317
Notepad++ Hijacked by State-Sponsored Hackers
(notepad-plus-plus.org)
How many times has this happened to Notepad++ now?
"The exact technical mechanism remains under investigation, though the compromise occured at the hosting provider level rather than through vulnerabilities in Notepad++ code itself. Traffic from certain targeted users was selectively redirected to attacker-controlled served malicious update manifests."
Fuckall they could really have done about it other than changing host providers, which they mentioned they already have as a result.
Sign the updates before uploading them so they can't be faked?
It's astounding this wasn't done years sooner to be honest. I mean, signing software with keys is not something invented recently. Not doing so is akin to storing passwords in plain text.
I think they want to, but Microsoft has made it expensive for open source developers who do this as a hobby and not as a job to sign their software. I know not too long ago, this particular dev was asking its users to install a root certificate on their PC so that they wouldn't have to deal with Microsofts method of signing software, but that kind of backfired on them.
Let’s Encrypt is a trusted, established alternative, it could replace Microsoft for long-lived software certificates.
Or tarnish its name associating it with malware and bad actors, who knows?
Let’s Encrypt is a trusted, established alternative, it could replace Microsoft for long-lived software certificates.
Uh, no it could not.
First of all, the whole point of signing software is to ensure it comes from a reputable source. Let’s Encrypt signs certificates with an automated process that does no verification whatsoever of the identity of the person asking for a certificate. It would make the whole process completely pointless.
Second, Let’s Encrypt has stated themselves over a decade ago that they have no intention of doing this because it would render the whole system pointless.
The point of signing software is to ensure the software was not tampered from the publisher. Linux package managers solve this by comparing a gpg key from the publisher with the software's. There is no need for a corporate giant to "vet" software.
I guess, the point was there's nothing doing that in windows, and you will have to check manually or use an expensive M$ certificate
Yes, but from what I understand this refers to the automatic update functionality and not Microsoft's own .exe signature verification thing.
Couldn't you do it like this:
- Put hardcoded key into N++
- If a new release is available: Download, then verify signature
- If the signatures match, do whatever Windows requires to install an update
That should work, shouldn't it?
No, because you wouldn't be able to execute the updated exe without a valid signature. You would essentially brick the install with that method, and probably upset Microsoft's security software in the process.
I meant the old .exe would check the signatures before initializing the official Windows way to update. Effectively have this run whenever you start the application:
main() {
if (update_available()) {
exe_path = download_update()
if (signature(exe_path) == SIGNATURE) {
install_update(exe_path)
restart()
} else {
put_up_a_warning_or_something()
delete(exe_path)
}
}
# Rest of the application
# ...
}
The only thing I have no idea how to implement would be the install_update(path) function. But surely this is one way to install updates without signatures recognized by Microsoft, right?
And if for some reason you aren't allowed to sign the .exe because this breaks something, then place an unsigned .exe in a signed zip folder.
After you install the update, which exe will you execute after the app restarts?
I don't know enough about Windows app development to answer this. Maybe it replaces the old .exe and the now replaced .exe is just continuing to run from RAM? Maybe there is some restarter.exe program in the same folder that does all the work. In any case, this depends far too much on the Windows update process and how to launch applications.
I just know when I used Windows applications in the past, they were able to restart themselves after updating somehow.
After an update on Windows, you must close the application to clear the RAM before launching the updated exe.
Upon launching the new binary exe, Microsoft will check the code signing certificate and make sure its valid before letting it execute. If its not signed, you will be met with a warning that the binary publisher is unknown, and I believe that Microsoft won't even let it launch nowadays
that’s all completely irrelevant.., there is already an update mechanism built into NPP: that’s the entire point of the attack… it’s this update mechanism that got hijacked
If Notepad++ had a valid signing certificate, you wouldn't be able to run the malicious binary in the update. How is that not relevant?
there are more ways to do signing than paying microsoft boat loads of money… just check a gpg sig file ffs (probably using detached signatures: again, it’s already built into existing tools and it’s a well-known, easily solved problem)
what’s irrelevant is the argument about how the auto update mechanism would work because it already exists
The gpg sig method works great on other operating systems that aren't Windows or MacOS, but Windows and MacOS do not use that method to verify the authenticity of developer's certificates.
The update mechanism works fine, but you will not be able to execute the binary on a Windows or MacOS system. The OS will not allow it to run without it being signed.
