BeepNotepad++ Hijacked by State-Sponsored Hackers
Australis13Oof. Kudos to Notepad++ for being up front with the details.
Yikes… i guess i am confused though. What data was being sent through this channel? What did they get from people while it happened and why did it take 2 months past them stopping it to finally make a release? I love the app, but this sounds really bad.
From my understanding: Basically the attackers could reply to your version check request (usually done automatically) and tell N++ that there were a new version available. If you then approved the update dialogue, N++ would download and execute the binary from the update link that the server sent you. But this didn’t necessarily need to be a real update, it could have been any binary since neither the answer to the update check nor the download link were verified by N++
Thats what i was thinking, but there is no mention on if this did happen and if it did what did was compromised or allowed to happen.
ryannathansHow would n++ devs know?
Expanding on this: the exploit was against their domain name, redirecting selected update requests away from the notepad++ servers. The software itself didn’t validate that the domain actually points to notepad++ servers, and the notepad++ update servers would not see any information that would tell them what was happening.
Likely they picked some specific developers with a known public IP, and only used this to inject those specific people with malware.
setVeryLoud(true);So the solution would have been an SSL certificate check on the client side.
Can’t tell if that would have helped
which could have allowed the malicious actors to redirect some of the traffic going to notepad-plus-plus.org/getDownloadUrl.php to their own servers
They could have just piped the binaries though the same server since they had this level of access. They would have had months to figure it out.
Oof, I thought it was just a DNS hijack. If they had access to the server, it’s game over regardless.
KissakiIt’s not game over regardless if the updater checks a signature of the update installer. Them it wouldn’t run an installer by someone else.
That’s true, assuming they didn’t also put their private keys on the server
As the hoster wrote this:
we immediately transferred all clients’ web hosting subscriptions from this server
It looks like the binaries and the update check script were put on a simple web space. If that is the correct conclusion to draw from this excerpt, then it’d be rather strange to have the keys on that server as it’s very unlikely that it was used to produce any builds.
The previous release already fixed this, or evaded the issue.
The channel was the update mechanism. Upon Notepad++ checking for updates, they were able to inject their own. So if you updated via the apps own update checker they could have misdirected you into installing something else or something modified.
The software itself, and the devs, have little to nothing to do with this besides detecting the issue. Which was not obvious, since (it seems) the attack was targeted at specific IPs/hosts/places. It likely worked transparently without alteration for most users, probably including the devs themselves.
It also would only affects updates through the built-in updater; if you disabled that, and/or installed through some package managers, you would not have been affected.
A disturbing situation indeed. I assume some update regarding having adequately digitally signed updates were done (at least, I hope… I don’t really use N++ anymore). But the reality is, some central infrastructure are vulnerable to people with a lot of resources, and actually plugging those holes requires a bit of involvement from the users, depending how far one would go. Even if everything’s signed, you have to either know the signatory’s public key beforehand or get a certificate that you trust. And that trust is derived from an authority you trust (either automatically through common CA lists, or because you manually added it to your system). And these authorities themselves can become a weak point when a state actor butts in, meaning the only good solution is double checking those certificates with the actual source, and actually blocking everything when they change, which is somewhat tedious… and so on and so on.
Of course, some people do that; when security matters a LOT. But for most people, basic measures should be enough… usually.
So should we at least uninstall our current Notepad++ and then download a new version? What else should we do, the post really doesn’t offer any advice.
kurmudgeonI don’t think you’ll need to uninstall. If I’m reading the article correctly, it looks like they plugged the hole in their update process by switching hosting providers to one that’s even more hardened and secure. So requests from the updater should go to the correct place now and not the state-sponsored hacker.
Then in about a month, the next version of notepad++ that is released will also properly validate/verify any downloaded update files from the server.
The article literally states that should you download the latest version from their site directly and then use the installer to update manually. Who knows if those who were effected already could have something else compromising the update/install process. I wouldnt update from the built in updater until the new fix with certificate and signature verification is released.
In the old post from when the update was released a Heise article is linked, that contains indicators of compromise, and in turn links to Kevin Beaumont for the details of his analysis:
lemmy.zip/post/54712916
heise.de/…/Notepad-updater-installed-malware-1110…
doublepulsar.com/small-numbers-of-notepad-users-r…
I would just follow their advice, download the newest version from their site directly and use the new versions installer to update manually. I would probably do the same thing when the newest version with certificate and signature verification releases, after that I would assume you should be good to go. However its probably also worth scanning your system for malware just incase you updated during the time frame the attack was live.
