Probably related to this: https://notepad-plus-plus.org/news/v869-about-taiwan/
> Traffic from certain targeted users was selectively redirected to attacker-controlled served malicious update manifests.
I'd be curious to know if there was any pattern as to which users were targeted, but the post doesn't go into any further detail except to say it was likely a Chinese state-sponsored group.
It looks like using Chocolatey [1] saved me from this attack vector because maintainers hardcode SHA256 checksums (and choco doesn't use WinGuP at all).
I always worry about tools like this, maintained by small teams, that are so universal that even if only a small fraction of installs are somehow co-opted by malicious actors, you have a wide open attack surface on most tech companies.
e.g. iTerm, Cyberduck, editors of all shades, various VSCode extensions, etc.
Wow. I'd love to know more about how the targeted systems were actually compromised.
This is all fascinating, but in the end: I have Notepad++; what should I do?
Vindicated once again for turning off any update checks the moment I install any new piece of software.
Even if this sort of (obviously rare) attack is not a concern, it baffles me how few otherwise-intelligent people fail to see the way these updaters provide the network (which itself is always listening, see Room 641A and friends) with a fingerprint of your specific computer and a way to track its physical location based on the set of software you have installed, all of which want to check for updates every goddamn day.
Can someone help clarify this for me?
Is it correct to say that users would only get the compromised version if they downloaded from the website?
Notepad++ has auto-update feature, is there any indication that updates from the AutoUpdate were compromised?
So what mitigations should the end user be doing? How do we know if anything is compromised?
So the hosting provider was hacked? Who was their hosting provider?
This is also why update signatures should be validated against a different server; it would require hackers to control both servers to go undetected.
Not Notepad++! (Opens WhatsApp) OpenClawd, express my discontent across all my channels and draft an email to send to IT tomorrow morning. Also turn the lights off and go to bed. (Somewhere in China, all the lights go out)
I don't think "we" would have been impacted since this specifically targets the updates, but recently Microsoft pulled Notepad++ from the list of apps we can use on our production management laptops. Some people were annoyed and whining about this. That predated this announcement by a few weeks. Probably the right move by the security folks.
> With these changes and reinforcements, I believe the situation has been fully resolved. Fingers crossed.
I get that this is a difficult situation for a small developer, but ending with this line did not fill me with confidence that the problem is actually resolved, nor make me trust their software on my system.
The article is not very clear.
Which versions were affected, and how can people check if they have the infected version?
Oh interesting, we had an internal mandate not to use Notepad++ come down from on high that was never explained. The timing matches up.
If you update via Winget, you are probably safe.
Winget downloads the installer from GitHub: https://github.com/microsoft/winget-pkgs/blob/master/manifes...
For a while, I've been thinking that open source package portals will at some point take over the making of binaries that get released. Dev teams will run their own CI with whatever automated test pipelines they think are appropriate. In a tests-pass situation, they pass the git hash to the portal system for release, which just runs the compile and makes the binary. Well, not all CI runs would result in a release, of course. Then the package portal's own software kicks in to calculate an independent since-last-release report that's attached alongside the maintainer release notes.
All such portals upgrade their hash/sig noting of binaries, and keep those in a history-retaining merkle tree of sorts. If nothing else, a git repo. Something like this https://github.com/hboutemy/mcmm-yaml/blob/master/aws/sdk/ko... but with SHA256s, and maybe not the entire world on one repo.
Notably Notepad++ was recently shipping unsigned/self-signed updates, apparently overlapping with the time of this incident, see releases 8.8.2-8.8.6: https://notepad-plus-plus.org/news/
I’m on version 8.8.8, which says a lot.
This time I unfortunately have to move on from Notepad++. Vibes have been negative for a while but out of inertia (and because there weren't obvious alternatives) I never pulled the trigger. Now it's time. The trust is gone.
Thanks NP++ for being free and useful for so many years.
Can anyone suggest a solid alternative on Windows? I'm fine with Linux and macOS but I have to keep a Windows machine around for some legacy, win only, software.
Maybe Sublime Text could be an option? At this point I'd rather pay for something lightweight, fast, and probably better.
I don't like tooling that increases my exposure to bad state actors (whatever state they're from).
It's ridiculous that any software developed by any developer on Earth can now claim to have been attacked by hackers supported by a certain country.
Many large companies allow employees to install software from the internet on their work laptops. How do they avoid being regularly hacked this way? (Presumably NPP is far from being the only one at risk, and presumably the money from theft of corporate secrets attracts skilled and motivated hackers.)
That's sad. China should be more helpful with regards to open source.
Notepad++ is a great editor. I don't use it on Linux, because I have an older editor I am very used to, but on Windows I like notepad++ a lot (though lately I have been using geany on Windows, mostly for convenience - I think notepad++ is better but I sort of like the github-based development of geany; either way notepad++ is really excellent as well).
> Additionally, the XML returned by the update server is now singed (XMLDSig)
XMLDSig is notoriously difficult to implement correctly and securely, I hope this doesn't backfire.
What was the impact of being compromised? Were they able to inject code into releases of Notepad++?
Just downloaded NP++ for my new PC.
> Additionally, the XML returned by the update server is now singed (XMLDSig)
The latest and greatest cryptography powering everyone’s favorite SAML-based single-sign on.
I wonder who the targets were/what the malicious binaries did. Assuming some gov related shop + sent the contents of files on the host to attackers.
Would've been good if it named the hosting provider. That's the most informative part.
Why does this read like it was written by a state-sponsored actor?
I've been thinking a lot lately about open source.
It seems to be a lot like communism - sounds great on paper, but we are yet to see a proper implementation.
Between Git, Linux and SQLite there are a few projects that have been led by weirdos who have the time, resources and conviction to drive these through time.
Unless you create some sort of an auxiliary business and get an acquihire deal, most things will fizzle out.
Years ago when I started working for BigCo I was amazed by their denial of FOSS. At one point in the project I pointed out a problem, which was heard and recognized, to which I followed up with a solution using an open source package. I thought I was clever - we needed an extra package in our system, but I was able to find a suitable open source solution that would not add to the overall cost of the project. My proposal was immediately pushed back.
Initially I thought it was due to a responsibility issue - if we'd employ a FOSS solution, we'd be responsible for the outcome. With a 3rd-party vendor, the management would have the opportunity to shield themselves.
But that doesn't have to be the case. The FOSS project could easily fizzle out. And if we don't have enough resources to incorporate it and make it our own, we can potentially risk being left out to dry.
So they say at the provider level update traffic was redirected. Does this also mean their update endpoints didn't do encryption?
Shared hosting for this, really? Fascinating.
What’s a good alternative?
So uhh... what exactly did the "state-sponsored actors" do?
They go on about how their server was compromised, and how the big bad Chinese were definitely behind it, and then claim the "situation has been fully resolved", but there is zero mention of any investigation into what was actually done by the attackers. Why? If I downloaded an installer during the time they were hacked, do I have malware now?
The utter lack of any such information feels bizarre.
Another popular project I can think of to look out for is PuTTY. I'm fond of the 2006 vibe, but GitHub probably has stronger security protections.
How scintilla-ating!
I love Notepad++ but for some reason it always had some kind of political BS going on and I don't appreciate that.
Job well done!
I'm extremely wary about any application pushing politics.
I subscribe to MacPaw, who makes excellent apps like Setapp, Gemini, and CleanMyMac, all of which I use.
At some point, CleanMyMac started putting the Ukrainian flag on the app icon and flagging utilities by any Russian developer as untrustworthy (because they are Russian), and recommended that I uninstall them.
I am not pro-Russia/anti-Ukraine independence by any means, but CleanMyMac is one of those apps that require elevated system permissions. Seeing them engage in software McCarthyism makes me very, very hesitant to provide them.
Well, the update in Notepad++ was the single annoying thing, and I made sure I turned it off as the first thing after the install. It was terribly annoying, interrupting my workflow every so often, so I have no idea how others managed. Why should it decide when to upgrade anyway? It's a notepad! Why should I even bother to upgrade? Everything I need is already there! A piece of software like this one shouldn't be allowed to send out traffic by default anyway; it should be opt-in.
So, let me get this straight. If I've been lazy, postponed updates and I'm still on 8.5.8 (Oct 2023) - it turns out I'm actually...safer?
Anyway, I hope the author can be a bit more specific about what actually has happened to those unlucky enough to have received these malicious updates. And perhaps a tool to e.g. do a checksum of all Notepad++ files, and compare them to the ones of a verified clean install of the user's installed version, would be a start? Though I would assume these malicious updates would be clever enough to rather have dropped and executed additional files, rather than doing something with the Notepad++ binaries themselves.
And I agree with another comment here. With all those spelling mistakes that notification kind of reads like it could have been written by a state-sponsored actor. Not to be (too) paranoid here, but can we be sure that this is the actual author, and that the new version isn't the malicious one?
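As an added example (not code from Notepad++ or from any commenter) tying together two suggestions in this thread, pinning SHA256 checksums the way Chocolatey maintainers do and checksumming an installed copy against a verified clean install of the same version: it builds a path-to-SHA256 manifest from a known-clean directory, compares it with the installed directory, and reports modified, missing and newly dropped-in files, since a tampered update may add files rather than alter the existing binaries. The directory layout and file names used in the demo are constructed for illustration.

```python
"""Baseline-vs-installed integrity check (added example, constructed data)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA256 so large installers do not load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map relative POSIX path -> SHA256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict[str, str], installed: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences; all three lists empty means the install matches the baseline.

    'unexpected' catches files an update dropped in that a hash-only check of the
    known binaries would never look at.
    """
    return {
        "modified": sorted(p for p in baseline if p in installed and baseline[p] != installed[p]),
        "missing": sorted(p for p in baseline if p not in installed),
        "unexpected": sorted(p for p in installed if p not in baseline),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a clean copy and a tampered copy of a tiny install tree."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, dirty = Path(tmp, "clean"), Path(tmp, "dirty")
        for root in (clean, dirty):
            (root / "plugins").mkdir(parents=True)
            (root / "app.exe").write_bytes(b"editor binary (constructed)")
            (root / "plugins" / "tool.dll").write_bytes(b"plugin (constructed)")
        # Simulate a tampered update: one plugin patched, one new file dropped in.
        (dirty / "plugins" / "tool.dll").write_bytes(b"plugin (patched)")
        (dirty / "plugins" / "extra.dll").write_bytes(b"dropped file (constructed)")
        return compare(build_manifest(clean), build_manifest(dirty))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline manifest would come from a clean install of the exact same version (or a published checksum list), stored somewhere the updater cannot write to.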