Notepad++'s update mechanism was compromised from June to December 2025. They believe it was a state actor practicing selective targeting and not a no-hosts-refused malware gang situation. https://notepad-plus-plus.org/news/hijacked-incident-info-update/
Notepad++ Hijacked by State-Sponsored Hackers | Notepad++

Interestingly, @GossiTheDog was pretty on top of this in December, weeks before Notepad++ formally disclosed. I agree with the assessment that, while Notepad++’s update situation was a little shaky, fundamentally it wasn’t gross negligence on their part but attracting powerful attention. (The developer is very openly pro-Taiwan and pro-Ukraine, and the state actors may have reasoned it was a good way to gain access to orgs with aligned views.)

edit to extract the blog link from the post as I’ve realized this user has an autodelete timer: https://doublepulsar.com/small-numbers-of-notepad-users-reporting-security-woes-371d7a3fd2d9

https://cyberplace.social/@GossiTheDog/116000636303016143

Small numbers of Notepad++ users reporting security woes

Auto updates are fun.

@0xabad1dea Oh what the fuck lol.
@0xabad1dea So glad I am using VScode instead. No malicious state actors meddling with that app, just malicious corporate actors.
@jtig @0xabad1dea Ah, you didn't hear about the MS news then? That MS was handing over data based on court orders. So state actors just have to ask MS. Not saying it's a reason to stop using it though.

@mer @0xabad1dea Not to mention, the extension marketplace is a breeding ground for malicious actors (however aligned). And the execution of scripts after trusting the repo in VSCode the OP pointed out a while ago.

Maybe VSCode isn't the right IDE either 

@0xabad1dea sethbling will be horrified
@0xabad1dea luckily notepad++'s update process is such a pain in the ass that it's estimated that only 5% of targeted users were actually successfully compromised during that period
@0xabad1dea this is perfect!
There are always discussions about why we - in a professional environment - don't just enable auto updates but instead check, package and deploy software internally.

@0xabad1dea As a Notepad++ user, yikes.

I wonder why a state actor would specifically target Notepad++. It seems like an odd choice.

@iampytest1 less odd if I point out that the developer is vocally pro-Taiwan?

@0xabad1dea Interesting.

The incident began from June 2025. Multiple independaent [sic] security researchers have assessed that the threat acotor is likely a Chinese state-sponsored group, which would explain the highly selective targeting obseved during the campaign.

@0xabad1dea oh no... Not again...
oh, OK. guess I had a different kind of concern instead
@0xabad1dea Luckily the second-highest bing result for "notepad++" is still "notepadplus.com.cn"; so anyone who was worrying that they'd missed out looks like they've still got options.
@0xabad1dea why do they spend their time developing their own update mechanism?
@gunstick because the app dates to 2003?