So what malware got shipped?
If it was important and true, they would’ve spell-checked.
paraphrandSo that’s what the second plus includes….
Ricky Rigatonichina isn’t a state they’re a different country and do not belong to the united mexican states.
dindonmaskerI would like to know starting from wich version should i be concerned. I haven’t updated in a while i think.
The timeline says the attack started in June of 2025 and continued through Dec 2, 2025. If you installed, updated, or silently updated during that period you may have been targeted / compromised.
Looks like 8.8.1 was May 2025 https://notepad-plus-plus.org/news/v881-we-are-with-ukraine/
8.8.2 was June 2025 and has a warning to ignore “false positives” of malware in the update…. Ouch. https://notepad-plus-plus.org/news/8.8.2-available-in-1-week-without-certificate/
You might have version 8.8.1 or lower, however it might have tried to order update got the vulnerable package instead and then remained on the older version. I think even if you have the older version that’s not a sign that you weren’t compromised.
Fair point. I was assuming the malicious payload would come along with an update on order to hide, but it’s also possible that the malicious payload was delivered without any update to notepad++.
I’ve not seen any IOCs published have you?
I’m not sure what you mean. The article states there were remote hands on keyboard noticed in multiple companies. That’s how the vulnerability was discovered.
There’s some IOC information here:
And here:
The Notepad++ supply chain attack — unnoticed execution chains and new IoCs
Kaspersky GReAT experts discovered previously undocumented infection chains used in the Notepad++ supply chain attacks. The article provides new IoCs related to those incidents which employ DLL sideloading and Cobalt Strike Beacon delivery.
How would you know if you updated?
My notepad++ is on 8.9.1 and I have no idea how it’s on that ver (ninite I think is where I sourced it…maybe it’s auto updating?)
Odds are you weren’t on the “targeted list”.
If you don’t know, you’re probably auto updating.
If you updated or installed in 2025 after June-ish, the safe thing to do is uninstall, then download from the new (theoretically more secure) website and install the new (theoretically more secure) 8.9.1.
If you were pwned by an update during later 2025, they could disguise just about anything in your Notepad++ and its associated files - make it look perfectly normal, make it act perfectly normal, but have their own malware on your system doing… whatever it is they want it to do.
I understand one of the things they were doing is running a proxy to carry traffic through your system, so if you see a lot of unexpected network activity (under Windoze how can you tell?) you may have been compromised. But that’s not the only thing they could have done, nobody has really analyzed the attack yet and even after they do, you might have gotten a “special” payload that the analysis team didn’t see…
Unfortunately i do work for a targeted company (we do a lot of secret squirrel stuff) in south East Asia.
We get a lot of attacks.
I was looking at the attack and malware they inject (there is a blog post link on the notepad++ notice) which pointed out how the attack worked. Apparently they run a service called bluetoothservice.exe. I didn’t see anything like that or any the other stuff they said gets created.
But then again finding malware isn’t my bag so who knows.
Pretty sure my updates came via nanite installer so I’m hoping I wasn’t targeted.
the safe thing to do is uninstall, then download from the new (theoretically more secure) website and install the new (theoretically more secure) 8.9.1.
That won’t rescue your system if it is already compromised though. It will just prevent it from being newly compromised in this manner.
China, Russia, the US, fucking Israel. They all piss me off so fucking much. Can’t we live in a sane world just for a single fucking day?
lechekaflanMake money? Occupied Tibet would like to have a word.
Why must this he compared? The Tiananmen Square massacre was insanely inhumane. They crushed peaceful protestors on bicycles with fucking tanks. They squished the people into a pulp so they could hose them into the gutters. Israel and Russia are also evil, also on a larger scale but that doesn’t absolve China from their shit.
Ok, It doesn’t have to be.
I see if we compare China, Russia, Usa and Israel, the China looks the most peaceful in that comparison.
At least China wants to make money, others not only money
But your original comment is still untrue.
Uyghurs were killed like ukrainians or palestinians?
Ok, Im not going to argue. I see what China did and still does.
Uyghurs were killed like ukrainians or palestinians?
Unfortunately:
en.wikipedia.org/…/Persecution_of_Uyghurs_in_Chin…
