configured to alert you every time your machine makes ip/domain connections, which can then be accepted, denied, or rules made
For an open-source alternative, consider checking out - Lulu [0]. It's not as feature rich nor has impressive UI like the former but gets the main work done.
[0] https://github.com/objective-see/LuLu
Binisoft WFC for Windows is a free outbound firewall. It was acquired by MalwareBytes awhile back, but they have not interfered with development so far.
https://www.binisoft.org/wfc.php
It has some areas where improvement is needed, but the fundamentals work and the user interface design is decent.
I am surprised it's not more popular for Windows users. All of the alternatives I've tried have critical issues which made me dismiss them as unserious.
Yeah I've been using Fort on windows, it's easy to use and not closed source and full of bloat like the commonly suggested windows firewalls from various security companies.
Malwarebytes Windows Firewall Control may annoy me sometimes, but this is exactly why I run it.
It shouldn't! Fort just flashes the tray icon if there's a new connection request and you can click it whenever you want, instead of a popup in your face in the middle of something.
Which firewall software do you use? I should probably start using firewalls in my computers as well...
It doesn't matter really because nowadays all of them are just front-ends to Windows Firewall.
Also legitimate software (i.e. firewall/AV) cannot use "oldschool" tricks like system service descriptor table hooks to obtain godlike privileges these days, while malware sometimes can do this by exploiting vulnerabilities, so in such cases it may be an unequal fight.
I've been using Fort: https://github.com/tnodir/fort
It's the best one I found after trying a few, because it's pretty easy to use, and lets me disable notification popups which is a part that always frustrates me about other options.
So, let me get this straight. If I've been lazy, postponed updates and I'm still on 8.5.8 (Oct 2023) - it turns out I'm actually...safer?
Anyway, I hope the author can be a bit more specific about what actually has happened to those unlucky enough to have received these malicious updates. And perhaps a tool to e.g. do a checksum of all Notepad++ files, and compare them to the ones of a verified clean install of the user's installed version, would be a start? Though I would assume these malicious updates would be clever enough to rather have dropped and executed additional files, rather than doing something with the Notepad++ binaries themselves.
And I agree with another comment here. With all those spelling mistakes that notification kind of reads like it could have been written by a state-sponsored actor. Not to be (too) paranoid here, but can we be sure that this is the actual author, and that the new version isn't the malicious one?
This reminds me of college, when some of my professors were still sorting out their curriculum and would give us homework assignments with bugs in it.
I complained many times that they were enabling my innate procrastination by proving over and over again that starting the homework early meant you would get screwed. Every time I'd wait until the people in the forum started sounding optimistic before even looking at the problem statement.
I still think I'd like to have a web of trust system where I let my friends try out software updates first before I do, and my relatives let me try them out before they do.
Ah, I remember those days. One that wasn't an error exactly was an assignment that had a word limit of 2000 words or something. I'd written maybe 3000 words and spent quite some time cutting it down, getting it to just under the limit. Then someone else who also wrote too many words asked the professor if that was okay and they sent out an update to everyone saying it's fine to ignore the word limit.
> let my friends try out software updates first before I do
And who do they let try the software before they do? And so on... Where does it end?
They should have just given out extra credit for finding bugs.
For windows updates r/sysadmin has people who run updates and post their experience on patch Tuesday.
I work in a lab as an analyst (bioinformatician); we are registered with and pay for quality assurance programs that contain an embarrassing amount of technical errors.
> So, let me get this straight. If I've been lazy, postponed updates and I'm still on 8.5.8 (Oct 2023) - it turns out I'm actually...safer?
Is this surprising? My model is that keeping with the new versions is generally more dangerous than sticking with an old version, unless that old version has specific known and exploitable vulnerabilities.
Yes, it is very much atypical. Most hacks happen because admins still haven't applied a two-year-old patch. I hate updates, but it's statistically safer than running an old software version. Try exposing a Windows XP machine to the internet and watch how long it takes before it's hacked.
Steve from the Security Now podcast has been specifically using Notepad++ as an example of not being able to leave good enough alone for years now. Can't wait to hear him claim his "told you so" next week.
Love notepad++ and will continue to use it.
>I'm still on 8.5.8 (Oct 2023) - it turns out I'm actually...safer?
Notepad++ site says The incident began from June 2025.
On their downloads page, 8.8.2 was the first update in June 2025 (the previous update 8.8.1 was released 2025-05-05)
So, if your installed version is 8.8.1 or lower, then you should be safe. Assuming that they're right about when the incident began.
edit: Notepad++ has published, on Github, SHA256 hashes of all the binaries for all download versions, which should let users check if they were targeted, if they still have the downloaded file. 8.8.1 is here, for example - https://github.com/notepad-plus-plus/notepad-plus-plus/relea...
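As an added example (not a tool Notepad++ ships, and not code from anyone in this thread), here is a small Go checker of the kind the earlier comment asked for. It assumes the published hashes are in the `sha256sum` format that release pages typically use, one `<64 hex digits>  <filename>` pair per line, and reports which local files match the published hash, which differ, and which listed files you do not have. The hash list and the file contents in `DemoRun` are constructed for the example; to run it against a real Downloads folder, build the `local` map from `os.ReadDir` and `os.ReadFile` over that directory. A matching hash tells you the installer you have is the published one; it says nothing about what an updater already running on a compromised machine did afterwards.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"sort"
	"strings"
)

// Report classifies local files against a published hash list.
type Report struct {
	Matched  []string // SHA-256 equals the published value
	Modified []string // present locally, but a different hash
	Missing  []string // listed, but no such local file
}

// ParseHashList parses sha256sum-style text ("<64 hex>  <name>" per line),
// skipping blanks and "#" comments and tolerating the "*" binary-mode marker.
func ParseHashList(text string) (map[string]string, error) {
	expected := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) < 2 || len(fields[0]) != 64 {
			return nil, fmt.Errorf("line %d: not a sha256sum entry: %q", n, line)
		}
		if _, err := hex.DecodeString(fields[0]); err != nil {
			return nil, fmt.Errorf("line %d: digest is not hex", n)
		}
		name := strings.TrimPrefix(strings.Join(fields[1:], " "), "*")
		expected[name] = strings.ToLower(fields[0])
	}
	return expected, sc.Err()
}

// Compare hashes each listed file that exists locally and sorts the outcome.
// Local files absent from the list are ignored: the list is the reference.
func Compare(expected map[string]string, local map[string][]byte) Report {
	var r Report
	for name, want := range expected {
		data, ok := local[name]
		if !ok {
			r.Missing = append(r.Missing, name)
			continue
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) == want {
			r.Matched = append(r.Matched, name)
		} else {
			r.Modified = append(r.Modified, name)
		}
	}
	sort.Strings(r.Matched)
	sort.Strings(r.Modified)
	sort.Strings(r.Missing)
	return r
}

// DemoRun feeds a constructed hash list and constructed file contents through
// the checker: installer-b has been altered and installer-c is not present.
func DemoRun() (Report, error) {
	hashOf := func(s string) string { d := sha256.Sum256([]byte(s)); return hex.EncodeToString(d[:]) }
	list := "# published hashes (constructed for this example)\n" +
		hashOf("constructed contents of installer A") + "  installer-a.exe\n" +
		hashOf("constructed contents of installer B") + " *installer-b.exe\n" +
		hashOf("constructed contents of installer C") + "  installer-c.exe\n"
	local := map[string][]byte{
		"installer-a.exe": []byte("constructed contents of installer A"),
		"installer-b.exe": []byte("constructed contents of installer B, tampered"),
		"unrelated.txt":   []byte("not on the list"),
	}
	expected, err := ParseHashList(list)
	if err != nil {
		return Report{}, err
	}
	return Compare(expected, local), nil
}

func main() {
	r, err := DemoRun()
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Printf("matched:  %v\nmodified: %v\nmissing:  %v\n", r.Matched, r.Modified, r.Missing)
}
```

The list has to come from somewhere the hijacked update server could not touch (the project's GitHub release page, as the comment above notes), otherwise you are checking an attacker's file against an attacker's hash.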
Just checked my 8.7.9 that I installed in April 2025 and never updated. The hash seems to be identical to the version I installed around that time. Seems like it was a good choice to always skip the Update Dialog when using Notepad++ lol.
Older download links don't seem to work!?
"So, let me get this straight. If I've been lazy, postponed updates and I'm still on 8.5.8 (Oct 2023) - it turns out I'm actually...safer?"
This is true for a large number of software "security" issues
A software version earlier in date/time is not necessarily inferior (or superior) to a version later in date/time
As it is "updated" or rewritten, software can become worse instead of better, or vice versa, for a variety of reasons
Checking software's release date, or enabling/allowing "automatic updates" is not a substitute for reading source code and evaluating software on the merits
> And perhaps a tool to e.g. do a checksum of all Notepad++ files, and compare them to the ones of a verified clean install of the user's installed version, would be a start?
Did I understand the attack wrongly? The software could have a 100% correct checksum, because the attack happened in a remote machine that deals with call home events from Notepad++, I guess one of those "Telemetry" add-ons. The attackers did a MITM to Notepad++ traffic.
The remote machine that was compromised was responsible for Notepad++ updates, so the concern is that it could cause a compromised version of the software to be installed. But if it could do that, it could probably cause anything to be installed anywhere on the user's machine, so inspecting the installed N++ binary probably wouldn't be too useful.
I disable auto update for everything that does not have direct contact with the Internet otherwise (mail app, browser, OS, router,...). Probability for some random app being exploited because updates were skipped is insignificant compared to the probability of a malicious update.
Updates are a direct connection from the Internet to your computer. You want to minimize that.
Just do a manual update from time to time.
Yes, of course you're safer. If your system is working as desired, updates can only break it. This is just Engineering 101, but for whatever reason, all logic is abandoned on the topic of security updates.
If there’s anything I’ve learned from IBM, Red Hat, and CentOS, it’s that bleeding edge is actually what I’m supposed to want.
8.4.7 here. phew
8.5.7 here (built Sept 6, 2023)
Now I need to worry about this one. I've been anxious about vscode lately: apparently vscode extensions are a dumpster fire of compromises.
lol, I'm on 7.3.x for extra safety
It looks like using Chocolatey [1] saved me from this attack vector because maintainers hardcode SHA256 checksums (and choco doesn't use WinGuP at all).
[1]: https://chocolatey.org/
Solid idea
Probably related to this: https://notepad-plus-plus.org/news/v869-about-taiwan/
Yeah, Notepad++ is known for political messaging in their updates. Taiwan, Ukraine, etc.
I can't help but feel there must some better venue for such messaging.
When I see politics in software updates or documentation, nothing happens because I'm not looking to use the software for political activism. Maybe I tell my adblocker to remove the messaging, and carry on with my task.
I can engage with politics in a social context, when political messaging isn't interrupting something else I'm doing; that's a better place for activism, IMHO.
I almost always see activists using the argument that if I don't like the messaging then I'm part of the problem. Somehow I doubt that, given I don't mind messaging at all, where it's appropriate.
Probably the real motive.
I wouldn't brush off Taiwan or Ukraine as "political". In both cases it's about survival, and in one it's a literal fight.
And this https://notepad-plus-plus.org/news/v781-free-uyghur-edition/
I distinctly remember their GH page being flooded with issues written in Chinese.
Everyone is entitled to their opinions.
My opinion is that open source documentation is like polite dinner conversation: It’s not the proper place to discuss politics.
If an author wishes to use their open source project as a platform to discuss politics, that’s the author’s prerogative. But then, as perhaps in this instance, it could be to the detriment of the project itself.
Skirt too short, in other words?
I'm going to place the blame on the party committing the crimes, not the person exercising free expression.
> My opinion is that open source documentation is like polite dinner conversation: It’s not the proper place to discuss politics.
I know this is a common turn of phrase, but I can not help thinking that if the political conversation is impolite it is because someone in the conversation is being impolite, not due to the topic itself.
Other take is … which is a cool feature of OSS … you don't have to use projects that make political statements.
That is a position of privilege.
You can ignore politics, but at a certain point, politics cease to ignore you.
This is a very head in the sand approach to life that only those who are entitled may partake in. Reality is that most cannot live in ignorance of what is happening around them because it is also happening to them. Obviously not everything needs to remind you of stressful reality, but we also shouldn't avoid reality just because we are privileged enough to do so.
His code, his rules.
My understanding is they targeted particular users of Notepad++, not the author.
Ah, so this has to do with mainland China going after those who think the Taiwanese do not belong to mainland China. Well, I see them as independent folks. Mainland China needs to stop thinking it can occupy land willy-nilly; unfortunately with USA, Russia and China thinking they can bully other countries that lack nukes, I think these smaller countries absolutely need nukes for defensive purpose.
It is also annoying that all these three countries think they can bully other countries too. That is basically them saying they can kill other people in other countries at all times no matter the real "reason" (just make up a fake reason, such as Russia with regard to Ukraine) - annoying to no ends.
Having said that, and I just pointed out I disagree with mainland China bullying the Taiwanese, I think it would actually be better to have software itself be completely apolitical. I never understood why people felt a need to tie political goals into software. That is a valid statement even if I happen to agree with the political goals here.
In 2026 hoping that software could be (more) apolitical is a very brave stance. I look at the software world and I can see core political statements in almost every popular software. From privacy invasion, supporting shady industries (e.g., marketing) even at the expense of people (a reverse-welfare, in a sense), environmental destruction (e.g., complete lack of care for resource usage) and many more.
If anything, we need much more politics in software, ideally exercised by those who write that software instead of "apolitical" software writers who end up executing the political software of those who pay them.
If you meant to scope your statement only to FOSS, then this still applies (in fact, FOSS is inherently political), plus I suppose some people who invest their time to write software want to also use the same effort for political activism and there is nothing wrong with that. This can be expressing their political views via that software (e.g., vim and the support to children in Uganda) or can be using a license that only allows co-ops to run their software, or many other ways.
The idea that software even could be apolitical stems from the idea that technology can be neutral, which again, in 2026 is really a tough idea to support.
I always worry about tools like this, maintained by small teams, that are so universal that even if only a small fraction of installs are somehow co-opted by malicious actors, you have a wide open attack surface on most tech companies.
e.g. iTerm, Cyberduck, editors of all shades, various VSCode extensions, etc.
I don’t get it, why don’t you all—absolutely all of you reading—use Little Snitch? [1]
It really doesn’t compute in my head why would any macOS user not use a network firewall like this, or similar, to block unwanted outgoing HTTP(s) requests. You can easily inspect the packet with tools like Wireshark or Burp Suite Professional (or Community) edition, or any other proxy tool, of which there are many in the macOS ecosystem.
And this is not unique to macOS, this is all possible in Windows, Linux and any other OS.
[1] https://www.obdev.at/products/littlesnitch/index.html
It’s a false sense of security, more or less. If an application wants to talk to a C2 they don’t have to make a connection at all, just proxy a connection through something already allowed, or tunnel through DNS. Those juicy cryptocurrency keys? Pop Safari with them in the URL and they’re sent to the malicious actor instantly. If you’re owned Little Snitch does nothing at all for you except give you the impression that you’re not.
It wouldn't protect against this attack though. The Notepad++ update servers were hijacked. Presumably you would allow Notepad++ updates through Little Snitch so you would be equally as vulnerable.
Isn't Little Snitch exactly the sort of application they're worried about?
I used to love Zone Alarm's ability to notify me on an application's first attempt to connect to the internet, and allow me to approve or deny it. I really wish there was still such an interface today.
Having said that, I absolutely despised the implementation that stole keyboard focus; if it popped up when I was typing it frequently disappeared before I had a chance to read it and I had to go into settings to try and find what had changed. Nothing should ever steal keyboard focus unless it's urgent, and then it should website that you can't accidentally manipulate it with a keyboard (see the UAC prompt, which opens in the background if the calling program is in the background, and where once you activate it, you have to hold alt+y/n or tab to a button before it accepts the input; just hitting the y/n key alone won't do anything).
If an application wants to talk to AWS, how am I supposed to know if it's legit or not?
Because I don't want to deal with constant whitelist management and I simply don't install applications I don't trust. If there's anything really absolutely essential or damaging if it were to leak I would not put it on an internet-connected device to begin with.
Now you have to worry about Little snitch not "snitching" on all your traffic.
Similarly I worry about how these apps automatically update themselves. I know it can be done securely. I also doubt that these companies invest the engineering effort to do so.
If you think large companies are somehow immune to this, you’re gonna have a bad time.
It's not a matter of "immune" - larger organizations generally have more resources to allocate to things like this. That doesn't mean they get it right 100% of the time, but they are at least able to try, while small teams or volunteer projects often simply don't have the hours to spend on things like this.
> Traffic from certain targeted users was selectively redirected to attacker-controlled served malicious update manifests.
I'd be curious to know if there was any pattern as to which users were targeted, but the post doesn't go into any further detail except to say it was likely a Chinese state-sponsored group.
This article going into more detail on those targeted was posted later:
https://securelist.com/notepad-supply-chain-attack/118708/
I don't know who hacked the servers, nor do I know how to find out. Let's blame state actors; who's going to come verify these claims.
It might have been explicitly targeted, but they did say that there were older versions of Notepad++ with "insufficient update verification controls" so it might have just been that there was only one subset of users actually susceptible to this.
No, the additional update verification was added after this attack was discovered. All Notepad++ installations were vulnerable during the time of the hijacking campaign.
My guess would be certain IPs associated with universities, corporations and government institutions.
Wow. I'd love to know more how the targeted systems were actually compromised.
There is more detail linked below:
https://www.heise.de/en/news/Notepad-updater-installed-malwa...
https://doublepulsar.com/small-numbers-of-notepad-users-repo...
The TLDR is that until version 8.8.7 of Notepad++, the developer used a self-signed certificate, which was available in the Github source code. The author enabled this by not following best practices.
The "good news" is that the attacks were very targeted and seemed to involve hands on keyboard attacks against folks in Asia.
Blaming the hosting company is kind of shady, as the author should own at least some level of the blame for this.
If the attackers did limit themselves to a small number of Asian machines they gave up an absolute goldmine. I would venture to say a lot of technical people use notepad++ at work in jobs that would be very lucrative for an attacker to exploit. I know I definitely had an 'oh shit' moment when I read this and thought about where I have notepad++ installed.
out of curiosity, why is a self signed cert bad for this case? Can't the updater check the validity of the cert just as well regardless? Or did the attackers get access to the signing key as well?
Agreed. Supply chain attacks are scary. I open all sorts of secrets in NPP - did they all get leaked?
Depends. Are you a Chinese/Taiwanese national or diplomat who holds a strategic value to the CCP?
And who was targeted. The current messaging is very vague.
Probably backdooring end user machines by pushing updates with vulnerabilities for the purpose of spying, data exfiltration & control.
This all fascinating, but in the end: I have notepad++; what should I do?
You’d be protected from this particular exploit if you used a package manager rather than the updater, though of course you’d still be vulnerable to the installer binary itself getting compromised.
Wonder how many packages in community package repos are compromised. Surely "Hubbleexplorer" can be trusted to provide arch users with a honest, clean version of npp.
KDE's own kate is a good alternative, and available for install via chocolatey.
Gedit is an underrated alternative imo.
I don't know why that comment is being interpreted as a request for alternatives. They are clearly asking if their machine is compromised.
This is where package managers shine. You never know if there are vulns in the update servers, and you don't know if they even bother with checksums. I never trust apps that self-update for exactly this reason. Turn that shit off and do
or
Of course, this does nothing for bugs in the code.
Vindicated once again for turning off any update checks the moment I install any new piece of software.
Even if this sort of (obviously rare) attack is not a concern, it baffles me how few otherwise-intelligent people fail to see the way these updaters provide the network (which itself is always listening, see Room 641A and friends) with a fingerprint of your specific computer and a way to track its physical location based on the set of software you have installed, all of which want to check for updates every goddamn day.
It is baffling to me, as well. You know how you get a remote-code-execution vulnerability? You give a bunch of software permission to fetch code remotely and execute it.
Like… browser? Or anything with script loading capabilities like script engine in games. Executing remote script is almost unavoidable nowadays.
And there isn't really a way to confirm if it is configured in a secure way.
You either trust the developer or not.
If the people with access to Room 641A want you, you're toast unless you're ready to make some REALLY big digital lifestyle changes that most people would not be amenable to, because you would have to be extremely paranoid on multiple fronts all the time. That kind of heightened vigilance is exhausting and really not worth it.
Threat modeling: it keeps things realistic.
Sorry for assuming you'd be able to extrapolate from one example. It could be at any level of the funnel from your local machine to the wider Internet. Closer to home: this sort of fingerprinting could defeat things like MAC randomization in a PSK-authed business/university setting if those IT departments had some reason to want to track you.
I once worked at a company where the Security team were very proud of this and all the other tricks they used to catch leakers by figuring out who was on campus, where, at what time, usually via fingerprinting personal devices carried alongside corporate devices.
How do you deal with the opposite, software that you forget to update but contains vulnerabilities discovered/exploited later?
I use a package manager that checks the hash of the downloaded installer against what's recorded in the package listing for that version. WinGet has been built in to Windows since one of the 2018-era releases of Windows 10: https://i.ibb.co/VYGXdc56/2026-02-01-20-46-28-Greenshot.png
an auto-updater for a text editor is particularly infuriating
So the hosting provider was hacked? Who was their hosting provider?
This is also why update signatures should be validated against a different server; it would require hackers to control both servers to go undetected
You can see this in their DNS history:
notepad-plus-plus.org currently has an A record of 95.128.42.184, owned by "Aqua Ray SAS".
It switched up from 191.101.104.10 and 212.1.212.49 on 17/1, which are Hostinger IP addresses.
>This is also why update signatures should be validated against a different server; it would require hackers to control both servers to go undetected
No, it should be a hardcoded key held by the developer, preferably using a HSM, and maybe with some sort of notification capability in case the key was lost. Adding a second server adds marginal security. For instance if the developer's mail was hacked, an attacker would likely be able to reset passwords for both hosting providers.
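Added example, not code from Notepad++, WinGUp or anyone in this thread: a Go sketch of the update path the comment above and the earlier remark about a blindly trusted manifest URL argue for. The client carries a pinned public key; the manifest it fetches must come with a detached signature by the matching private key (the one you keep offline or in an HSM, never on the web host); the download URL in a verified manifest still has to be https to a host on the client's own allowlist; and the installer bytes must hash to the value the signed manifest states. The manifest format, the allowlist, the version string and the installer bytes are all made up for this example, and the key pair is generated on the spot for the demo, whereas a real client would only have the public key compiled in.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Manifest is an assumed manifest format for this example (not WinGUp's own).
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
}

// allowedHosts is the client's own pin of where installers may come from;
// a manifest pointing anywhere else is rejected even if its signature is good.
var allowedHosts = map[string]bool{
	"github.com":                    true,
	"objects.githubusercontent.com": true,
}

// VerifyManifest checks the detached Ed25519 signature over the raw manifest
// bytes against the pinned key, then checks the download URL it carries.
func VerifyManifest(pub ed25519.PublicKey, raw, sig []byte) (*Manifest, error) {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, raw, sig) {
		return nil, errors.New("manifest signature does not verify against pinned key")
	}
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, fmt.Errorf("manifest is not valid JSON: %w", err)
	}
	u, err := url.Parse(m.URL)
	if err != nil || u.Scheme != "https" || !allowedHosts[strings.ToLower(u.Hostname())] {
		return nil, fmt.Errorf("download URL %q is not https to an allowed host", m.URL)
	}
	return &m, nil
}

// VerifyPayload compares the downloaded installer with the hash carried in the
// already-verified manifest, so a server that swaps the file is caught too.
func VerifyPayload(m *Manifest, payload []byte) error {
	sum := sha256.Sum256(payload)
	if !strings.EqualFold(hex.EncodeToString(sum[:]), m.SHA256) {
		return errors.New("installer hash does not match signed manifest")
	}
	return nil
}

// SignManifest is the publisher side: serialize, then sign with the private key
// that in practice stays offline or in an HSM and never sits on the web host.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (raw, sig []byte, err error) {
	raw, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return raw, ed25519.Sign(priv, raw), nil
}

// DemoRun exercises the flow on constructed inputs (fresh demo key pair, fake
// installer bytes) and reports which scenarios the client accepts.
func DemoRun() map[string]bool {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	installer := []byte("constructed installer bytes, not a real binary")
	sum := sha256.Sum256(installer)
	good := Manifest{
		Version: "1.2.3",
		URL:     "https://github.com/example/app/releases/download/v1.2.3/app.exe",
		SHA256:  hex.EncodeToString(sum[:]),
	}
	raw, sig, _ := SignManifest(priv, good)
	results := map[string]bool{}
	// 1. Genuine manifest and genuine installer: accepted.
	m, err := VerifyManifest(pub, raw, sig)
	results["genuine"] = err == nil && VerifyPayload(m, installer) == nil
	// 2. Hijacked server rewrites the URL inside the manifest: signature breaks.
	tampered := []byte(strings.Replace(string(raw), "github.com", "attacker.example", 1))
	_, err = VerifyManifest(pub, tampered, sig)
	results["rewritten_url"] = err == nil
	// 3. Manifest left intact, installer behind it swapped: hash mismatch.
	results["swapped_installer"] = VerifyPayload(m, []byte("malicious bytes")) == nil
	// 4. Manifest re-signed with a key the attacker generated: not the pinned key.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherSig, _ := SignManifest(otherPriv, good)
	_, err = VerifyManifest(pub, raw, otherSig)
	results["foreign_key"] = err == nil
	return results
}

func main() {
	for name, accepted := range DemoRun() {
		fmt.Printf("%-18s accepted=%v\n", name, accepted)
	}
}
```

With this shape, an attacker who controls the hosting account, or the DNS in front of it, can serve any manifest or installer they like and the client still rejects it, because the only thing it trusts is the signature by the pinned key. TLS on the update endpoint does not give you that: it authenticates whatever server the attacker now controls.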
Previous NS records were pointing at dns-parking.com, which is Hostinger. Although hard to be certain without more details whether a reseller or other supplier is involved.
So what mitigations should the end user be doing? How do we know if anything compromised?
Download the latest version and install that, instead of using the auto update feature of an old version that might not properly check signatures.
As for whether anything else has been compromised, it depends on whether you were targeted. And the payload might have been tailored to each target, so there's no way to know unless you have access to the exact binary. Unfortunately, binaries downloaded through the auto update feature tend not to linger in your Downloads folder.
Right, the writeup doesn't mention when it started and what versions are affected
The writeup says it right there:
"The security exper’s analysis indicates the attack ceased on November 10, 2025, while the hosting provider’s statement shows potential attacker access until December 2, 2025. Based on both assessment, I estimate the overall compromise period spanned from June through December 2, 2025, when all attacker access was definitively terminated."
> Based on both assessment, I estimate the overall compromise period spanned from June through December 2, 2025, when all attacker access was definitively terminated.
FTA.
Disable auto-updates, just like you should with every piece of software on your machine. This was the result of letting other people silently replace your programs. Don't allow that.
that's why I still run Windows XP. Automatic updates are dangerous!
Not notepad++! (Opens WhatsApp) OpenClawd, express my discontent across all my channels and draft an email to send to IT tomorrow morning. Also turn the lights off and go to bed. (Somewhere in China, all the lights go out)
Can someone help clarify this for me?
Is it correct to say that users would only get the compromised version if they downloaded from the website?
Notepad++ has auto-update feature, is there any indication that updates from the AutoUpdate were compromised?
No, it's specifically the updates that were targeted. I'm unsure about the downloads but those too are presumably at risk.
> The attackers specifically targeted Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++.
> With these changes and reinforcements, I believe the situation has been fully resolved. Fingers crossed.
I get that this is a difficult situation for a small developer, but ending with this line did not fill me with confidence that the problem is actually resolved and make me trust their software on my system.
That's the most honest assessment you can expect from any small-scale developer. What do you expect them to say or do? Their adversary is presumably a national intelligence agency of a superpower.
The odds may be better if you operate the way OpenSSH does: move slow, security first, architect everything to be very difficult to attack. But if you're building a text editor, it's not your mindset, and probably never will be.
> The odds may be better if you operate the way OpenSSH does: move slow, security first, architect everything to be very difficult to attack. But if you're building a text editor, it's not your mindset, and probably never will be.
I mean, if you look at the Notepad++ website this developer seems just as concerned with spamming political messaging all over everything as he is with writing the software he's distributing. It's pretty crazy he apparently didn't think to take more basic precautions given he is basically permatrolling Russia and China with his messaging. Big brain moment for him. And meanwhile, after reading that disclosure nonsense none of us even know what's going on - like, should we be formatting machines that were affected during that timeframe? Was the attack targeted and specific only? Who the fuck knows!
Yup, the only way to combat this as a smalltime dev would be to turn off auto updates and make people build from source.
and yet OpenSSH was almost the victim of a giant hack too (xz-utils)
Would you feel better if they had ended the blog post with corporate style assurances that Notepad++ is 100% secure?
Same here. I think I will probably look at some alternative to Notepad++.
Oh interesting, we had an internal mandate not to use Notepad++ come down from on high that was never explained. The timing matches up
I don't think "we" would have been impacted since this specifically targets the updates, but recently Microsoft pulled Notepad++ from the list of apps we can use on our production management laptops. Some people were annoyed and whining about this. That predated this announcement by a few weeks. Probably the right move by the security folks.
it was pulled because the binaries were self-signed for a short period, not because they knew something
who signed the binaries was irrelevant for this attack, because the issue was not checking any signature
Notably Notepad++ was recently shipping unsigned/self-signed updates, apparently overlapping with the time of this incident, see releases 8.8.2-8.8.6: https://notepad-plus-plus.org/news/
The lack of signing and/or checking the signature when updating is the real issue here. But the write up blames the attack on the hosting server. That doesn't bode well for future security.
So they just conveniently decided not to sign their releases right around the time they were supposedly "hacked"?
Something doesn't seem right here.
Code signing certs are unfortunately expensive
I’m on version 8.8.8, which says a lot.
This time I unfortunately have to move on from Notepad++. Vibes have been negative for a while but out of inertia (and because there weren't obvious alternatives) I never pulled the trigger. Now it's time. The trust is gone.
Thanks NP++ for being free and useful for so many years.
Can anyone suggest a solid alternative on Windows? I'm fine with Linux and macOS but I have to keep a Windows machine around for some legacy, win only, software.
Maybe Sublime Text could be an option? At this point I'd rather pay for something lightweight, fast, and probably better.
I don't like tooling that increases my exposure to bad state actors (whatever state they're from).
> I don't like tooling that increases my exposure to bad state actors
> Can anyone suggest a solid alternative on Windows
What a weird reason to switch. I don't know why you'd believe any other piece of software is somehow more secure against state actors.
Are we supposed to ignore announcements of documented compromises then? Or are you saying compromised software is the safest of all?
Sublime Text. It's art.
It was great 10 years ago before VS Code, but Sublime has been abandonware for years now.
Thanks. I'm on it right now. Testing.
If you update via Winget, you are probably safe.
Winget downloads the installer from GitHub: https://github.com/microsoft/winget-pkgs/blob/master/manifes...
For a while, I've been thinking that open source package portals will at some point take over making the binaries that get released. Dev teams will run their own CI with whatever automated test pipelines they think are appropriate. When tests pass, they will pass the git hash to the portal system for release, which just runs the compile and makes the binary. Well, not all CI runs would result in a release, of course. Then the package portal's own software kicks in to calculate an independent since-last-release report that's attached alongside the maintainer release notes.
All such portals upgrade their hash/sig noting of binaries, and keep those in a history-retaining merkle tree of sorts. If nothing else, a git repo. Something like this https://github.com/hboutemy/mcmm-yaml/blob/master/aws/sdk/ko... but with SHA256s, and maybe not the entire world in one repo.
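A sketch of the "history-retaining" release log the comment above has in mind, as an added example that is not code from any package portal or from Notepad++: each record commits to the source commit and the sha256 of the binary the portal built, and chains to the previous record's hash. The record fields, package names, commit strings and build bytes are all constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// ReleaseRecord is one entry in an append-only log of what a package portal
// built and published. Field names are hypothetical.
type ReleaseRecord struct {
	Package   string
	Version   string
	GitCommit string // source revision the maintainer handed over
	BinarySHA string // sha256 of the artifact the portal itself built
	PrevHash  string // hash of the previous record, "" for the first
	Hash      string // sha256 over the fields above
}

// recordHash covers every field except Hash; length prefixes keep
// "ab"+"c" and "a"+"bc" from colliding.
func recordHash(r ReleaseRecord) string {
	h := sha256.New()
	for _, f := range []string{r.Package, r.Version, r.GitCommit, r.BinarySHA, r.PrevHash} {
		fmt.Fprintf(h, "%d:%s", len(f), f)
	}
	return hex.EncodeToString(h.Sum(nil))
}

// Append links a freshly built artifact to the current log head.
func Append(log []ReleaseRecord, pkg, ver, commit string, binary []byte) []ReleaseRecord {
	prev := ""
	if len(log) > 0 {
		prev = log[len(log)-1].Hash
	}
	sum := sha256.Sum256(binary)
	r := ReleaseRecord{Package: pkg, Version: ver, GitCommit: commit,
		BinarySHA: hex.EncodeToString(sum[:]), PrevHash: prev}
	r.Hash = recordHash(r)
	return append(log, r)
}

// VerifyChain recomputes every hash and every link; a rewritten record
// invalidates itself and everything appended after it.
func VerifyChain(log []ReleaseRecord) error {
	prev := ""
	for i, r := range log {
		if r.PrevHash != prev {
			return fmt.Errorf("record %d: previous-hash link broken", i)
		}
		if recordHash(r) != r.Hash {
			return fmt.Errorf("record %d: hash does not match contents", i)
		}
		prev = r.Hash
	}
	return nil
}

// CheckArtifact answers the user's question: does the binary I received match
// what the portal logged for this package and version?
func CheckArtifact(log []ReleaseRecord, pkg, ver string, binary []byte) error {
	if err := VerifyChain(log); err != nil {
		return err
	}
	sum := sha256.Sum256(binary)
	got := hex.EncodeToString(sum[:])
	for _, r := range log {
		if r.Package == pkg && r.Version == ver {
			if r.BinarySHA != got {
				return errors.New("artifact hash does not match the logged release")
			}
			return nil
		}
	}
	return errors.New("no logged release for this version")
}

// demo builds a two-release log from constructed inputs, then shows a swapped
// artifact and a rewritten history both being caught.
func demo() (chainOK, swapDetected, rewriteDetected bool) {
	good := []byte("constructed build of version 8.8.8")
	var log []ReleaseRecord
	log = Append(log, "npp", "8.8.7", "constructed-commit-1", []byte("constructed build of version 8.8.7"))
	log = Append(log, "npp", "8.8.8", "constructed-commit-2", good)
	chainOK = CheckArtifact(log, "npp", "8.8.8", good) == nil
	swapDetected = CheckArtifact(log, "npp", "8.8.8", []byte("trojaned build")) != nil

	// Attacker rewrites the older record to bless the trojaned hash, even
	// recomputing its own Hash; the next record's PrevHash still exposes it.
	forged := append([]ReleaseRecord(nil), log...)
	sum := sha256.Sum256([]byte("trojaned build"))
	forged[0].BinarySHA = hex.EncodeToString(sum[:])
	forged[0].Hash = recordHash(forged[0])
	rewriteDetected = VerifyChain(forged) != nil
	return
}

func main() {
	fmt.Println(demo())
}
```

The chain only catches a rewrite if the verifier already holds an older head (or fetches it from a second party) to compare against; an attacker who can rewrite the whole log and every client's copy of it is not stopped by hashing alone, which is why real transparency logs publish their heads widely.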
Long ago, Canonical did some shady stuff with the now-deprecated apt-key "net-update" signing validation for updating GnuPG keys over the network, an exclusive Ubuntu "feature" that Debian didn't even adopt, which in theory allowed the same thing.
First I thought CVE-2012-3587 was incompetence... but then, seeing CVE-2012-0954 after it, I couldn't help thinking something more was at play, something connected to a nation state. It does not surprise me in the least to see nation state attackers exploiting N++. Because I've also been on very sensitive enterprise PAM systems in F500/research/academia, and about 10% of the time it felt like I'd see Notepad++ on internet-connected systems used for security tooling, because vanilla notepad is indeed garbage. It does not surprise me at all that this has been used as an attack vector.
The article is not very clear.
Which versions were affected and how can people check if they have the infected version?
What was the impact of being compromised? Were they able to inject code into releases of Notepad++?
They were able to replace the downloaded executable with their own version. From the article:
> 2. Even though the bad actors have lost access to the server from the 2nd of September, 2025, they maintained the credentials of our internal services existing on that server until the 2nd of December, which could have allowed the malicious actors to redirect some of the traffic going to https://notepad-plus-plus.org/getDownloadUrl.php to their own servers and return the updates download URL with compromised updates.
It's ridiculous that any software developed by any developer on Earth can now claim to have been attacked by hackers supported by a certain country.
Why ? It works so well for other, big companies.
Supply chain attacks. What can an average developer do?
That's sad. China should be more helpful with regards to open source.
Notepad++ is a great editor. I don't use it on Linux, because I have an older editor I am very used to, but on Windows I like notepad++ a lot (though lately I have been using geany on Windows, mostly for convenience - I think notepad++ is better but I sort of like the github-based development of geany; either way notepad++ is really excellent as well).
> That's sad. China should be more helpful with regards to open source.
They should also be more helpful with not plundering the oceans, even including the territorial waters of far-flung nations, of fish.
Why the downvotes? I guess I should hope the CCP doesn't hijack this account the way they did Notepad++.
> Additionally, the XML returned by the update server is now signed (XMLDSig)
The latest and greatest cryptography powering everyone’s favorite SAML-based single-sign on.
I wonder who the targets were/what the malicious binaries did. Assuming some gov related shop + sent the contents of files on the host to attackers.
Many large companies allow employees to install software from the internet on their work laptops. How do they avoid being regularly hacked this way (presumably NPP is far from being the only one at risk, and presumably the money from theft of corporate secrets attracts skilled and motivated hackers).
why does this read like it was written by a state-sponsored actor
The thought crossed my mind as well. Lots of typos, plus "old version compromised, use new version ASAP" could also be said to get people on a newly compromised version, right? Though it's probably just that the post author is stressed and rushed the post out. I do wonder if there's a way to verify the post was written by the real dev and that he still has control. Old known GPG sig?
Posted with the new version not even out yet?
IIRC, the author, Don Ho, is French and was born in Taiwan, and accordingly, perhaps his English is somewhat idiosyncratic?
Would've been good if it named the hosting provider. That's the most informative part.
Every shared hosting provider has this risk. Critical projects should be using dedicated or VPS hosting, preferably with encrypted filesystems too as even datacenter techs can fall victim to social engineering.
I'm pretty surprised that they got away with unsigned updates and shared hosting as long as they did. I wonder how many similar popular projects are out there on dodgy infrastructure.
Maybe the hosting provider is currently undergoing an audit or implementing the changes?
I expect to know it one day, but it may be too early to provide the name now.
Lawsuits are expensive and I'd think that name and shaming would open npp up to one
So uhh... what exactly did the "state-sponsored actors" do?
They go on about how their server was compromised, and how the big bad Chinese were definitely behind it, and then claim the "situation has been fully resolved", but there is zero mention of any investigation into what was actually done by the attackers. Why? If I downloaded an installer during the time they were hacked, do I have malware now?
The utter lack of any such information feels bizarre.
Exactly... Were they exfiltrating files open in notepad++, or was notepad++ installing additional malware for system-wide access? What was the end goal?
> Even after losing server access, attackers maintained credentials to internal services until December 2, 2025, which allowed them to continue redirecting Notepad++ update traffic to malicious servers. The attackers specifically targeted Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++.
> Additionally, the XML returned by the update server is now signed (XMLDSig)
XMLDSig is notoriously difficult to implement correctly and securely, I hope this doesn't backfire.
So they say at the provider level update traffic was redirected. Does this also mean their update endpoints didn’t do encryption?
It's also possible the update manifest contained an url that the updater blindly trusted, and by modifying that file you could change what got downloaded.
Yea, should have finished reading. Remediation was to “ verify both the certificate and the signature of the downloaded installer. “
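To make concrete both the "hardcoded key held by the developer" point earlier in the thread and the manifest-URL redirect described just above (an updater that blindly trusts the URL it is handed versus one that checks a signature and the installer hash), here is an added example; it is not Notepad++'s code and not the remediation the project describes, only a plain Ed25519-over-JSON illustration of the same idea. The manifest fields, URLs, installer bytes and key pair are all constructed, and the hypothetical `naiveDownloadURL` is the weak pattern, `verifyManifest` plus `verifyInstaller` the hardened one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest stands in for what an update endpoint returns: where to fetch the
// installer and what it must hash to. Field names are hypothetical.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
}

type SignedManifest struct {
	Payload   []byte // exact manifest bytes that were signed
	Signature []byte
}

// naiveDownloadURL: fetch whatever URL the server hands back, no signature.
func naiveDownloadURL(raw []byte) (string, error) {
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return "", err
	}
	return m.URL, nil
}

// verifyManifest is the hardened path: the publisher's public key is pinned in
// the client, so a compromised web host cannot mint an acceptable manifest.
func verifyManifest(pinned ed25519.PublicKey, sm SignedManifest) (*Manifest, error) {
	if !ed25519.Verify(pinned, sm.Payload, sm.Signature) {
		return nil, errors.New("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Payload, &m); err != nil {
		return nil, err
	}
	return &m, nil
}

// verifyInstaller binds the downloaded bytes to the hash the signed manifest
// committed to; a redirected URL can then only deliver a file that is rejected.
func verifyInstaller(m *Manifest, installer []byte) error {
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("installer hash mismatch: refusing to run it")
	}
	return nil
}

// signManifest is the publisher's side (offline, ideally with an HSM-held key),
// included only so the example runs on its own.
func signManifest(priv ed25519.PrivateKey, m Manifest) SignedManifest {
	payload, _ := json.Marshal(m) // Manifest has only string fields; cannot fail
	return SignedManifest{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// tamperURL plays the attacker: rewrite the URL, keep the original signature.
func tamperURL(sm SignedManifest, evilURL string) SignedManifest {
	var m Manifest
	_ = json.Unmarshal(sm.Payload, &m)
	m.URL = evilURL
	payload, _ := json.Marshal(m)
	return SignedManifest{Payload: payload, Signature: sm.Signature}
}

// runScenario exercises both clients against a genuine and a tampered manifest
// built from constructed inputs.
func runScenario() (naiveURL string, tamperedRejected, genuineOK, swappedRejected bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stand-in for the pinned key pair
	installer := []byte("constructed stand-in for the real installer bytes")
	sum := sha256.Sum256(installer)
	sm := signManifest(priv, Manifest{
		Version: "8.8.8",
		URL:     "https://example.invalid/npp.8.8.8.Installer.x64.exe",
		SHA256:  hex.EncodeToString(sum[:]),
	})
	evil := tamperURL(sm, "https://attacker.invalid/npp.exe")
	naiveURL, _ = naiveDownloadURL(evil.Payload)
	_, err := verifyManifest(pub, evil)
	tamperedRejected = err != nil
	m, err := verifyManifest(pub, sm)
	genuineOK = err == nil && verifyInstaller(m, installer) == nil
	swappedRejected = err == nil && verifyInstaller(m, []byte("swapped payload")) != nil
	return
}

func main() {
	fmt.Println(runScenario())
}
```

Note what this does and does not buy: the host serving the manifest can be fully attacker-controlled and the client still refuses anything not signed by the pinned key, and TLS on its own would not have helped there since the attacker sat behind the legitimate endpoint. It does nothing against a stolen signing key, which is why the key belongs offline or in an HSM rather than on the web host.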
I mean for such a dev focused and extremely performant app, that’s disappointing.
Glad I’m off windows as of late
Will malware/virus scanners detect any bad software?
The whole approach of virus scanning is reactive and incomplete. This is because, except for some uncertain guesswork using "heuristics", it depends upon vendor analysis of submitted malware infection samples after it's already happened to determine specific malware file/process signatures. This doesn't and cannot catch all possible malware that has ever happened, especially if it's new, not widespread, or evaded analysis from ever being noticed. Thus, a fraction of malware will always slip through and will always remain undetectable.
After a machine is compromised by malware, there's rarely-to-never a trustworthy way to ever fix it with 100% certainty. And especially worrisome is "repair" from the host itself, which may be infected with a rootkit that hides and repairs the malware. Thus, the only correct solution is to completely reimage/reinstall from trusted sources. Deviate from this path at one's own extreme cost/risk.
There also exists a tiny amount of even worse, specialized malware, usually deployed by state actors, that infects hardware in such a way that makes it difficult and sometimes uneconomical to repair.
PSA: Never run untrustworthy shit on any machine that matters. This also includes FOSS projects that don't have their shit together.
PSA?: How to establish trust?
Most EDR has a “this program is doing something bad” detector. But the number of folks running security on their build process is still not ubiquitous.
Just downloaded NP++ for my new PC.
What’s a good alternative?
How scintilla-ating!
Another popular project I can think of to look out for is PuTTY. I'm fond of the 2006 vibe, but GitHub probably has stronger security protections.
I love Notepad++ but for some reason it always had some kind of political BS going on and I don't appreciate that.
Job well done!
> This was the exact same technique that was used in 2021 by Audacity's update mechanism, which also redirected traffic to servers hosted in other Aeza Group ASNs and planted a dropper for later campaigns.
I can't find anything about this, can you link a source?
Have you written about this experience elsewhere? That sounds absolutely nuts.
I vaguely remember this happening with somebody on an Audacity project, so jumping in! I believe this was on a GitHub issue for that project, but the project has since disabled issues for the repository since they moved source locations. It also definitely hit some press.
Someone tried to kill you?! People actually killed your friends? Not sure if schizophrenia or actual story ... I desperately need to hear more of this story.
If you find yourself 99.999% sure of almost anything it should be a bit of a red flag to you. If it's based on a hunch without any actual evidence, more so.
Shared hosting for this, really? Fascinating.
I've been thinking a lot lately about open source.
It seems to be a lot like communism - sounds great on paper but we are yet to see a proper implementation.
Between Git, Linux and SQLite there are a few projects that have been led by weirdos who have the time, resources and conviction to drive these through time.
Unless you create some sort of auxiliary business and get an acquihire deal, most things will fizzle out.
Years ago when I started working for BigCo I was amazed by their denial of FOSS. At one point in the project I pointed out a problem, which was heard and recognized, to which I followed up with a solution using an open source package. I thought I was clever - we needed an extra package in our system, but I was able to find a suitable open source solution that would not add to the overall cost of the project. My proposal was immediately pushed back.
Initially I thought it was due to a responsibility issue - if we'd employ a FOSS solution we'd be responsible for the outcome. Having a 3rd party vendor, the management would have the opportunity to shield themselves.
But that doesn't have to be the case. The FOSS project could easily fizzle out. And if we don't have enough resources to incorporate it and make it our own, we can potentially risk being left out to dry.
> Unless you create some sort of auxiliary business and get an acquihire deal, most things will fizzle out.
This is acceptable. Why shouldn't most things started by people not willing to put in the work to keep them going not fizzle out? The important thing is that anyone who actually cares to can jump in and pick up right where the open source software fizzled out and get it going again. Anyone can learn from the code and use it for anything they want, even things that have nothing to do with the goals of the original project.
It's not as if there aren't countless examples of corporate vendors dying off and leaving their customers on the hook with nothing, or just changing the product drastically after the sale. At least in the open source case you have the option to fork the project and continue using it as you always have.
Well, the update in Notepad++ was the single annoying thing and I made sure I turned it off as the first thing after the install. It was terribly annoying, interrupting my workflow every so often, so I have no idea how others managed. Why should it decide when to upgrade anyway? It's a notepad! Why should I even bother to upgrade? Everything I need is already there! A piece of software like this one shouldn't be allowed to send out traffic by default anyway, it should be opt-in.
You should see the apps on MacOS. Almost every single app that is not installed from Appstore has that shitty update popup, it is driving me nuts.
I think Linux has the best solution for this - good package managers for the base system and Flatpak with the Flathub repo for other apps. So you never get stupid popups, and update managers use signed packages and check those signatures before installation.
I'm extremely wary about any application pushing politics.
I subscribe to MacPaw, who makes excellent apps like Setapp, Gemini, and CleanMyMac, all of which I use.
At some point, CleanMyMac started putting the Ukrainian flag on the app icon and flagging utilities by any Russian developer as untrustworthy (because they are Russian), and recommended that I uninstall them.
I am not pro-Russia/anti-Ukraine independence by any means, but CleanMyMac is one of those apps that require elevated system permissions. Seeing them engage in software McCarthyism makes me very, very hesitant to provide them.
Sorry, what does this have to do with notepad++?
Sorry, I meant to reply to this comment: https://news.ycombinator.com/item?id=46851664
Please refer to it for context.
The notepad++ author has publicly come out in favor of Taiwanese independence.
if you're going to give in and avoid applications because, like in this case they take a strong stance on Ukraine or Taiwan the hack has literally achieved its purpose. Either silence the author directly or destroy its userbase.
Fuck 'em and just donate ten bucks to notepad++. I'd rather my PC break than reward this crap.
I think I made it clear that I use (and pay for) their applications. I also think I made a sufficiently nuanced comment that doesn't suggest that I've "given in" to anything.
I support the Ukraine effort as well, but breaking my applications seems like a bridge too far.
I hate to say this, but wariness of software developed within Russia has been around for ages, long before the current war.
Since there are a lot of both Ukrainian and Russian software developers, this is personal for a lot of people in the industry.
> anti-ukraine independence
What the fuck is that supposed to mean, lol. Ukraine isn’t some secessionist state.
> Seeing them engage in software McCarthyism makes me very, very hesitant to provide them.
So are they wrong when flagging software or not? You haven’t provided any details.
They flag AdGuard for Safari as suspicious. It's one of the most popular mac apps, if adguard is truly suspicious then it should be bigger news.