Notepad++ hijacked by state-sponsored actors
by mysterydip on 2/2/2026, 1:59:56 AM
https://notepad-plus-plus.org/news/hijacked-incident-info-update/
Comments
by: edb_123
So, let me get this straight. If I've been lazy, postponed updates and I'm still on 8.5.8 (Oct 2023) - it turns out I'm actually...safer?

Anyway, I hope the author can be a bit more specific about what actually has happened to those unlucky enough to have received these malicious updates. And perhaps a tool to e.g. do a checksum of all Notepad++ files, and compare them to the ones of a verified clean install of the user's installed version, would be a start? Though I would assume these malicious updates would be clever enough to rather have dropped and executed additional files, rather than doing something with the Notepad++ binaries themselves.

And I agree with another comment here. With all those spelling mistakes that notification kind of reads like it could have been written by a state-sponsored actor. Not to be (too) paranoid here, but can we be sure that this is the actual author, and that the new version isn't the malicious one?
2/2/2026, 4:18:23 AM
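The checksum tool the comment above asks for, as an added example that is not part of the thread or of the Notepad++ project: hash every file under an install directory, compare it to a manifest taken from a verified clean install of the same version, and report modified, missing and extra files. Reporting extra files is what catches the case the commenter worries about (a dropped payload beside untouched Notepad++ binaries). The file names and contents in Demo are constructed sample data, not real release artifacts.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"sort"
)

// Manifest maps a slash-separated path relative to the install root to its hex SHA-256.
type Manifest map[string]string

// BuildManifest hashes every regular file under root.
func BuildManifest(root string) (Manifest, error) {
	m := Manifest{}
	err := filepath.WalkDir(root, func(p string, d os.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		rel, err := filepath.Rel(root, p)
		if err != nil {
			return err
		}
		sum, err := hashFile(p)
		if err != nil {
			return err
		}
		m[filepath.ToSlash(rel)] = sum
		return nil
	})
	return m, err
}

func hashFile(p string) (string, error) {
	f, err := os.Open(p)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// Diff is the three ways an install can deviate from the clean reference.
type Diff struct {
	Modified []string // in both, different content
	Missing  []string // in reference, absent on disk
	Extra    []string // on disk, not in reference: where a dropped payload shows up
}

// Compare checks an installed tree's manifest against the reference manifest.
func Compare(reference, installed Manifest) Diff {
	var d Diff
	for p, want := range reference {
		got, ok := installed[p]
		if !ok {
			d.Missing = append(d.Missing, p)
		} else if got != want {
			d.Modified = append(d.Modified, p)
		}
	}
	for p := range installed {
		if _, ok := reference[p]; !ok {
			d.Extra = append(d.Extra, p)
		}
	}
	sort.Strings(d.Modified)
	sort.Strings(d.Missing)
	sort.Strings(d.Extra)
	return d
}

// Clean is true when the install matches the reference exactly.
func (d Diff) Clean() bool { return len(d.Modified)+len(d.Missing)+len(d.Extra) == 0 }

func writeTree(root string, files map[string]string) error {
	for rel, content := range files {
		p := filepath.Join(root, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(p, []byte(content), 0o644); err != nil {
			return err
		}
	}
	return nil
}

// Demo builds two constructed trees in a temp dir (not real release files): a clean
// reference, and an install where one DLL was altered and one file was dropped in.
func Demo() (Diff, error) {
	base, err := os.MkdirTemp("", "npp-integrity-")
	if err != nil {
		return Diff{}, err
	}
	defer os.RemoveAll(base)
	clean := map[string]string{"notepad++.exe": "constructed clean exe",
		"plugins/example.dll": "constructed clean plugin", "updater/GUP.exe": "constructed clean updater"}
	suspect := map[string]string{"notepad++.exe": "constructed clean exe",
		"plugins/example.dll": "constructed ALTERED plugin", "updater/GUP.exe": "constructed clean updater",
		"updater/extra.dll": "constructed file not in reference"}
	if err := writeTree(filepath.Join(base, "clean"), clean); err != nil {
		return Diff{}, err
	}
	if err := writeTree(filepath.Join(base, "suspect"), suspect); err != nil {
		return Diff{}, err
	}
	ref, err := BuildManifest(filepath.Join(base, "clean"))
	if err != nil {
		return Diff{}, err
	}
	inst, err := BuildManifest(filepath.Join(base, "suspect"))
	if err != nil {
		return Diff{}, err
	}
	return Compare(ref, inst), nil
}

func main() {
	d, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("clean=%v modified=%v missing=%v extra=%v\n", d.Clean(), d.Modified, d.Missing, d.Extra)
}
```

In practice the reference manifest has to come from somewhere the attacker could not have touched (a fresh download verified out of band, or an offline clean machine on the same version); a manifest produced by the same possibly-compromised updater proves nothing.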
by: simlevesque
Probably related to this: https://notepad-plus-plus.org/news/v869-about-taiwan/
2/2/2026, 2:18:44 AM
by: dabinat
> With these changes and reinforcements, I believe the situation has been fully resolved. Fingers crossed.

I get that this is a difficult situation for a small developer, but ending with this line did not fill me with confidence that the problem is actually resolved and make me trust their software on my system.
2/2/2026, 4:46:18 AM
by: Lammy
Vindicated once again for turning off any update checks the moment I install any new piece of software.

Even if this sort of (obviously rare) attack is not a concern, it baffles me how few otherwise-intelligent people fail to see the way these updaters provide the network (which itself is always listening, see Room 641A and friends) with a fingerprint of your specific computer and a way to track its physical location based on the set of software you have installed, all of which want to check for updates every goddamn day.
2/2/2026, 4:16:11 AM
by: Helmut10001
It looks like using Chocolatey [1] saved me from this attack vector because maintainers hardcode SHA256 checksums (and choco doesn't use WinGuP at all).

[1]: https://chocolatey.org/
2/2/2026, 4:57:44 AM
by: tragiclos
> Traffic from certain targeted users was selectively redirected to attacker-controlled served malicious update manifests.

I'd be curious to know if there was any pattern as to which users were targeted, but the post doesn't go into any further detail except to say it was likely a Chinese state-sponsored group.
2/2/2026, 3:04:04 AM
by: wglass
Can someone help clarify this for me?

Is it correct to say that users would only get the compromised version if they downloaded from the website?

Notepad++ has an auto-update feature; is there any indication that updates from the AutoUpdate were compromised?
2/2/2026, 4:13:56 AM
by: jmole
I always worry about tools like this, maintained by small teams, that are so universal that even if only a small fraction of installs are somehow co-opted by malicious actors, you have a wide open attack surface on most tech companies.

e.g. iTerm, Cyberduck, editors of all shades, various VSCode extensions, etc.
2/2/2026, 2:20:10 AM
by: thisislife2
Wow. I'd love to know more about how the targeted systems were actually compromised.
2/2/2026, 2:10:11 AM
by: OsrsNeedsf2P
So the hosting provider was hacked? Who was their hosting provider?

This is also why update signatures should be validated against a different server; it would require hackers to control both servers to go undetected.
2/2/2026, 2:21:25 AM
by: egl2020
This is all fascinating, but in the end: I have Notepad++; what should I do?
2/2/2026, 2:29:07 AM
by: daemonhunter
So what mitigations should the end user be doing? How do we know if anything is compromised?
2/2/2026, 3:00:04 AM
by: shellcromancer
> Additionally, the XML returned by the update server is now signed (XMLDSig)

The latest and greatest cryptography powering everyone's favorite SAML-based single sign-on.
2/2/2026, 4:47:55 AM
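The two comments above (validating update signatures against a different server; the project's move to signing the update XML) both come down to one property: a redirect at the hosting layer must not be enough to make the client accept an attacker's manifest. The added example below, which is not code from the thread or from Notepad++ (whose real manifest is XML, now XMLDSig-signed per the post), models that with a constructed manifest struct signed with Ed25519. The publisher's public key is pinned in the client, so the check does not depend on any server at all; the URLs, version string and installer bytes are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// UpdateManifest is a constructed stand-in for the update server's XML: which version
// to fetch, from where, and what the downloaded bytes must hash to.
type UpdateManifest struct {
	Version string
	URL     string
	SHA256  string // hex SHA-256 of the installer
}

// canonical gives signer and verifier identical bytes to hash (fixed field order).
func (m UpdateManifest) canonical() []byte {
	return []byte(m.Version + "\n" + m.URL + "\n" + m.SHA256 + "\n")
}

// Sign runs on the publisher's side with the private key that never touches the update host.
func Sign(priv ed25519.PrivateKey, m UpdateManifest) []byte {
	return ed25519.Sign(priv, m.canonical())
}

var ErrBadSignature = errors.New("manifest signature does not verify against pinned key")
var ErrHashMismatch = errors.New("installer hash does not match signed manifest")

// Client carries the publisher's public key baked in at build time. Whatever the
// update host (or whoever is redirecting traffic to it) returns is checked against it.
type Client struct{ Pinned ed25519.PublicKey }

func (c Client) Verify(m UpdateManifest, sig []byte) error {
	if !ed25519.Verify(c.Pinned, m.canonical(), sig) {
		return ErrBadSignature
	}
	return nil
}

// CheckInstaller ties the downloaded bytes to the signed manifest, so a valid signature
// on a manifest cannot be reused to bless a different installer.
func (c Client) CheckInstaller(m UpdateManifest, sig, installer []byte) error {
	if err := c.Verify(m, sig); err != nil {
		return err
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrHashMismatch
	}
	return nil
}

// Scenario: the publisher signs a manifest; an attacker controlling the hosting path
// serves a substitute manifest and payload, first replaying the captured signature,
// then signing with a key of their own. Returns whether the client accepted each.
func Scenario() (legitOK, replayOK, ownKeyOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	client := Client{Pinned: pub}

	installer := []byte("constructed installer bytes") // placeholder, not a real release
	sum := sha256.Sum256(installer)
	good := UpdateManifest{"1.0.0-example", "https://updates.example.invalid/app.exe", hex.EncodeToString(sum[:])}
	sig := Sign(priv, good)
	legitOK = client.CheckInstaller(good, sig, installer) == nil

	payload := []byte("constructed attacker payload")
	psum := sha256.Sum256(payload)
	tampered := good
	tampered.URL = "https://attacker.example.invalid/app.exe"
	tampered.SHA256 = hex.EncodeToString(psum[:])

	// Redirecting traffic lets the attacker choose the bytes, not forge the signature.
	replayOK = client.CheckInstaller(tampered, sig, payload) == nil
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	ownKeyOK = client.CheckInstaller(tampered, Sign(attackerPriv, tampered), payload) == nil
	return
}

func main() {
	legit, replay, own, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("legitimate accepted=%v  replayed-signature accepted=%v  attacker-key accepted=%v\n", legit, replay, own)
}
```

Fetching the signature or key from a second server, as the first comment suggests, raises the bar from one compromised host to two; pinning the key in the client removes the server from the trust decision entirely, and the remaining risk moves to key custody and to the first install, which still has to be obtained over a path the user trusts.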
by: manapause
Not Notepad++! (Opens WhatsApp) OpenClawd, express my discontent across all my channels and draft an email to send to IT tomorrow morning. Also turn the lights off and go to bed. (Somewhere in China, all the lights go out)
2/2/2026, 3:42:13 AM
by: nickorlow
I wonder who the targets were/what the malicious binaries did. Assuming some gov related shop + sent the contents of files on the host to attackers.
2/2/2026, 3:52:51 AM
by: tech234a
Notably Notepad++ was recently shipping unsigned/self-signed updates, apparently overlapping with the time of this incident, see releases 8.8.2-8.8.6: https://notepad-plus-plus.org/news/
2/2/2026, 2:39:08 AM
by: starkeeper
What was the impact of being compromised? Were they able to inject code into releases of Notepad++?
2/2/2026, 2:49:48 AM
by: cookiengineer
This was the exact same technique that was used in 2021 by Audacity's update mechanism, which also redirected traffic to servers hosted in other Aeza Group ASNs and planted a dropper for later campaigns.

When I forked Audacity, within less than 48h my life turned to absolute shit. Defamation campaigns, people trying to kill me, people killing my friends, people stalking me with Austrian and Swiss license plates etc. When I investigated it further, it turns out I stumbled upon the FSB/SVR branch of the former Mirai botnet, who used Audacity to spread into larger networks.

If the Notepad++ devs see this, please check your opsec and the opsec of your loved ones.

Stay safe, and don't underestimate the Chinese Ministry of Security! They're operating in the EU, too.

PS: If you need help with this, contact me.
2/2/2026, 3:04:25 AM
by: thomasjudge
Will malware/virus scanners detect any bad software?
2/2/2026, 3:44:30 AM
by: getcrunk
So they say at the provider level update traffic was redirected. Does this also mean their update endpoints didn't do encryption?
2/2/2026, 2:32:35 AM
by: kwar13
Would've been good if it named the hosting provider. That's the most informative part.
2/2/2026, 2:24:43 AM
by: johnsillings
Why does this read like it was written by a state-sponsored actor?
2/2/2026, 2:21:16 AM
by: dehrmann
Another popular project I can think of to look out for is PuTTY. I'm fond of the 2006 vibe, but GitHub probably has stronger security protections.
2/2/2026, 3:59:34 AM
by: gradus_ad
The CCP must be destroyed.
2/2/2026, 3:00:16 AM
by: nosrepa
How scintilla-ating!
2/2/2026, 2:25:43 AM
by: bakugo
So uhh... what exactly did the "state-sponsored actors" do?

They go on about how their server was compromised, and how the big bad Chinese were definitely behind it, and then claim the "situation has been fully resolved", but there is zero mention of any investigation into what was actually done by the attackers. Why? If I downloaded an installer during the time they were hacked, do I have malware now?

The utter lack of any such information feels bizarre.
2/2/2026, 2:44:35 AM
by: ivankabiden
Job well done!
2/2/2026, 4:01:12 AM
by: prodigycorp
I'm extremely wary about any application pushing politics.

I subscribe to MacPaw, who makes excellent apps like Setapp, Gemini, and CleanMyMac, all of which I use.

At some point, CleanMyMac started putting the Ukrainian flag on the app icon and flagging utilities by any Russian developer as untrustworthy (because they are Russian), and recommended that I uninstall them.

I am not pro-Russia/anti-Ukraine independence by any means, but CleanMyMac is one of those apps that require elevated system permissions. Seeing them engage in software McCarthyism makes me very, very hesitant to provide them.
2/2/2026, 2:32:10 AM