NEW: The developer of the long-running and popular open source text editor Notepad++ has confirmed that China government-backed hackers hijacked the software's update feature for months during 2025.

The hackers could access computers of victims who were running hijacked versions of Notepad++.

https://techcrunch.com/2026/02/02/notepad-says-chinese-government-hackers-hijacked-its-software-updates-for-months

Notepad++ says Chinese government hackers hijacked its software updates for months | TechCrunch

The developer of the popular text editor Notepad++ said hackers associated with the Chinese government hijacked its software update mechanism to deliver tainted software to users for months.

@zackwhittaker This is why software should not have automatic updates built in.

If you enable automatic updates, you are giving that software developer admin access to your machine!

The update process might get hacked, or the software might get sold on to a threat actor, or a government might use the software to compromise you.

Auto updaters built into applications were a mistake.

@zackwhittaker @mike805 I don't see how this helps. If you don't update software, eventually there's going to be a security hole you don't get a fix for. If you update software, are you really going to manually review every update for every piece of software you run? Unless you do, manual updating does not actually improve your security over automatic.

@chopsstephens @zackwhittaker Depends on what kind of software. I might be ok with a browser auto updating or at least prompting.

But notepad? A text editor is not a huge target to get hacked. It should not really have any networking at all. But put in an auto updater and now it's a threat to the whole machine.

It does not help that auto updaters run as system services so they can install software.

Not every app needs an auto updater. It's a huge attack surface the user cannot control.

@mike805 From what I read in the article, what was hacked was the initial download, and eventually fixed via auto updates.

@chopsstephens @zackwhittaker