Notepad++ hijacked by state-sponsored actors

Technical nature of the compromise

  • Attack appears to be a classic supply‑chain MITM on the update infrastructure:
    • DNS/hosting for notepad-plus-plus.org was compromised; update traffic from some users was redirected to attacker‑controlled servers.
    • Older Notepad++ versions had “insufficient update verification”: self‑signed certificate with the private key in the public repo, and unsigned update manifests.
    • Attackers could return a malicious installer in response to the auto‑update check. Commenters note this means arbitrary code execution was possible.
  • Linked analyses say attacks were highly targeted, seemingly focused on a small group of Asian users with “hands‑on‑keyboard” follow‑up.
  • Many are frustrated that the official write‑up gives almost no detail on payload behavior, indicators of compromise, or victim profile.

Who was at risk and what to do

  • Consensus reading: if you were on ≤8.8.1 and did not auto‑update during roughly June–Dec 2025, you were probably not hit.
  • Anyone who updated via the built‑in updater during that window could have received a malicious binary; manual installs via package managers that pin hashes (Chocolatey, winget, distro repos) were likely safer.
  • Strong advice for those who think they were targeted: treat the machine as compromised (reinstall OS from trusted media, don’t reuse binaries).
  • No clear answer on whether AV/EDR would reliably detect this; people stress that scanners are reactive and incomplete.

Auto‑updates, signing, and small‑project risk

  • Many see this as a textbook example of:
    • Excessive/unnecessary auto‑update nagging.
    • Weak update signing practices (self‑signed cert in repo, unsigned manifests).
    • A small volunteer project running high‑value infrastructure on shared hosting.
  • Disagreement on tactics:
    • Some advocate disabling all auto‑updates and manually vetting updates or using package managers with checksums.
    • Others counter that staying unpatched is a much bigger real‑world risk than rare supply‑chain attacks.
  • Suggestions: proper CA‑issued code signing, HSMs, hardcoded keys in the client, reproducible builds, and having updates built/signed by third‑party package portals.
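What the “hardcoded keys in the client” and signed‑manifest suggestions amount to in code, as an added example written for this summary rather than anything from Notepad++’s own updater: the installer hash is bound into a manifest, the manifest is signed with a vendor key whose public half is compiled into the client, and an attacker who controls the update host or its DNS can neither swap the installer nor re‑sign the manifest. The Ed25519 key pair, manifest format and installer bytes are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the update metadata the client fetches; the JSON bytes exactly as served are what is signed.
type Manifest struct {
	InstallerSHA256 string `json:"installer_sha256"`
}
var ErrBadSignature = errors.New("manifest signature does not verify against the pinned vendor key")
var ErrHashMismatch = errors.New("installer hash does not match the signed manifest")

// VerifyUpdate is the client-side check. pinnedKey is compiled into the client, so whoever
// controls the update host (or the DNS pointing at it) cannot swap in their own key.
func VerifyUpdate(pinnedKey ed25519.PublicKey, manifest, sig, installer []byte) (*Manifest, error) {
	if !ed25519.Verify(pinnedKey, manifest, sig) {
		return nil, ErrBadSignature // forged manifest, or re-signed with a non-vendor key
	}
	var m Manifest
	if err := json.Unmarshal(manifest, &m); err != nil {
		return nil, err
	}
	if sum := sha256.Sum256(installer); hex.EncodeToString(sum[:]) != m.InstallerSHA256 {
		return nil, ErrHashMismatch // genuine manifest, but the installer bytes were swapped
	}
	return &m, nil
}

// Demo plays out what a hijacked host can serve: the genuine release, a substituted installer, and a re-signed manifest.
func Demo() (genuine, swapped, forged error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor release key; pub ships inside the client
	installer := []byte("constructed stand-in for the real installer bytes")
	sum := sha256.Sum256(installer)
	manifest, _ := json.Marshal(Manifest{InstallerSHA256: hex.EncodeToString(sum[:])})
	sig := ed25519.Sign(priv, manifest)
	_, genuine = VerifyUpdate(pub, manifest, sig, installer)
	_, swapped = VerifyUpdate(pub, manifest, sig, []byte("substituted installer"))
	_, attackerKey, _ := ed25519.GenerateKey(rand.Reader) // key an attacker could generate or lift from a public repo
	_, forged = VerifyUpdate(pub, manifest, ed25519.Sign(attackerKey, manifest), installer)
	return genuine, swapped, forged
}

func main() { fmt.Println(Demo()) }
```

The scheme only holds if the private key stays off the public repo and off the update host, which is where the HSM suggestion comes in.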

Attribution and “state‑sponsored” claims

  • The project and external researchers label the actor “likely Chinese state‑sponsored”; reactions to that label split:
    • Some accept based on targeting, C2 infrastructure, and the project’s prior Taiwan/Uyghur messaging.
    • Others see as speculative or potentially propagandistic; false‑flag possibilities and lack of shared technical evidence are noted.

Politics in and around software

  • Large subthread debates the Notepad++ maintainer’s history of political release names (Taiwan, Ukraine, Uyghurs):
    • One camp wants tools and documentation to be “apolitical” and resents political messaging in editors and utilities.
    • Another argues software and open source are inherently political (licensing, censorship, surveillance, war) and that using a popular tool as a protest platform is legitimate.
    • Some note that visible political stances can make a project a more tempting target, as here.
  • Meta‑discussion about “no politics”:
    • Some say asking for “no politics” is itself a political stance that favors the status quo and the already‑privileged.
    • Others insist it’s just a preference for topic‑focused spaces and mental respite, not support for any particular side.

Trust, hosting, and alternatives

  • Surprise that such a widely used editor relied on shared hosting and weak updater security; several call this “bound to be compromised” eventually.
  • Mixed reactions to the post’s tone and the closing “fingers crossed”: some appreciate the honesty; others say it undermines confidence and are dropping Notepad++.
  • Alternatives mentioned: Sublime Text, Kate, Gedit, Geany, vim/Neovim, etc.; some will stick with Notepad++, others say the trust is gone.