Notepad++ Compromised By State Actor (notepad-plus-plus.org)
- Reference: 0180721472
- News link: https://it.slashdot.org/story/26/02/02/1646253/notepad-compromised-by-state-actor
- Source link: https://notepad-plus-plus.org/news/hijacked-incident-info-update/
> Notepad++ claims to have been targeted by a state actor, given their previous stance on Uyghurs one can speculate about a candidate.
Notepad++, [2]in a blog post:
> According to the analysis provided by the security experts, the attack involved infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org. The exact technical mechanism remains under investigation, though the compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself. Traffic from certain targeted users was selectively redirected to attacker-controlled served malicious update manifests.
[1] https://slashdot.org/~Luthair
[2] https://notepad-plus-plus.org/news/hijacked-incident-info-update/
Oh my! (Score:1)
At least it wasn't the MS app this time.
Intolerable state of affairs (Score:5, Insightful)
China already gets its way in forcing Hollywood and other big industries to self-censor on its behalf, down to the individual level (e.g. sanctioning NBA teams if their members made a post in solidarity with the oppressed in Hong Kong).
But even when you have no business with China you still have to worry about what will happen to your business if you acknowledge their persistent genocide of the Uighurs?
This isn't a situation to passively accept.
Re: (Score:1)
It's really creative of the Chicoms to crack what is really a glorified text editor
That said, it would be nice if companies reverted from virtue signaling to becoming amoral i.e. not making value judgements and having just one mission - selling/popularizing their products. While Notepad++ may be justified in this case, there are a lot of cases where they'd risk alienating half their customer base - not good for business. One time when I had a sales gig, one thing we were taught: never discuss politics o
Re: (Score:2)
Well, that's the wise traditional rule - don't discuss politics or religion in polite company.
Which I suppose means /. is not polite company.
Re: Intolerable state of affairs (Score:2)
Or with family, which in my case is passive-aggressive-polite-but-wanting-to-kill-you-if-you-dont-acknowledge-that-trump-is-the-second-coming.
Re: (Score:2)
Can confirm. Am not polite.
Re: (Score:2)
I would be fine with this if massive corporations and the oligarchs that own them would also halt all political speech, donations, funding dark money PACs, etc. Unfortunately, that is never going to happen.
Re: (Score:2)
Why would you want to deny someone their right to speak about politics? Rich or poor, it is wrong to deny someone their rights.
Re: (Score:1)
I didn't say that the government should silence anyone. unixisc said "...it would be nice if companies reverted from virtue signaling to becoming amoral i.e. not making value judgements and having just one mission - selling/popularizing their products." and I said I would be fine with that as long as it doesn't just apply to mom & pop software companies like Notepad++ and also applies to giant corporations and the billionaire oligarchs that own them.
Re: (Score:2, Insightful)
Failure to take an overt stance on political issues isn't "apolitical". It's just aligning yourself with the politics of the status quo.
Re: (Score:2)
That "EVERYTHING MUST BE POLITICAL!" attitude is why the West is descending into a war of all against all.
Re: (Score:3)
So am I to understand you're overtly coming out against the politics of the "everything must be political" attitude? Interesting.
Re: (Score:2)
No, it's not. If someone says "I neither know nor care about this issue", that doesn't put that person on one side of that issue, or the other.
Re: (Score:2)
> While Notepad++ may be justified in this case, there are a lot of cases where they'd risk alienating half their customer base - not good for business.
What business is that, pray-tell?
Re: (Score:2)
The business of wanting more people to use their software, presumably
Re: (Score:2)
I have a lot of software on github.
I've even got some code in the linux kernel.
I'm not in any business of "trying to get people to use my [ fucking free ] software."
I will not be silenced because you are upset that my software, that you find useful, was written by a person who will not be silent. Get the fuck over yourself.
Re: (Score:2)
China isn't forcing Hollywood to do anything. The movie execs suddenly realized a billion potential customers live there and cater to the market. It's business as usual.
Re: (Score:2)
Ya, I never understood how this was hard for people to grasp.
Kowtowing to China is literally just good capitalist sense. The dripping irony of people being upset by that is just bonus.
Re: (Score:1)
Why would you acknowledge something that is a USA media myth?
In China you get executed for serious crimes, like rape, murder, forced prostitution, kidnapping and hard cases of corruption.
No one is genociding a minority that is living in their own nearly completely sovereign sub state - only a retard would believe that.
Re: (Score:2)
Genocide is a bit of a stretch, but if you look at it sideways, it's also not far from the early signs of such intent.
Complaining about the use of that word is valid. However, you went above and beyond and fed us a pile of CCP apologetic horse-shit, and you should be ashamed of yourself for that.
A German denying a modern-day early holocaust isn't a good look.
[1]Educate yourself. [wikipedia.org]
[1] https://en.wikipedia.org/wiki/Xinjiang_internment_camps
How do we know ? (Score:2)
How do we know the site is not still hacked, and the blog message there does not contain a link to a compromised install file?
Re: (Score:2)
It links to github repository. That hasn't been hacked according to the statement.
Re: (Score:3)
"That hasn't been hacked *according to the statement.*"
See what you did there?
Re: (Score:2)
I do. That's why I also advocate for better messaging in this very thread.
But it's the best knowledge we have.
Re: (Score:1)
Very fair point. Tools should not be treated as vehicles for political statements. Nobody benefits from it. Whoever inserted the politics gets to feel (falsely) like they did something of value by stating their opinion in a place where opinions do not belong, and that's it.
Despite my agreement with the sentiment, I always thought it was improper for NP++ to take a side.
Ineffective statements don't draw attacks (Score:2)
If someone was offended enough by it to launch a cyberattack, then it very likely DID have an effect. It is very difficult to spread any kind of message in China that is not explicitly approved by the government. If the author (who charges nothing for this software) wants to use his small bit of influence to get a message out, that's his right. If you don't like it, that's your right too. You're free to use any software you wish.
Re: (Score:2)
The developer of Notepad++ has always used it as a platform for anti-PRC messages, though. If you don't agree with that kind of activism, maybe you shouldn't use it?
Re: (Score:2)
I would do that *if I was a mindless idiot who chose their text editor based on the fucking text editor's political position*.
But come on, there isn't anyone that stupid on Slashdot.
Is there?
Re: (Score:2)
Your text editor is written by a person. A person has opinions.
If you don't like it, you can ask for a refund of $0 for what you paid for it, fuckstain.
Re: (Score:2)
Completely agree! Yet somehow, this concept is hard for /.ers to understand
calling home (Score:2)
Maybe if your software did not call home you wouldn't have a problem with people hijacking those calls.
Re: (Score:2)
Right, because if you have to click or type links to get to the software update page, that's a lot safer.
Re:calling home (Score:4, Insightful)
> Maybe if your software did not call home you wouldn't have a problem with people hijacking those calls.
Notepad++ was "calling home" to check if an updated version was available. It would "call home" automatically if you had the auto-updater enabled, or if you didn't have the auto-updater enabled, it would "call home" when you clicked the button to check for updates.
So what exactly is your issue with that behavior? If you don't think an application should "call home" to check for new versions, where exactly do you think it SHOULD check?
Re: (Score:3)
> Notepad++ was "calling home" to check if an updated version was available. It would "call home" automatically if you had the auto-updater enabled, or if you didn't have the auto-updater enabled, it would "call home" when you clicked the button to check for updates.
> So what exactly is your issue with that behavior? If you don't think an application should "call home" to check for new versions, where exactly do you think it SHOULD check?
Software should never call home and certainly not itself check for or install updates of itself. Users should perform these tasks as necessary OOB from application software.
People are creating massive houses of cards with these continuous automated updates that cost the vendor nothing but which continuously expose users to unwanted changes, bugs and security risk.
Re: (Score:2)
I don't agree, but a different method might have been better.
The main problem with the method used was a total lack of security. The obvious strategy would be to:
1. Force a secure connection where Notepad++ creates a tunnel using a public/private key pair, the public key being in Notepad++. This ensures that you're connecting to who you think you're connecting to. The download machine should not be directly on the Internet, nor should it be the webserver, it should be reached via a DMZed proxy where the pro
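The signed-manifest idea sketched in the comment above (a publisher public key pinned in the client, with the installer's hash bound to the signed manifest), as an added Go example; this is neither Notepad++'s updater nor any poster's code. The manifest format, version string, URLs and installer bytes are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Manifest is a constructed update-manifest format (an assumption, not Notepad++'s own).
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"` // hex digest of the installer bytes
}

// VerifyManifest is the client side. The public key is pinned in the binary and the signing
// key stays off the web host, so a manifest rewritten in transit or served by a redirected
// host fails here no matter which server answered the update check.
func VerifyManifest(pinned ed25519.PublicKey, payload, sig []byte) (*Manifest, error) {
	if !ed25519.Verify(pinned, payload, sig) {
		return nil, fmt.Errorf("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := json.Unmarshal(payload, &m); err != nil {
		return nil, err
	}
	return &m, nil
}

// VerifyInstaller binds the downloaded bytes to the digest in the verified manifest.
func VerifyInstaller(m *Manifest, installer []byte) error {
	if sum := sha256.Sum256(installer); hex.EncodeToString(sum[:]) != m.SHA256 {
		return fmt.Errorf("installer hash mismatch for %s", m.URL)
	}
	return nil
}

// Scenario: genuine manifest accepted; manifest with rewritten URL (same signature) rejected; swapped installer rejected.
func Scenario() (genuineOK, tamperedRejected, swapRejected bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // publisher key pair, generated here only for the demo
	good := []byte("constructed installer bytes")
	sum := sha256.Sum256(good)
	payload, _ := json.Marshal(Manifest{"9.9.9", "https://example.invalid/npp.exe", hex.EncodeToString(sum[:])})
	sig := ed25519.Sign(priv, payload)
	m, err := VerifyManifest(pub, payload, sig)
	genuineOK = err == nil && VerifyInstaller(m, good) == nil
	rewritten := []byte(`{"version":"9.9.9","url":"https://attacker.invalid/npp.exe","sha256":"00"}`)
	_, err = VerifyManifest(pub, rewritten, sig) // redirected host serves its own manifest bytes
	tamperedRejected = err != nil
	swapRejected = VerifyInstaller(m, []byte("not the bytes that were signed")) != nil
	return
}
```

Note that TLS to the right hostname alone does not give this property: a compromised hosting provider terminates TLS legitimately, which is why the signing key has to live somewhere the web host cannot reach.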
Re: (Score:2)
And the call mechanism was hijacked and used against users. Great stuff. If it didn't call home... I could still check for updates myself, and download them myself, and install them myself, just like I did the first time.
Re: (Score:2)
I am not the OP, but perhaps each vendor should not have to architect this function, since it is such a high security risk. Instead, use infrastructure like apt, yum, chocolatey, Windows Update, Steam, etc.
Re: (Score:3)
Go to the [1]source [notepad-plus-plus.org], read the revision history.
[2] previously [theregister.com]
[1] https://notepad-plus-plus.org/news/
[2] https://www.theregister.com/2019/10/31/notepad_china_spam/
Uyghurs again? (Score:1)
The Gaza genocide is over so we can without utter hypocrisy bring back the Uyghur genocide for geopolitical propaganda? Hold on not so fast. First of all the Uyghur genocide was *ethnic* genocide - with no, or few, people actually being killed. Second, even with the Gaza 'ceasefire' in place the killing is still going on: [1]https://www.youtube.com/watch?... [youtube.com] And little aid is getting in: [2]https://www.aljazeera.com/news... [aljazeera.com]
Looks like the notepad++ community also mentioned this Complete silence on Gaza and the t
[1] https://www.youtube.com/watch?v=Sw-7m75tIFg
[2] https://www.aljazeera.com/news/2025/12/30/israel-says-it-will-halt-operations-of-several-ngos-in-gaza
Re: (Score:1)
> First of all the Uyghur genocide was *ethnic* genocide - with no, or few, people actually being killed.
Were the organs being harvested unneeded spares? I guess Uyghurs don't need hearts or lungs or such.
Employer blocked it months ago... (Score:2)
My employer blocked NP++ several months ago company-wide, had everyone thinking what kind of security risk a simple text editor could actually expose... now we know.
Title (Score:4, Informative)
Notepad-plus-plus.org was compromised. Or Notepad++ website was compromised for brevity's sake.
Re: (Score:2, Insightful)
Came to say this. This title is sloppy at best, and misleading click-bait at worst.
Re:Title (Score:5, Interesting)
It's a little more than just a compromised website. NP++ is the #1 text editor, and malicious actors were able to redirect update requests. It's a very serious supply-chain attack. I have a tab in mine that's just passwords and API keys. Bad and very sloppy practice? Yes, but I did it anyway and shudder to think what may have happened if Chinese hackers were able to work out which keys had value for them.
I have now cleaned that up.
Re: (Score:1, Insightful)
Oh shut the fuck up you neckbearded butt humper.
Re: (Score:2)
> NP++ is the #1 text editor
The vi & emacs folks would like a word.
I prefer nano.
Re: (Score:2)
Emacs is an OS with built-in editor.
Vi is psychological warfare, but I'm insane enough to actually like it.
Re: (Score:2)
If you liked VI's madness... you'll LOVE TECO's!
Re:Title (Score:5, Informative)
> Or Notepad++ website was compromised for brevity's sake.
No. That would be a very inadequate way of describing what was actually a targeted supply-chain attack.
Re: Title (Score:2)
Dipshit, Notepad++ has zero affiliation with Windows, and this vulnerability was part of Notepad++'s server infrastructure.
Re: (Score:2)
Reading the whole announcement, this doesn't seem entirely correct.
> According to the former hosting provider, the shared hosting server was compromised until September 2, 2025. Even after losing server access, attackers maintained credentials to internal services until December 2, 2025, which allowed them to continue redirecting Notepad++ update traffic to malicious servers.
I.e. it seems that this specifically redirected updater traffic, even after website was supposedly fine. Considering that website li
Re: (Score:2)
> I rather wish notepad++ author would spend more time being precise in this sort of thing that actually impacts his user base over making sweeping political statements on things and then not give any fucks about state actors he pisses off attacking his user base.
Damn straight. Software engineers aren't humans, they're not allowed to have political opinions (like wars of aggression are bad- so political), and they should just shut the fuck up and keep providing and working on their free software.
Your sense of entitlement is amusing.
Re: (Score:2)
They can have their opinions. Just don't make it an official part of the organization's stance that they're working on. Previously, they at least had the sense to carry disclaimers, like "My opinions are my own and not that of my employer"
These days, every software project has opinions, thereby turning off those who don't share them
Re: (Score:2)
> They can have their opinions. Just don't make it an official part of the organization's stance that they're working on. Previously, they at least had the sense to carry disclaimers, like "My opinions are my own and not that of my employer"
What fucking employer are you talking about? Don Ho is a guy. Who writes Notepad++. He is the organization.
This isn't some guy working for Microsoft. This is some guy's pet project software. His political opinions come with this software he writes, and gives to you to use and modify, for free.
Did you seriously not know that, or are you a fucking bot?
Re: (Score:2)
You can have all opinions you want.
But don't make them an integral part of the product. Notepad++ has had explicit political messaging within the software for a long time.
If you do that, and you don't harden infrastructure to guard your userbase against obvious retaliations like this one, you're at fault.
Re: (Score:2)
Notepad++ is free software, written by a guy named Don Ho, who has political opinions, and doesn't give a fuck if you are turned off from using that free software.
Perhaps you should ask him for a refund.
You're victim-blaming here, because I happen to know, since I can read, that you are very much opposed to them politically.
Really, you should probably consider this a risk of any auto-updating software.
Re: (Score:2)
I don't give a fuck about his political opinions, because I don't look at the contents of relevant files.
Don Ho was not a victim in this attack. His users were. He didn't get fucked by Chinese malware. People related to Uighur movement who installed or updated his software while update was hijacked were.
Don Ho was one who instigated the attack on them for internet clout. They are the ones who paid the price. He was exceedingly negligent and that likely got them exposed to a targeted Chinese intelligence ope
Re: (Score:2)
> I don't give a fuck about his political opinions, because I don't look at the contents of relevant files.
Ya, you're a liar.
> Don Ho was not a victim in this attack. His users were. He didn't get fucked by Chinese malware. People related to Uighur movement who installed or updated his software while update was hijacked were.
This is some truly stupid logic.
He was affected, and his users were affected, as a result of him being affected.
> Don Ho was one who instigated the attack on them for internet clout. They are the ones who paid the price. He was exceedingly negligent and that likely got them exposed to a targeted Chinese intelligence operation.
Do you think the author of free software has a duty to everyone who uses their software?
I'm going to reference you to the GPL, at this point.
> EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
> HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
> OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
> THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
> PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
> IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
> ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
Seriously- go fuck yourself, you entitled piece of shit.