this post was submitted on 02 Feb 2026
526 points (99.1% liked)

Technology

80503 readers
3838 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
526
Notepad++ Hijacked by State-Sponsored Hackers (notepad-plus-plus.org)
submitted 2 days ago by Beep@lemmus.org to c/technology@lemmy.world
91 comments fedilink hide all child comments
top 50 comments
sorted by: hot top controversial new old
[–] HertzDentalBar@lemmy.blahaj.zone 8 points 1 day ago

This is why I don't update things that don't need updates. Untill I switched to Linux I had been using the same version for like a decade.

Also I'd imagine the American government is doing the exact same shit. Or rather Israel is doing it in behalf of the American government

[–] antlion@lemmy.dbzer0.com 13 points 1 day ago (3 children)

If I recall correctly this is the second time this has happened to N++. Fool me once… can’t get fooled again.

[–] dejected_warp_core@lemmy.world 6 points 1 day ago* (last edited 1 day ago) (1 children)

Three times++, actually. The second attack was documented to have resumed after the third, with different payload URLs.

https://securelist.com/notepad-supply-chain-attack/118708/

[–] antlion@lemmy.dbzer0.com 2 points 16 hours ago

I think I was remembering the CIA Wikileaks one which was a compromised DLL.

[–] cley_faye@lemmy.world 4 points 1 day ago

I've kind of stopped following things up since I left windows, but maybe you're remembering when this actually happened a while ago? This is just some in-progress post-mortem report.

[–] SaharaMaleikuhm@feddit.org 58 points 2 days ago (15 children)

China, Russia, the US, fucking Israel. They all piss me off so fucking much. Can't we live in a sane world just for a single fucking day?

load more comments (15 replies)
[–] bgb_ca@lemmy.ca 22 points 2 days ago (16 children)

And work bosses saw a news story on this and banned the app outright :( can anyone suggest a replacement that is not paid and has features useful for searching lots of large logs files quickly for keywords?

[–] Beyonder_Extreme@lemmy.world 19 points 2 days ago (1 children)

Kate

[–] MadPsyentist@lemmy.nz 5 points 1 day ago

+1 for Kate. I think its ment to be an acronym for KDE Advanced text editor but its a linux program that feels very close to notepad++ and will handle large files with gusto

[–] cley_faye@lemmy.world 2 points 1 day ago (2 children)

Notepad++ installed from any package manager was perfectly fine and safe.

[–] purplemonkeymad@programming.dev 3 points 1 day ago (1 children)

Well those would have included the update checker. So if you installed from a package manager, then let it update when prompted for the new version, you could still have been at risk.

[–] cley_faye@lemmy.world 1 points 22 hours ago

I don't know how most package managers on windows work, but usually, auto updates are disabled by default for software that comes from one. For example, Firefox installed using APT on various linux distro will not auto-update out of it.

I vaguely remember chocolatey packages not really doing that, causing mismatch between installed versions and its internal database, though, so maybe it wasn't that good of a solution.

load more comments (1 replies)
[–] nomecks@lemmy.wtf 2 points 1 day ago

Emacs

[–] helpImTrappedOnline@lemmy.world 7 points 1 day ago

Rename the shortcut to notepad++2?

[–] midas22@lemmy.wtf 1 points 1 day ago

I'm only using Sublime Text and the Notepad that is included with Windows. Not sure exactly what you're looking for.

[–] ohshit604@sh.itjust.works 9 points 2 days ago

VSCodium.

[–] xuteloops@lemmy.zip 1 points 1 day ago

NotepadQQ 😆

[–] mathemachristian@lemmy.blahaj.zone 8 points 2 days ago (1 children)

Emacs

[–] tehn00bi@lemmy.world 5 points 1 day ago* (last edited 1 day ago)

He’s asking for a text editor, not to join a cult. /s

load more comments (8 replies)
[–] Australis13@fedia.io 127 points 2 days ago

Oof. Kudos to Notepad++ for being up front with the details.

[–] HeyJoe@lemmy.world 51 points 2 days ago (3 children)

Yikes... i guess i am confused though. What data was being sent through this channel? What did they get from people while it happened and why did it take 2 months past them stopping it to finally make a release? I love the app, but this sounds really bad.

[–] cley_faye@lemmy.world 2 points 1 day ago

The software itself, and the devs, have little to nothing to do with this besides detecting the issue. Which was not obvious, since (it seems) the attack was targeted at specific IPs/hosts/places. It likely worked transparently without alteration for most users, probably including the devs themselves.

It also would only affects updates through the built-in updater; if you disabled that, and/or installed through some package managers, you would not have been affected.

A disturbing situation indeed. I assume some update regarding having adequately digitally signed updates were done (at least, I hope… I don't really use N++ anymore). But the reality is, some central infrastructure are vulnerable to people with a lot of resources, and actually plugging those holes requires a bit of involvement from the users, depending how far one would go. Even if everything's signed, you have to either know the signatory's public key beforehand or get a certificate that you trust. And that trust is derived from an authority you trust (either automatically through common CA lists, or because you manually added it to your system). And these authorities themselves can become a weak point when a state actor butts in, meaning the only good solution is double checking those certificates with the actual source, and actually blocking everything when they change, which is somewhat tedious… and so on and so on.

Of course, some people do that; when security matters a LOT. But for most people, basic measures should be enough… usually.

[–] elvith@feddit.org 93 points 2 days ago (10 children)

From my understanding: Basically the attackers could reply to your version check request (usually done automatically) and tell N++ that there were a new version available. If you then approved the update dialogue, N++ would download and execute the binary from the update link that the server sent you. But this didn't necessarily need to be a real update, it could have been any binary since neither the answer to the update check nor the download link were verified by N++

load more comments (10 replies)
load more comments (1 replies)
[–] MolochHorridus@lemmy.ml 25 points 2 days ago (5 children)

So should we at least uninstall our current Notepad++ and then download a new version? What else should we do, the post really doesn’t offer any advice.

[–] Kazumara@discuss.tchncs.de 24 points 2 days ago

In the old post from when the update was released a Heise article is linked, that contains indicators of compromise, and in turn links to Kevin Beaumont for the details of his analysis:

https://lemmy.zip/post/54712916
https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html
https://doublepulsar.com/small-numbers-of-notepad-users-reporting-security-woes-371d7a3fd2d9

load more comments (4 replies)
load more comments
view more: next ›