The malicious actor would not be able to drag and drop their malware in without the Notepad++ certificate. The signature wouldn't match.
The certificate is not only doing authentication of the developer, but it is also doubling as an integrity check to make sure the code hasn't been modified.
load more comments
(6 replies)
How are they doing it now, then?
The answer to that question is honestly super complicated, and it has its own job title tbh. Managing code signing certificates can be really complex depending on the software.
This gist kinda covers the basics
https://gist.github.com/MangaD/e8f67fb39a35abdbf4ad26711c5957cc
load more comments
(2 replies)
Cryptography is hard and programmers are notoriously really really really bad at it.
load more comments
(1 replies)
Note on timelines: The security exper’s analysis indicates the attack ceased on November 10, 2025, while the hosting provider’s statement shows potential attacker access until December 2, 2025. Based on both assessment, I estimate the overall compromise period spanned from June through December 2, 2025, when all attacker access was definitively terminated.
I'm only aware of the one (somewhat extended) time described in the article. The dev(s?) has been upfront about what happened and provided updates as they learned more information, hence multiple headlines on the subject.
With these changes and reinforcements, I believe the situation has been fully resolved. Fingers crossed.
Once
Notepad++ Hijacked by State-Sponsored Hackers
Links to notepad-plus-plus.org
Yea idk enough about to computers to know if I should click that or not...
So the exploit redirected update traffic. Does that mean anyone who ran updates in that time period could have downloaded a compromised version and their machine would be infected?
Why isn't that covered in the post?
First thing I do every time I (manually) update notepad++ is turn off automatic updates. Automatic updates are the root of all evil
But what about all the new and exciting features?! What if they come out with more letters, then who will be laughing? Likely still you but hey automagic programs are standard right?
load more comments
(1 replies)
Worth noting this is not a new vulnerability, it's an analysis of a vulnerability disclosed in December:
Following the security disclosure published in the v8.8.9 announcement
https://notepad-plus-plus.org/news/v889-released/
the investigation has continued in collaboration with external experts and with the full involvement of my (now former) shared hosting provider.According to the analysis provided by the security experts, the attack involved infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org. The exact technical mechanism remains under investigation, though the compromise occured at the hosting provider level rather than through vulnerabilities in Notepad++ code itself.
The incident began from June 2025. Multiple independaent security researchers have assessed that the threat acotor is likely a Chinese state-sponsored group, which would explain the highly selective targeting obseved during the campaign.
I do kind of wonder about the emacs package management infrastructure system. Like, if attacking things that text editors use online is an actively-used vector.
Someone almost managed to inject a vulnerability into the source code for sshd. They planned it for years, and it was only caught because someone noticed unusually high network traffic. Any vulnerability into a core package like that could be massive. Notepad++ is a little smaller, but this is still one of the bigger hacks of the decade.
Someone almost managed to inject a vulnerability into the source code for sshd.
You're probably thinking of the Jia Tan attack on xz; because of a distro patch in Debian, code in xz had the ability to affect sshd. The changes weren't actually to the sshd source, but trying to use an obscure route to affect sshd.
Well now I'm nervous! My first instinct though is that the vast majority of Emacs packages are plain elisp, and Emacs users have a habit of cracking open and tinkering with their packages, so any malicious code ought to be spotted quickly.
With the native compiled modules however, it could be another story...
load more comments
(1 replies)
It bothers me that there are so many typos in this post. Doesn't N++ have spellcheck?
Maybe that was in an update.
Funny. (Offered since 2015, last update was in 2023)
Yeah, not like we are reading about how "According to the analysis provided by the security experts, the attack involved infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org."
But maybe the endless need for autoupdates on everything (in this case N++) will be the end of secure software. Ironic.
Wait, are you saying that the attacks in 2025 possibly disabled the devs spellcheck?
Ha! Unlikely, but having a notepad program have automatic updates by default is just about dumb enough that I could see it.
For sure
It does have ninjas though.
shoutout to evilsocket! nothing like this ever gets access with opensnitch
view more: next ›
this post was submitted on 02 Feb 2026
317 points (99.4% liked)
Programming
25285 readers
535 users here now
Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!
Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.
Hope you enjoy the instance!
Rules
Rules
- Follow the programming.dev instance rules
- Keep content related to programming in some way
- If you're posting long videos try to add in some form of tldr for those who don't want to watch videos
Wormhole
Follow the wormhole through a path of communities !webdev@programming.dev
founded 2 years ago
MODERATORS