Notepad++ hijacked by state-sponsored actors
notepad-plus-plus.org | 614 points by mysterydip 6 hours ago
So, let me get this straight. If I've been lazy, postponed updates and I'm still on 8.5.8 (Oct 2023) - it turns out I'm actually...safer?
Anyway, I hope the author can be a bit more specific about what actually has happened to those unlucky enough to have received these malicious updates. And perhaps a tool to e.g. do a checksum of all Notepad++ files, and compare them to the ones of a verified clean install of the user's installed version, would be a start? Though I would assume these malicious updates would be clever enough to rather have dropped and executed additional files, rather than doing something with the Notepad++ binaries themselves.
And I agree with another comment here. With all those spelling mistakes that notification kind of reads like it could have been written by a state-sponsored actor. Not to be (too) paranoid here, but can we be sure that this is the actual author, and that the new version isn't the malicious one?
This reminds me of college, when some of my professors were still sorting out their curriculum and would give us homework assignments with bugs in them.
I complained many times that they were enabling my innate procrastination by proving over and over again that starting the homework early meant you would get screwed. Every time I'd wait until the people in the forum started sounding optimistic before even looking at the problem statement.
I still think I'd like to have a web of trust system where I let my friends try out software updates first before I do, and my relatives let me try them out before they do.
Ah, I remember those days. One that wasn't an error exactly was an assignment that had a word limit of 2000 words or something. I'd written maybe 3000 words and spent quite some time cutting it down, getting it to just under the limit. Then someone else who also wrote too many words asked the professor if that was okay and they sent out an update to everyone saying it's fine to ignore the word limit.
So you accidentally learned how to edit a text? Sounds like a win to me…
That's a nice positive way to view it. I would even say that was probably intended as a feature of the original assignment brief.
For Windows updates, r/sysadmin has people who run updates and post their experience on Patch Tuesday.
> So, let me get this straight. If I've been lazy, postponed updates and I'm still on 8.5.8 (Oct 2023) - it turns out I'm actually...safer?
Is this surprising? My model is that keeping with the new versions is generally more dangerous than sticking with an old version, unless that old version has specific known and exploitable vulnerabilities.
Yes, it is very much atypical. Most hacks happen because admins still haven’t applied a 2-year-old patch. I hate updates, but it's statistically safer than running an old software version. Try exposing a Windows XP to the internet and watch how long it takes before it's hacked.
Debatable. "I connected Windows XP to the Internet; it was fine" - https://news.ycombinator.com/item?id=40528117
One comment there points out that XP is old enough for infected attack vectors to have all died out. I dunno.
https://www.tomshardware.com/software/windows/idle-windows-x...
But good we are talking about my point rather than the example.
>I'm still on 8.5.8 (Oct 2023) - it turns out I'm actually...safer?
Notepad++ site says The incident began from June 2025.
On their downloads page, 8.8.2 was the first update in June 2025 (the previous update 8.8.1 was released 2025-05-05).
So, if your installed version is 8.8.1 or lower, then you should be safe. Assuming that they're right about when the incident began.
edit: Notepad++ has published, on GitHub, SHA256 hashes of all the binaries for all download versions, which should let users check if they were targeted, if they still have the downloaded file. 8.8.1 is here, for example - https://github.com/notepad-plus-plus/notepad-plus-plus/relea...
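Added example, not part of any commenter's post and not Notepad++ project code: one way to check installer files you still have against a published SHA-256 list. It assumes the list uses `<hex digest>  <filename>` lines (the `sha256sum` convention); the file names and contents below are constructed stand-ins, not real releases.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Assumed list format: "<64 hex chars>  <filename>" per line (sha256sum style).
_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")


def parse_checksum_list(text):
    """Return {filename: lowercase hex digest}; non-matching lines are skipped."""
    published = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            published[m.group(2).strip()] = m.group(1).lower()
    return published


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large installers are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def check_downloads(directory, published, pattern="npp.*"):
    """Classify each matching file as 'match', 'MISMATCH' or 'not-listed'."""
    results = {}
    for path in sorted(Path(directory).glob(pattern)):
        if not path.is_file():
            continue
        expected = published.get(path.name)
        if expected is None:
            # No published digest for this name: cannot be judged either way.
            results[path.name] = "not-listed"
        elif hmac.compare_digest(sha256_file(path), expected):
            results[path.name] = "match"
        else:
            results[path.name] = "MISMATCH"
    return results


def demo():
    """Run the check over constructed sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        good = b"constructed installer bytes A"
        (Path(tmp) / "npp.sample-a.Installer.exe").write_bytes(good)
        # Same name as a listed build, different bytes: should be flagged.
        (Path(tmp) / "npp.sample-b.Installer.exe").write_bytes(b"altered bytes")
        # A file whose name does not appear in the published list.
        (Path(tmp) / "npp.sample-c.Installer.exe").write_bytes(b"unlisted build")
        listing = (
            "SHA-256 digests (constructed sample list)\n"
            f"{hashlib.sha256(good).hexdigest()}  npp.sample-a.Installer.exe\n"
            f"{hashlib.sha256(b'constructed installer bytes B').hexdigest()}"
            "  npp.sample-b.Installer.exe\n"
        )
        return check_downloads(tmp, parse_checksum_list(listing))


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:10}  {name}")
```

A match only says the installer file you kept is the published one; as other comments in the thread point out, it says nothing about files an update may have dropped elsewhere on the machine.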
> And perhaps a tool to e.g. do a checksum of all Notepad++ files, and compare them to the ones of a verified clean install of the user's installed version, would be a start?
Did I understand the attack wrongly? The software could have a 100% correct checksum, because the attack happened in a remote machine that deals with call home events from Notepad++, I guess one of those "Telemetry" add-ons. The attackers did a MITM to Notepad++ traffic.
The remote machine that was compromised was responsible for Notepad++ updates, so the concern is that it could cause a compromised version of the software to be installed. But if it could do that, it could probably cause anything to be installed anywhere on the user's machine, so inspecting the installed N++ binary probably wouldn't be too useful.
8.4.7 here. phew
8.5.7 here (built Sept 6, 2023)
Now I need to worry about this one. I've been anxious about vscode lately: apparently vscode extensions are a dumpster fire of compromises.
If there’s anything I’ve learned from IBM, Red Hat, and CentOS, it’s that bleeding edge is actually what I’m supposed to want.
Probably related to this: https://notepad-plus-plus.org/news/v869-about-taiwan/
Yeah, Notepad++ is known for political messaging in their updates. Taiwan, Ukraine, etc.
Probably the real motive.
“ The incident began from June 2025. Multiple independaent security researchers have assessed that the threat acotor is likely a Chinese state-sponsored group, which would explain the highly selective targeting obseved during the campaign.”
How do they know it was a Chinese group or even a state sponsored one?
By analyzing payloads / C2 address, etc...
Yeah because a state level actor would be completely incapable of false attribution.
I can't help but feel there must be some better venue for such messaging.
When I see politics in software updates or documentation, nothing happens because I'm not looking to use the software for political activism. Maybe I tell my adblocker to remove the messaging, and carry on with my task.
I can engage with politics in a social context, when political messaging isn't interrupting something else I'm doing; that's a better place for activism, IMHO.
I almost always see activists using the argument that if I don't like the messaging then I'm part of the problem. Somehow I doubt that, given I don't mind messaging at all, where it's appropriate.
Similar comments also come up in the [now regular] "I don't want to see political articles on HN" threads, and I think the response is similar: Asking for "no politics" is itself a strong political view: One in support/service of whatever the current status quo is. Trying to set oneself apart from (or above) politics is itself political. If you're lucky enough to be one of the fortunate people on earth who are not under attack by political forces or who benefit from status quo politics, I'd encourage you to simply reflect on that good luck and try to ignore the "politics" that others are deeply affected by and care about.
I partially agree, but as a non-US user of the English speaking internet, the issue is with specifically US politics and social issues being everywhere. It drowns out all attempts at discourse for anything else, and Americans, including people here, seem uniquely incapable of nuance in their thinking when it comes to politics.
So, while I fully agree with your stance that banning political discourse is support for the status quo, I also think that it's reasonable to ask for it to be toned down a bit, especially when the politics and social issues of one country are basically drowning out everything else.
All that said, I'm talking mostly about HN or other community forums here. The owner of Notepad++ has the right to put whatever they want into their software, and if we're discussing that here on HN then it's an occasion where discussing politics is valid.
I am an American and I make a very conscious effort to appreciate social and political nuances. And I go out of my way to point out nuances to others who, in my opinion, oversimplify their statements. It could be argued that the expression of stereotyping Americans as lacking nuance, itself lacks nuance. I believe really most people are similar in that we have our biases, differences in context and experiences. We can all try our best to be as nuanced as possible.
What really do Americans know about Ukraine or Taiwan? E.g. can even 1% of US population show Ukraine on the world map (without using Google Maps)? Could they do it before 2022? Before 2014? Do they know anything about Ukraine or Taiwan history? How many Americans know a single foreign language?
If tomorrow there would be a war or protests in, say, Burundi. Will Americans stay with Burundi or against it? Or with the country the media will tell them is "good" because their interests align with US interests?
I think answers to all these questions are obvious.
To be fair, lack of knowledge of other countries is hardly uniquely American. As an Irish person travelling around the non western world, there's a lot of people who don't know that Ireland is a country separate to the UK, or even that it exists.
I would say it's statistics, rather than stereotyping. I'm glad you're capable of nuance though, maybe you can teach that to some of your compatriots?
I think that the stereotype of Americans lacking nuance around political issues is valid. Obviously, like all stereotypes, it’s not 100% true but Americans seem to feel obliged to pick one side of an issue, most of the time aligned with the worth of their choice, and then to view everything that’s happening through that lens.
Try to point out to a democrat that Trump is doing something right or to a Trump voter that Biden did something right. Most of them can’t accept that. The “other” side has to be all bad. I don’t see this to such an extreme in other countries I know like Germany or Spain.
My personal take is this is a consequence of the two-party system. In the US you can "identify" as a democrat or republican. Once you do that, you don't _have_ to think, you can let tribalism guide you.
If in another country I vote for these guys or sometimes those other guys, and once this little party that got a seat, but not really those ones, and I really hate these ones, then your "political identity" already has a lot of nuance. In Australia with preferential voting, a single vote has a lot of nuance.
What can you get in America? Green Party supporters who "strategically" vote for a democrat? Not much else...
The other problem is the US has two parties: one center right (and I'm being generous with center) and another rabid right.
It has been like that since forever. They don't know how a left leaning party looks.
> to such an extreme in other countries I know like Germany
could you remind me what country is the afd based out of thnx
You do prove the extreme polarized politics. For you it is AfD vs others.
In reality it is not. It is a spectrum of parties. People vote often for smaller parties in the state and larger ones in the national.
Does the existence of an alt-right WannaBeNazi party in modern Germany preclude the existence of a spectrum of views within Germany and usher in an inability of a majority of Germans to express themselves with nuance though?
By all means make a considered and thoughtful point, please.
> the issue is with specifically US politics and social issues being everywhere. It drowns out all attempts at discourse for anything else
Unfortunately, US politics also drives tech issues elsewhere like the EU. For example, local data control is a big thing that some of us have been screaming about forever but nobody paid attention to--until US politics made it a hot button issue.
And, to be honest, if the EU would get off its ass and at least try to foster some alternatives, even those of us in the US would benefit. EU alternatives would mean that people in the US could finally vote against the megajillionaires with their wallets.
> Americans, including people here, seem uniquely incapable of nuance in their thinking when it comes to politics.
Bullets and beatings don't leave much room for nuance regardless of country.
This is a good point. What would people think if there was constant political discussion here about, for instance, South Sudan and things happening there now? I'm sure there's bad stuff going on there and it's unfortunate, but if we had constant references to and discussions about the internal politics of South Sudan, I think a lot of people would get annoyed about issues that don't affect them at all in their day-to-day lives, esp. when they're coming here for discussions about technically- and computer-related topics. That must be how it seems for American political discussions.
Do you think it's socially acceptable to ignore everything that doesn't affect you personally? Many activists would certainly have you think otherwise. As far as I can tell, fighting that habit is a huge goal of activism.
That may be a huge goal of activism, but activists do not get to control what other people want to do.
Activists wanting something is not synonymous with that thing being a good idea. It just means that someone wants something out of you; it could be good, could be very bad. No different than a sales person trying to get you to buy something.
Yes. Activists also don’t focus on all causes, not even most. They cherry pick whatever topic is hot in that moment. Sorry, I don’t care about that when I’m browsing something about software.
When I care about politics I’ll deal with actual politics. Reddit won’t change my mind nor the world.
> Do you think it's socially acceptable to ignore everything that doesn't affect you personally?
Yes, yes, and yes again.
> Many activists would certainly have you think otherwise. As far as I can tell, fighting that habit is a huge goal of activism.
That's their problem. As soon as you start contributing to them, you will not pursue your own goals, living your own life, but those imposed by activists or their supervisors.
It's convenient for them, you give them a political resource. But why do you need it?
A huge chunk of activism is pointless and annoying. Especially when every cause is lumped together into Activism (TM) and the Omnicause.
I don’t agree with them and I don’t think they should be in my software, or dealing with anything they don’t understand (for instance crime, homeless people, geopolitics, or really anything outside of overpriced vegan coffee shops). All they really do is end up getting Fox News people to vote for fascists like Trump out of spite.
> A huge chunk of activism is pointless and annoying.
Activism can be annoying, but it's never pointless (not even when it fails to be effective).
> All they really do is end up getting Fox News people to vote for fascists like Trump out of spite
It wouldn't be worthwhile for activists to resign themselves to inaction out of fear of offending the "Fox news people". "Fox news people" are already more likely than not to vote for fascists like Trump, and they'll use any excuse/justification they're being fed including "I don't like the way the wrong people are using their freedom to protest the wrong things".
People on HN are happy to talk about the internal politics of distant nations, so long as the name of the distant nation is Israel or Palestine.
best solution to this is a closing of borders and fragmentation of the internet to local regional segments. i know it sounds backwards but it seems that's where we're headed
Not wanting politics on HN need not imply support of the status quo, or even a lack of interest in politics. It can simply be a different belief about the purpose of online forums.
I read about politics all day long in many different places. My belief that HN should be relatively free of such stories is not because I believe I can detach myself from politics, but because I believe topic based forums are more valuable and useful than “anything goes” forums.
Nah, it doesn't mean they support the status quo. It just means some political tactics are pointless, incompetent, and counterproductive.
Political opinions about how things should be don't automatically dictate the actions that should be taken in support of those opinions. I can be mad about a law or a court decision and still have the good sense to, for example, not throw red paint on a lawmaker or judge.
Some behaviors just aren't helpful, and neither being right nor being upset changes that.
Maybe, but telling people who are speaking to their audience on the platforms that audience is voluntarily visiting that they need to shut up is even more pointless, incompetent, and counterproductive.
Notepad++ is free, open source software for which there are dozens of alternative packages of equivalent quality. The entire cost of using this software and benefiting from the work of the developer, is having to scroll past or close a few political opinions.
If the reaction, if someone vehemently dislikes this sort of thing, is to tell that developer to "just shut up and make your software" rather than to stop using that software? Then I think that's possibly the most entitled and hypocritical position that I think it's possible to have.
Notepad++ maintainers can do whatever they want. I don't care. I'm just taking apart this tedious, superficial, self-serving activist cliche about how not being an activist is supporting the status quo. Some people want change just as much as activists do, but they have different ideas about when and how it's helpful to be an activist.
It's ok for you to have a different opinion. I'm sure both views are well reasoned. Neither one is "wrong".
> and still have the good sense to
The good sense is your judgement. At some point a real, direct, disruptive protest is going to be the right solution for a big enough group of people. Peaceful protests are just a "we're starting to get there" signal. It's not like politicians normally say "gee, lots of people don't like how I abuse power, I guess I'll stop now". It's all about being collectively upset enough about status quo.
It intrinsically does. Whatever stance changes nothing or prefers to change nothing is a vote for the status quo, by definition.
> Whatever stance changes nothing .. is a vote for the status quo, by definition.
As problematic as the assertion "by definition" is aside, it should be noted that endlessly commenting about politics on internet forums effectively changes nothing.
I've been kettled by mounted officers and hit by high pressure hoses on cold evenings, something that also rarely effects change .. but that's at least a fun night out with people and better than wasting bits on the intertubes.
Whether it's a waste is not entirely up to you. There are plenty of people on this forum who are completely naive and live in a bubble. The chance that a comment they see here could make a lightbulb go off is non-zero.
But if I were a nihilist I might agree with you.
No, that isn't remotely true. It means that the alternative you offer isn't compelling, not that your interlocutor likes the status quo.
We're talking about the effect of non-action. To not act against a status quo is to enable it. Your feelings don't matter in that equation.
> Similar comments also come up in the [now regular] "I don't want to see political articles on HN" threads
In the context of forums, the political threads are generally /not interesting/[0]. Political threads often devolve; they bring nothing 'new' or 'fresh' to the table, and they lead absolutely nowhere. It's a fart-in-the-wind situation no matter what your position is. Leave that stuff on reddit where the rest of the farts-in-the-wind go to waste. It's like watching commentators on Fox News or CNN or <insert favorite cable TV show here>. They're a large waste of time and they're often geared towards reinforcing your side, aka echo chamber.
Now, if a thread actually evolved into real measurable action, that might actually be interesting. But that's not what happens on these forums. There's probably very few of us that see some HN thread talking about something awful happening somewhere and they take direct action, such as petitioning their government, protesting, etc. It's probably happened once or twice, but most of the farts in those threads just hang around and stink up the place.
Please stop stinking up HN.
> Asking for "no politics" is itself a strong political view
No, it explicitly is not, and this "deepity" doesn't change any rational analysis. The injection of politics into every aspect of society must and should be refused.
Fully agree, it’s akin to atheists, they very often are convinced they are not religious. Agnostics are the unreligious ones. In fact, atheists are the most fanatical zealots in my friends circle.
> One in support/service of whatever the current status quo is. Trying to set oneself apart from (or above) politics is itself political.
Apparently, it's OK to have this stance of "if you're not with us, you're against us".
It's absolutely possible to not want political discussions in various places - it doesn't mean you support one or the other side. It simply means you don't want that discussion here. You could support the incumbents or not - not wanting the discussion does not imply support for the incumbents.
Not wanting politics crammed into every nook and cranny of daily life is not a "political" view of one kind or another, it's a preference for how I want to consume information and interact with people.
There is such a thing as being able to act and think in ways that aren't political in nature. Maybe not for you, but it absolutely is possible.
Way to completely and totally miss the point. I don't actually think you could've missed the point any harder than you did.
Politics are quite literally life-or-death for many people. War is politics. Access to healthcare is politics. Economic policy that determines whether businesses and careers succeed or fail is politics. Freedom to say what you want, believe or not believe in whatever religion you want, and be who you are without being imprisoned is politics. The people who make the most noise about politics are the people who are literally dying for as long as the rest of society ignores their plight.
If this isn't the case for you, it's because you benefit from the status quo. It is the definition of privilege to be able to "ignore politics". That means you are currently benefitting from politics. Of course you don't want to hear about politics, politics are doing just fine for you. And the comment you were asking to was asking you to reflect on that: if the biggest problem gracing you is hearing other people make noise about circumstances, the least you could do is deal with it. Your problems are trivial if that is what gets you upset. Other people are complaining about things that affect the outcome of their lives and you're complaining about... having to hear it.
That you seem to believe politics exists to solve people's problems is probably the reason you feel it is so important. I'm sorry that you are so profoundly confused.
Oh, you're one of those bootstrappy libertarians, I'm taking it. Everything you've ever done is by your own two merits, right? Never mind the fact that you take society's roads and use society's technology, which are the results of politics. You drink society's water and eat society's food, which are the results of politics. You enjoy the security of not being invaded by enemy tribes nor your neighbors, which are the results of politics. "Politics" is simply a word describing how humans act in groups. Given that how we act in groups determines the entirety of our lives, there is no separating anything from politics. You seem to have taken my comment as "the government is responsible for solving people's problems", but politics are just as much about dealing with the problems it creates. When politics are going well you can ignore it; when they are going poorly they can end your life so you make a lot of noise about it to get other people to try to care. In either case, though, your life is entirely the result of political forces unless you're living in the jungle completely detached from society.
I live in a society that feeds me and rewards me for work and does a whole host of other things for me. I am grateful for all of it. Many other people are not so well served by society. This is all true. None of that has anything to do with politics.
Politics is a game. It is played with one single objective: to make sure that the people with no political power remain fighting among themselves instead of fighting those with power. If you believe some favored political faction will solve these problems you mention, then it is you who is missing the entire point.