Notepad++ hijacked by state-sponsored actors

notepad-plus-plus.org

2026-02-02

Following the security disclosure published in the v8.8.9 announcement
https://notepad-plus-plus.org/news/v889-released/
the investigation has continued in collaboration with external experts and with the full involvement of my (now former) shared hosting provider.

According to the analysis provided by the security experts, the attack involved infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org. The exact technical mechanism remains under investigation, though the compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself. Traffic from certain targeted users was selectively redirected to attacker-controlled malicious update manifests.

The incident began in June 2025. Multiple independent security researchers have assessed that the threat actor is likely a Chinese state-sponsored group, which would explain the highly selective targeting observed during the campaign.

An incident-response (IR) plan was proposed by the security expert, and I facilitated direct communication between the hosting provider and the IR team. After the IR team engaged with the provider and reviewed the situation, I received the following detailed statement from the provider:

Dear Customer,
We want to further update you following the previous communication with us about your server compromise and further investigation with your incident response team.
We discovered the suspicious events in our logs, which indicate that the server (where your application https://notepad-plus-plus.org/update/getDownloadUrl.php was hosted until the 1st of December, 2025) could have been compromised.
As a precautionary measure, we immediately transferred all clients’ web hosting subscriptions from this server to a new server and continued our further investigation.
Here are the key finding points:
1. The shared hosting server in question was compromised until the 2nd of September, 2025. On this particular date, the server had scheduled maintenance where the kernel and firmware were updated. After this date, we could not identify any similar patterns in logs, and this indicates that bad actors have lost access to the server. We also found no evidence of similar patterns on any other shared hosting servers.
2. Even though the bad actors have lost access to the server from the 2nd of September, 2025, they maintained the credentials of our internal services existing on that server until the 2nd of December, which could have allowed the malicious actors to redirect some of the traffic going to https://notepad-plus-plus.org/getDownloadUrl.php to their own servers and return the updates download URL with compromised updates.
3. Based on our logs, we see no other clients hosted on this particular server being targeted. The bad actors specifically searched for https://notepad-plus-plus.org/ domain with the goal to intercept the traffic to your website, as they might know the then-existing Notepad++ vulnerabilities related to insufficient update verification controls.
4. After concluding our research, the investigated security findings were no longer observed in the web hosting systems from the 2nd of December, 2025, and onwards, as:
* We have fixed vulnerabilities, which could have been used to target Notepad++. In particular, we do have logs indicating that the bad actor tried to re-exploit one of the fixed vulnerabilities; however, the attempt did not succeed after the fix was implemented.
* We have rotated all the credentials that bad actors could have obtained until the 2nd of September, 2025.
* We have checked the logs for similar patterns in all web hosting servers and couldn’t find any evidence of systems being compromised, exploited in a similar way, or data breached.
While we have rotated all the secrets on our end, below you will find the preventive actions you should take to maximize your security. However, if the actions below were already done after the 2nd of December, 2025, nothing further is needed from your side.
* Change credentials for SSH, FTP/SFTP, and MySQL database.
* Review administrator accounts for your WordPress sites (if you have any), change their passwords, and remove unnecessary users.
* Update your WordPress sites (if you have any) plugins, themes, and core version, and turn on automatic updates, if applicable.
We appreciate your cooperation and understanding. Please let us know in case you have any questions.

TL;DR
According to the former hosting provider, the shared hosting server was compromised until September 2, 2025. Even after losing server access, attackers maintained credentials to internal services until December 2, 2025, which allowed them to continue redirecting Notepad++ update traffic to malicious servers. The attackers specifically targeted the Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++. All remediation and security hardening were completed by the provider by December 2, 2025, successfully blocking further attacker activity.

Note on timelines: The security expert’s analysis indicates the attack ceased on November 10, 2025, while the hosting provider’s statement shows potential attacker access until December 2, 2025. Based on both assessments, I estimate the overall compromise period spanned from June through December 2, 2025, when all attacker access was definitively terminated.

To address this severe security issue, the Notepad++ website has been migrated to a new hosting provider with significantly stronger security practices.
Within Notepad++ itself, WinGup (the updater) was enhanced in v8.8.9 to verify both the certificate and the signature of the downloaded installer. Additionally, the XML returned by the update server is now signed (XMLDSig), and the certificate & signature verification will be enforced starting with upcoming v8.9.2, expected in about one month.
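As an added illustration of what "verify both the certificate and the signature" has to mean in practice, here is the same check written as a PowerShell function you can run yourself on a manually downloaded installer. This is example code, not WinGup or any other Notepad++ project code. The installer file name follows the usual release naming and the two expected values are placeholders: the hash comes from the hashes published on the GitHub release page, the thumbprint from an installer you already trust.

```powershell
function Test-TrustedInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256,            # hash published on the GitHub release page
        [Parameter(Mandatory)] [string] $ExpectedSignerThumbprint   # SHA1 thumbprint of the signer you pinned
    )

    # 1. Content check: the file must match the hash published out of band (GitHub release page),
    #    which an attacker who only controls the update server cannot rewrite.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
        return [pscustomobject]@{ Trusted = $false; Reason = "SHA256 mismatch: got $actual" }
    }

    # 2. Signer check. Status 'Valid' only means the signature chains to some trusted CA;
    #    any attacker holding a code-signing certificate passes that test, so the signer
    #    itself has to be pinned as well. That is the "certificate AND signature" point.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Trusted = $false; Reason = "Authenticode status: $($sig.Status)" }
    }
    if ($sig.SignerCertificate.Thumbprint -ne $ExpectedSignerThumbprint.ToUpperInvariant()) {
        return [pscustomobject]@{ Trusted = $false; Reason = "unexpected signer: $($sig.SignerCertificate.Subject)" }
    }

    return [pscustomobject]@{ Trusted = $true; Reason = 'hash and pinned signer both match' }
}

# Usage. File name assumed from the release naming pattern; the two expected values are
# placeholders to fill in from the GitHub release page and from a known-good installer.
$installer = Join-Path $env:TEMP 'npp.8.9.1.Installer.x64.exe'
$result = Test-TrustedInstaller -Path $installer `
    -ExpectedSha256 '<sha256 from the GitHub release page>' `
    -ExpectedSignerThumbprint '<thumbprint read from a known-good installer>'
if (-not $result.Trusted) { throw "Refusing to run $installer : $($result.Reason)" }
Start-Process -FilePath $installer -Wait
```

To obtain the thumbprint to pin, read it once from an installer you trust: `(Get-AuthenticodeSignature .\known-good.exe).SignerCertificate.Thumbprint`. A thumbprint pin will break when the signing certificate is renewed, so in a real updater you either pin the subject and issuer or keep a short list of accepted thumbprints; the property that matters is that the decision is made against a value the update server cannot influence.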

I deeply apologize to all users affected by this hijacking. I recommend downloading v8.9.1 (which includes the relevant security enhancement) and running the installer to update your Notepad++ manually.

With these changes and reinforcements, I believe the situation has been fully resolved. Fingers crossed.

Edit (February 2, 2026): I’ve got a lot of emails requesting IoCs (Indicators of Compromise). I unfortunately do not have any IoCs to share. Our IR team spent a week analyzing roughly 400 GB of server logs provided by the former hosting provider. While signs of an intrusion were identified, no concrete indicators of compromise - such as binary hashes, domains, or IP addresses - were found. We also requested IoCs directly from the former hosting provider, but we were not able to obtain any.

Edit 2 (February 3, 2026, midnight): Last evening I received an email from Ivan Feigl (Rapid7) to share their excellent investigation story - it seems to be the same story, and obviously, they have more tangible information (including IoCs) than I do.

Edit 3 (February 3, 2026 7:55 PM): More technical information & IoCs from Kaspersky: https://securelist.com/notepad-supply-chain-attack/118708/

Edit 4 (February 5, 2026 4:12 AM): IoCs provided by our former hosting provider: please check: Important Clarification: Notepad++ Security Incident



Comments

  • By Saris 2026-02-02 16:37 (4 replies)

    I guess my habit of running a firewall and not allowing programs to access the internet unless they actually need it is helpful for stuff like this.

    Absolutely no reason a text editor needs internet access.

    I only update stuff through winget, which fetches the installer from github in a lot of cases, and changing a package requires a PR to the winget repo AFAIK. Not foolproof of course though.
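A concrete form of the outbound-block approach from the comment above, added here as an example rather than taken from any commenter: block rules for the built-in Windows Firewall, created from an elevated PowerShell. The paths assume the default 64-bit install location. The second entry matters: the update check and download are performed by the separate updater process GUP.exe (WinGup), so a rule on notepad++.exe alone leaves the updater free to talk out.

```powershell
# Default install paths are assumed; adjust if Notepad++ lives elsewhere. Run elevated.
$programs = @(
    'C:\Program Files\Notepad++\notepad++.exe',
    'C:\Program Files\Notepad++\updater\GUP.exe'   # WinGup: the process that actually performs the update check
)

foreach ($exe in $programs) {
    $name = "Block outbound - $(Split-Path $exe -Leaf)"
    # Idempotent: skip rules that already exist
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
    New-NetFirewallRule -DisplayName $name -Direction Outbound -Program $exe `
        -Action Block -Profile Any -Enabled True | Out-Null
}

# Verify: show each rule together with the program it is bound to
Get-NetFirewallRule -DisplayName 'Block outbound - *' | ForEach-Object {
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Program = ($_ | Get-NetFirewallApplicationFilter).Program
        Enabled = $_.Enabled
        Action  = $_.Action
    }
}
```

Windows Firewall evaluates block rules before allow rules, so these take effect even though the default outbound policy is Allow. The trade-off is that the in-app update check and Plugins Admin downloads will fail until you remove or disable the rules for a manual update.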

      • By Pet_Ant 2026-02-02 17:28 (5 replies)

      Checking for updates and pulling in plug-ins. Both are valid.

        • By thegrim000 2026-02-03 3:42 (1 reply)

        As for updates - my OS has a built-in package management system, which is responsible for installing and updating packages. Why should notepad++ bypass that and do its own independent update process?

          • By maronato 2026-02-03 14:43 (1 reply)

          Because other OSs do not and the notepad++ team wants all users to have a similar experience.

          If you don’t need auto updates, just disable them.

          More importantly, notepad++ being able to update itself is not the exploit here. Your OS’ package manager would download the same compromised binary as notepad++’s built in updater.

            • By Saris 2026-02-10 17:02

            What OS doesn't have a package manager now? Windows, Linux, and MacOS all have their own systems.

            On windows, the package manager downloads the release of notepad++ directly from github, so it would not have been compromised. The hijack was done on the notepad++ website at the webhost level as I understand it, and the built in updater pulled from there.

      • By Bender 2026-02-02 18:14

        A browser can download updates and plugins to be installed locally. I too do not want all my apps making internet connections. Sandboxes / namespaces can help a little.

      • By Saris 2026-02-02 19:52

        I think these days updates through the OS package manager are a better option; Windows has had winget for 5+ years now, and obviously Linux and macOS both have their own established systems.

      • By MisterTea 2026-02-02 18:50

        It's because of issues like these that I do not agree with your statement of validity. It's also cheaper code wise to not have these contraptions.

      • By hulitu 2026-02-03 10:57

        > Checking for updates

        Why ? CADT ?

    • By sciencejerk 2026-02-02 19:07 (3 replies)

      LittleSnitch is great for MacOS; it is easily configured to alert you every time your machine makes ip/domain connections, which can then be accepted, denied, or rules made

      • By np1810 2026-02-02 19:43 (3 replies)

        > LittleSnitch is great for MacOS; it is easily configured to alert you every time your machine makes ip/domain connections, which can then be accepted, denied, or rules made

        For an open-source alternative, consider checking out LuLu [0]. It's not as feature-rich, nor does it have as impressive a UI as the former, but it gets the main work done.

        [0] https://github.com/objective-see/LuLu

        • By addandsubtract 2026-02-03 9:12

          It's not open source, but I can also recommend Vallum[0] as a cheaper alternative to LittleSnitch.

          [0] https://www.vallumfirewall.com/

        • By nonamenoslogan 2026-02-02 20:02 (1 reply)

          I use LuLu, it works great. It's kept my older versions of Photoshop and Acrobat from complaining and showing me ads for newer versions for the last couple of years!

        • By XdekHckr 2026-02-03 20:01

          Are you for real using Apple products? Yuh...

      • By TwoNineFive 2026-02-03 7:00

        Binisoft WFC for Windows is a free outbound firewall. It was acquired by MalwareBytes awhile back, but they have not interfered with development so far.

        https://www.binisoft.org/wfc.php

        It has some areas where improvement is needed, but the fundamentals work and the user interface design is decent.

        I am surprised it's not more popular for Windows users. All of the alternatives I've tried have critical issues which made me dismiss them as unserious.

      • By Saris 2026-02-02 19:49

        Yeah I've been using Fort on windows, it's easy to use and not closed source and full of bloat like the commonly suggested windows firewalls from various security companies.

    • By drumttocs8 2026-02-03 20:05 (1 reply)

      Malwarebytes Windows Firewall Control may annoy me sometimes, but this is exactly why I run it.

      • By Saris 2026-02-03 20:36

        It shouldn't! Fort just flashes the tray icon if there's a new connection request and you can click it whenever you want, instead of a popup in your face in the middle of something.

    • By just_testing 2026-02-02 19:02 (2 replies)

      Which firewall software do you use? I should probably start using firewalls in my computers as well...

      • By Saris 2026-02-02 19:48 (2 replies)

        I've been using Fort: https://github.com/tnodir/fort

        It's the best one I found after trying a few, because it's pretty easy to use, and lets me disable notification popups which is a part that always frustrates me about other options.

        • By valbu 2026-02-02 23:20 (2 replies)

          Why am I hearing about that specific FW in year 2026, this seems really good, at least the features written if it really supports rules based on parent processes, wildcards, SvcHost granularity without gotchas. Been wrangling with Windows FW for ages, trying to get some badly behaved programs to update like Discord, Teams and others that change install paths or updater executable names or hiddenly use msedgewebview2. PolicyAppId and tagging based rules have given some success but Windows FW is still really broken. Definitely giving Fort a try.

          • By batat 2026-02-03 13:08

            > A "Core Isolation: Memory Integrity" feature of Windows 10+ prevents creating such memory area (leading to BSOD).

            > We tried to attestation sign the driver via new EV certificate by MS to fix the driver's limitation, but failed (see #108).

            > So for now users have to disable the "Core Isolation: Memory Integrity" feature

            Disabling HVCI doesn't sound like a good idea honestly. I mean they abuse kernel memory protection to bypass EV Certificate restrictions leaving the system in a state where another driver can mess with FW's internal structures using the same trick.

          • By Saris 2026-02-03 0:08

            It's quite good! It definitely deserves to be more popular, I hope it gets some more recognition.

            Wildcards are great, like you said for those apps that change the directory name every single update.

        • By just_testing 2026-02-10 16:57

          Thank you!!

      • By batat 2026-02-03 12:57

        It doesn't matter really because nowadays all of them are just front-ends to Windows Firewall.

        Also legitimate software (i.e. firewall/AV) cannot use "oldschool" tricks like system service descriptor table hooks to obtain godlike privileges these days, while malware sometimes can do this by exploiting vulnerabilities, so in such cases it may be an unequal fight.

  • By edb_123 2026-02-02 4:18 (10 replies)

    So, let me get this straight. If I've been lazy, postponed updates and I'm still on 8.5.8 (Oct 2023) - it turns out I'm actually...safer?

    Anyway, I hope the author can be a bit more specific about what actually has happened to those unlucky enough to have received these malicious updates. And perhaps a tool to e.g. do a checksum of all Notepad++ files, and compare them to the ones of a verified clean install of the user's installed version, would be a start? Though I would assume these malicious updates would be clever enough to rather have dropped and executed additional files, rather than doing something with the Notepad++ binaries themselves.

    And I agree with another comment here. With all those spelling mistakes that notification kind of reads like it could have been written by a state-sponsored actor. Not to be (too) paranoid here, but can we be sure that this is the actual author, and that the new version isn't the malicious one?

    • By hinkley 2026-02-02 4:23 (5 replies)

      This reminds me of college, when some of my professors were still sorting out their curriculum and would give us homework assignments with bugs in it.

      I complained many times that they were enabling my innate procrastination by proving over and over again that starting the homework early meant you would get screwed. Every time I'd wait until the people in the forum started sounding optimistic before even looking at the problem statement.

      I still think I'd like to have a web of trust system where I let my friends try out software updates first before I do, and my relatives let me try them out before they do.

      • By Nition 2026-02-02 5:10 (2 replies)

        Ah, I remember those days. One that wasn't an error exactly was an assignment that had a word limit of 2000 words or something. I'd written maybe 3000 words and spent quite some time cutting it down, getting it to just under the limit. Then someone else who also wrote too many words asked the professor if that was okay and they sent out an update to everyone saying it's fine to ignore the word limit.

        • By whywhywhywhy 2026-02-02 9:34

          You were working within the system of academia, the other student in the system of the real world.

        • By nxpnsv 2026-02-02 5:35 (1 reply)

          So you accidentally learned how to edit a text? Sounds like a win to me…

          • By Nition 2026-02-02 5:40

            That's a nice positive way to view it. I would even say that was probably intended as a feature of the original assignment brief.

      • By skeledrew 2026-02-02 13:58 (2 replies)

        > let my friends try out software updates first before I do

        And who do they let try the software before they do? And so on... Where does it end?

        • By hinkley 2026-02-03 1:30

          There's a few months every year when I'm feeling brave or crazy. We could take turns.

          The thing is that most supply chain attacks are going to hit you when you are least prepared to deal with them, because that's exactly how they get you. When you're distracted.

          Upgrades are deep work, but the commands to start them feel like shallow work.

        • By timbit42 2026-02-02 17:38

          There is always a fresh group of people who haven't learned that lesson yet acting as the guinea pigs.

      • By dec0dedab0de 2026-02-02 15:23 (1 reply)

        They should have just given out extra credit for finding bugs.

        • By QuiEgo 2026-02-02 16:36

          I had a professor who did this. One letter grade bump *after curve* applied per assignment per bug found (reproduce case and fix required).

          Loved that class.

      • By ozim 2026-02-02 5:06 (1 reply)

        For windows updates r/sysadmin has people who run updates and post their experience on patch Tuesday.

        • By Melatonic 2026-02-02 6:54

          You can delay by a week or two very easily and automatically as well

      • By greazy 2026-02-02 9:49 (1 reply)

        I work in a lab as an analyst (bioinformatician), we register and pay for quality assurance programs that contain an embarrassing about of technical errors.

        • By wiether 2026-02-02 10:03 (3 replies)

          > an embarrassing about of technical errors

          amount? ;)

          • By hinkley 2026-02-03 1:31

            Autocorrect makes us all sound like jackasses these days. Have some pity.

          • By greazy 2026-02-05 22:35

            Haha I laughed after reading your comment and mine.

            Yep auto correct got me good.

          • By Gander5739 2026-02-02 10:11

            Number?

    • By tasuki 2026-02-02 7:21 (2 replies)

      > So, let me get this straight. If I've been lazy, postponed updates and I'm still on 8.5.8 (Oct 2023) - it turns out I'm actually...safer?

      Is this surprising? My model is that keeping with the new versions is generally more dangerous than sticking with an old version, unless that old version has specific known and exploitable vulnerabilities.

      • By illiac786 2026-02-02 7:34 (5 replies)

        Yes, it is very much atypical. Most hacks happen because admins still haven’t applied a 2-year-old patch. I hate updates, but it‘s statistically safer than running an old software version. Try exposing a Windows XP machine to the internet and watch how long it takes before it‘s hacked.

        • By card_zero 2026-02-02 7:48 (3 replies)

          Debatable. "I connected Windows XP to the Internet; it was fine" - https://news.ycombinator.com/item?id=40528117

          One comment there points out that XP is old enough for infected attack vectors to have all died out. I dunno.

          • By expedition32 2026-02-02 11:42 (1 reply)

            Anyone else noticed that we don't even GET patch notes anymore?

            "Fixed some bugs" Yes thank you very helpful that! Now I can make a very informed decision.

            • By latexr 2026-02-02 20:42 (1 reply)

              I hate that. “Bug fixes and improvements” every time. And then there are the ones who think they’re being cute with “our bird Fernando has been hard at work eating those nasty bugs and flying over the rainbow to bring you an ever delightful experience”. Just, no. I don’t mind you flexing some creative writing muscles in your release notes if you provide actual clear information, but if you’re going to say nothing like everyone else, might as well use the same standard useless message so I can dismiss it quick.

              • By Breza 2026-02-06 14:36

                Yes! Mobile apps are the worst about this. As a rule, I don't update any apps unless I have a clear reason to do so.

          • By bigfatkitten 2026-02-02 8:34

            I experienced this first hand in 2014. We got to a point where drive-by exploit kits just weren’t shipping IE8, Java 6 or Windows XP payloads anymore.

          • By illiac786 2026-02-02 8:09 (1 reply)

            https://www.tomshardware.com/software/windows/idle-windows-x...

            But good we are talking about my point rather than the example.

            • By badsectoracula 2026-02-02 9:02 (2 replies)

              > YouTuber Eric Parker demonstrated in a recent video how dangerous it is to connect classic Windows operating systems

              The video referenced in that article explicitly connects directly to the internet, using a VPN to bypass any ISP and router protections and most importantly disables any protections WinXP itself has.

              So yeah, if you really go out of your way to disable all security protections, you may have a problem.

              • By conorcleary 2026-02-02 11:06

                Like leaving the lid off of my typewriter at lunchtime :-o

              • By illiac786 2026-02-02 17:54

                That’s still the example, not my point.

                My point is, statistically, it is more secure to install updates as fast as possible.

                We can take another example: search for “shitrix”, there’s thousands more CVEs out there to use as example.

        • By thegrim000 2026-02-03 3:44 (1 reply)

          You assume that the old software version has critical vulnerabilities. If it does not, then yes, updating is more of a risk since the new versions are unknowns.

          • By illiac786 2026-02-03 3:48

            My assumption is statistical. All software has critical vulnerabilities, not just the old ones. It’s just that these vulnerabilities are known, in the case of the old ones, which significantly increases the risk.

        • By pibaker 2026-02-02 22:11

          To be fair I doubt there are that many people scanning for internet facing XPs in 2026.

          On the other hand, any server running old, unpatched versions of apache or similar will get picked up by script kiddies scanning for publicly known vulns very, very fast.

          The notepad++ attack is politically targeted and done through unconventional channels (compromise in the hosting provider). I don't think 99% of the people reading this thread have a comparable threat model.

        • By tasuki 2026-02-02 14:01 (1 reply)

          I don't know about Windows, but I've been running all kinds of outdated Linux (Debian mostly) and it never once caused a security problem.

          • By pxc 2026-02-02 14:46

            Debian backports security patches.

        • By bulbar 2026-02-02 17:20

          It depends if the application itself touches the Internet or only when conducting updates.

          The threat model for a server and for a personal computer are very different. On a consumer device, typically only the OS mail app and browser have direct contact with the outside world.

      • By slumberlust 2026-02-02 12:23

        Steve from the Security Now podcast has been specifically using Notepad++ as an example of not being able to leave good enough alone for years now. Can't wait to hear him claim his "told you so" next week.

        Love notepad++ and will continue to use it.

    • By FatalLogic 2026-02-02 6:10 (2 replies)

      >I'm still on 8.5.8 (Oct 2023) - it turns out I'm actually...safer?

      The Notepad++ site says the incident began in June 2025.

      On their downloads page, 8.8.2 was the first update in June 2025 (the previous update 8.8.1 was released 2025-05-05)

      So, if your installed version is 8.8.1 or lower, then you should be safe. Assuming that they're right about when the incident began.

      edit: Notepad++ has published, on Github, SHA256 hashes of all the binaries for all download versions, which should let users check if they were targeted, if they still have the downloaded file. 8.8.1 is here, for example - https://github.com/notepad-plus-plus/notepad-plus-plus/relea...

      • By JoystickX02 2026-02-02 12:00

        Just checked my 8.7.9 that I installed in April 2025 and never updated. The hash seems to be identical to the version I installed around that time. Seems like it was a good choice to always skip the Update Dialog when using Notepad++ lol.

      • By z3t4 2026-02-02 7:54

        Older download links don't seem to work!?

    • By 1vuio0pswjnm7 2026-02-02 15:17

      "So, let me get this straight. If I've been lazy, postponed updates and I'm still on 8.5.8 (Oct 2023) - it turns out I'm actually...safer?"

      This is true for a large number of software "security" issues

      A software version earlier in date/time is not necessarily inferior (or superior) to a version later in date/time

      As it is "updated" or rewritten, software can become worse instead of better, or vice versa, for a variety of reasons

      Checking software's release date, or enabling/allowing "automatic updates" is not a substitute for reading source code and evaluating software on the merits

    • By otherme123 2026-02-02 6:44 (1 reply)

      > And perhaps a tool to e.g. do a checksum of all Notepad++ files, and compare them to the ones of a verified clean install of the user's installed version, would be a start?

      Did I understand the attack wrongly? The software could have a 100% correct checksum, because the attack happened in a remote machine that deals with call home events from Notepad++, I guess one of those "Telemetry" add-ons. The attackers did a MITM to Notepad++ traffic.

      • By tempestn 2026-02-02 7:08 (1 reply)

        The remote machine that was compromised was responsible for Notepad++ updates, so the concern is that it could cause a compromised version of the software to be installed. But if it could do that, it could probably cause anything to be installed anywhere on the user's machine, so inspecting the installed N++ binary probably wouldn't be too useful.

        • By 7bit 2026-02-02 11:51

          Checksums are useless in this case. The binary would have to be signed and the installation routine would have to check that the new binary would have been signed with the certificate. That adds complexity, but would have thwarted this specific attempt.

          However, there are ways around this, too. No solution is perfect.

    • By bulbar 2026-02-02 17:12

      I disable auto update for everything that does not have direct contact with the Internet otherwise (mail app, browser, OS, router,...). Probability for some random app being exploited because updates were skipped is insignificant compared to the probability of a malicious update.

      Updates are a direct connection from the Internet to your computer. You want to minimize that.

      Just do a manual update from time to time.

    • By jollyllama 2026-02-04 16:19

      Yes, of course you're safer. If your system is working as desired, updates can only break it. This is just Engineering 101, but for whatever reason, all logic is abandoned on the topic of security updates.

    • By user3939382 2026-02-02 5:33

      If there’s anything I’ve learned from IBM, Red Hat, and CentOS, it’s that bleeding edge is actually what I’m supposed to want.

    • By FpUser 2026-02-02 5:56 (1 reply)

      8.4.7 here. phew

      • By topspin 2026-02-02 6:02

        8.5.7 here (built Sept 6, 2023)

        Now I need to worry about this one. I've been anxious about vscode lately: apparently vscode extensions are a dumpster fire of compromises.

    • By beached_whale 2026-02-02 15:50

      lol, im on 7.3.x for extra safety

  • By Helmut10001 2026-02-02 4:57 (1 reply)

    It looks like using Chocolatey [1] saved me from this attack vector because maintainers hardcode SHA256 checksums (and choco doesn't use WinGup at all).

    [1]: https://chocolatey.org/

HackerNews