Notepad++ updater was compromised for 6 months in supply-chain attack

RuntimeFire

Smack-Fu Master, in training
98
Would love to see a breakdown of the timeline. It seems a long time to go unnoticed and even worse how they maintained access for so long after noticing.

Anyone know who the host was so I can avoid them?

Edit: Looks like it was hostinger which tracks given my history with them too...
 
Upvote
106 (106 / 0)

willdude

Ars Scholae Palatinae
762
This traffic is supposed to be over HTTPS, however it appears you may be [able] to tamper with the traffic if you sit on the ISP level and TLS intercept.

Boy I sure hope my ISP can't intercept and modify my TLS traffic!

To be honest I don't really understand this explanation of the compromise. First they're talking about the hosting provider being compromised, then they're talking about HTTP traffic being intercepted.
 
Upvote
124 (124 / 0)
No seems they were targeting specific users. Can't be sure who the users were.
Makes sense. If you can limit the compromised version to a small number of targeted users (rather than millions in the general public) it's less likely the hacked version will be detected quickly.
 
Upvote
118 (118 / 0)

Billiam29

Ars Scholae Palatinae
818
I just checked the properties of my v8.8.8 notepad++.exe. The digital signatures tab shows 'NOTEPAD++' with sha256 being signed with a GlobalSign certificate that Windows thinks is OK. However, there's also a 'Notepad++' (mixed case) entry with sha512 that appears to still be signed with a self-signed certificate.

I'm unfamiliar with having two different digital signatures with two different encryptions embedded in a binary. Does this match the status for anyone that's recently done a direct download/install of v8.8.8.8 as recommended in the article?
 
Upvote
85 (85 / 0)
Does this match the status for anyone that's recently done a direct download/install of v8.8.8.8 as recommended in the article?
The author of Notepad++ recommends downloading v8.9.1:

 
Upvote
102 (102 / 0)
I'm attempting to research this on my own, to no avail so far, but does anyone have input on whether those of us who were using ninite.com to update notepad++ would have been affected by this?
Then you are not affected. Only those who used the built-in update mechanism are at risk. So millions of people, at least in theory.
 
Upvote
34 (34 / 0)
Upvote
25 (25 / 0)

jg2

Seniorius Lurkius
43
The hosting provider knew about the breach in September but didn't rotate & revoke secrets until December? I guess I can see why they're the ex-provider.
No, in the blog post it states that the hosting provider ran routine kernel/system updates in September which removed the exploit being used. They weren’t aware of the hack or credentials until the NPP developer contacted them in December.
 
Upvote
77 (77 / 0)

RuntimeFire

Smack-Fu Master, in training
98
I'm attempting to research this on my own, to no avail so far, but does anyone have input on whether those of us who were using ninite.com to update notepad++ would have been affected by this?
Seems Ninite Pro allows disabling the built-in updaters as a feature, so presumably the free version still uses the built-in updater and is vulnerable if you are a potential target.

Edit: seems like only a few programs can have their auto update mechanism disabled;
https://ninite.com/help/features/disableautoupdate.html

So unless I'm missing something, Ninite Pro or not, you're using the Notepad++ updater and thus were at risk if you were a target.
 
Upvote
9 (9 / 0)

adespoton

Ars Legatus Legionis
10,709
Any word on who the targeted users may have been?
And how were the targeted users discovered? I ask, because it's fully possible that there were many other targeted users that have never realized they were compromised, unless we have some way of knowing which users' updates got intercepted.
 
Upvote
36 (36 / 0)

RuntimeFire

Smack-Fu Master, in training
98
And how were the targeted users discovered? I ask, because it's fully possible that there were many other targeted users that have never realized they were compromised, unless we have some way of knowing which users' updates got intercepted.
https://doublepulsar.com/small-numbers-of-notepad-users-reporting-security-woes-371d7a3fd2d9
There's a list of what to watch out for by the guy who was told about it.
Gist of it seems to be making sure gup.exe only contacted the official domains and github, and that it didn't spawn any processes.
 
Upvote
25 (25 / 0)
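The two checks that post boils down to (gup.exe only talking to the official domains and GitHub, and never spawning a child process) written out as a small triage script. This is an added example, not code from the thread, from the DoublePulsar post, or from the Notepad++ project; the Sysmon-style event fields, the allowlisted domains and the sample events are all assumptions constructed for illustration.

```python
import json

# Assumed allowlist for the updater: the official site plus GitHub (release
# assets are served from githubusercontent.com). Check your own proxy logs
# for what a clean gup.exe run actually contacts before relying on this.
ALLOWED_SUFFIXES = ("notepad-plus-plus.org", "github.com", "githubusercontent.com")

def host_allowed(host):
    """True if host is an allowlisted domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)

def is_gup(image):
    """Match the updater by basename regardless of install path or case."""
    return image.lower().replace("/", "\\").rsplit("\\", 1)[-1] == "gup.exe"

def audit_gup(lines):
    """Scan Sysmon-style JSON events (one per line) for gup.exe connecting
    anywhere unexpected (Event ID 3) or spawning a process (Event ID 1)."""
    findings = []
    for raw in lines:
        if not raw.strip():
            continue
        ev = json.loads(raw)
        eid = ev.get("EventID")
        if eid == 3 and is_gup(ev.get("Image", "")):
            # No resolved hostname means the bare IP is checked instead; it
            # will not match the allowlist and so gets flagged for review.
            host = ev.get("DestinationHostname") or ev.get("DestinationIp", "")
            if not host_allowed(host):
                findings.append(("gup_unexpected_destination", host))
        elif eid == 1 and is_gup(ev.get("ParentImage", "")):
            findings.append(("gup_spawned_process", ev.get("Image", "")))
    return findings

# Constructed sample events; the first two are normal updater behaviour.
GUP = "C:\\Program Files\\Notepad++\\updater\\GUP.exe"
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": GUP, "DestinationHostname": "notepad-plus-plus.org"},
    {"EventID": 3, "Image": GUP, "DestinationHostname": "objects.githubusercontent.com"},
    {"EventID": 3, "Image": GUP, "DestinationHostname": "update.example.invalid"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": GUP},
    {"EventID": 1, "Image": "C:\\Program Files\\Notepad++\\notepad++.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

def demo():
    """Run the audit over the constructed sample; returns the two findings."""
    return audit_gup(SAMPLE_LINES)
```

Feeding it real Sysmon exports (Event IDs 1 and 3 as JSON lines) gives a quick first pass; a hit on either check is a reason to pull the host for a closer look, not proof of compromise on its own.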

Kenjitsuka

Ars Scholae Palatinae
1,218
Beaumont also warned that search engines are so “rammed full” of advertisements pushing trojanized versions of Notepad++ that many users are unwittingly running them inside their networks.
Funnily the exact reason why I've had the page open for months now, but not downloaded it yet... Didn't know how to make 100% sure this was the real deal or not! :(
 
Upvote
7 (8 / -1)

Chito

Ars Praefectus
4,081
Subscriptor++
I just checked the properties of my v8.8.8 notepad++.exe. The digital signatures tab shows 'NOTEPAD++' with sha256 being signed with a GlobalSign certificate that Windows thinks is OK. However, there's also a 'Notepad++' (mixed case) entry with sha512 that appears to still be signed with a self-signed certificate.

I'm unfamiliar with having two different digital signatures with two different encryptions embedded in a binary. Does this match the status for anyone that's recently done a direct download/install of v8.8.8.8 as recommended in the article?
I may be misremembering the details, and I can't look it up at the moment, but I recall there being a shift from a globalsign to a selfsigned cert at some point; something about the author wanting an org cert vs a personal one or something and MS not allowing org held certs? You might find the details on their forums somewhere; last time I installed it (Octoberish 😅) I did some research as I wasn't getting a high-confidence result from the install popup. I've since wiped that PC...
 
Upvote
10 (11 / -1)

Nelendo

Seniorius Lurkius
23
Subscriptor++
Seems Ninite Pro allows disabling the built-in updaters as a feature, so presumably the free version still uses the built-in updater and is vulnerable if you are a potential target.

Edit: seems like only a few programs can have their auto update mechanism disabled;
https://ninite.com/help/features/disableautoupdate.html

So unless I'm missing something, Ninite Pro or not, you're using the Notepad++ updater and thus were at risk if you were a target.
In my case, I did not "disable" the auto updater, but I never used it. If I saw it prompt for an update, I would close n++ and run ninite. So, as far as I know, it never actually downloaded anything. I'm not using ninite pro, I just keep a few ninite updaters lying around and run them as needed. I think I'm safe.
 
Upvote
8 (8 / 0)

Anonymous Chicken

Ars Tribunus Militum
1,925
Subscriptor
I see the two posts who mentioned not updating npp got downvoted, but seriously, do we need to auto-update text editors? Seems to me that it is naive to assume that constantly sucking down something new from the internet is an inevitable win, just the obviously sensible behavior.

(Or, maybe everyone else just gets really excited by the latest new text editor features?)
 
Upvote
48 (57 / -9)

VideoGameTech

Ars Tribunus Militum
2,092
Subscriptor
Beaumont also warned that search engines are so “rammed full” of advertisements pushing trojanized versions of Notepad++ that many users are unwittingly running them inside their networks.
Proof positive: I just searched for "Notepad++" and the second result says "Notepad++ Official Website..." but the domain is .com.cn. :\
 
Upvote
70 (71 / -1)

Billiam29

Ars Scholae Palatinae
818
I'm not affected because I'm a lazy bastard and I've ignored the prompt to update for years!
One of my personal symptoms of lazy bastard syndrome is that I still to this day haven't bothered to research and figure out what I need to do on a Windows machine to verify GPG signatures on downloads. That kind of seemed relevant going to grab 8.9.1 from the web site after reading these comments. Thankfully(?) the sha256 hashes can be found on the Github repo. Nowhere near as secure, of course, but it's what I know how to check.
 
Upvote
20 (20 / 0)

SubWoofer2

Ars Tribunus Militum
2,592
but seriously, do we need to auto-update text editors? Seems to me that it is naive to assume that constantly sucking down something new from the internet is an inevitable win, just the obviously sensible behavior.

(Or, maybe everyone else just gets really excited by the latest new text editor features?)
What does an update do? To the non-tech user:
  • it fixes invisible stuff that is filed under "magic happens" and stops naughty magic happening
  • it adds new things that range from crap to cruft to "I needed that" and so is often a journey on the enshittification pathway with occasional serendipity, like playing a slot machine
  • it adds excuses to monetise.

For small software that is loaf-of-bread "it ain't broke so don't fix it" the answer is often #s 2 and 3. So why would you want to update (the unsavvy user asks)?

You wouldn't believe the pain I have felt, trying to apply the original Snipping Tool to bind to Windows 11. My key workflows are stuffed. A great tool lies writhing dying in the dust. And I use Notepad.
 
Upvote
4 (13 / -9)

Marlor_AU

Ars Tribunus Angusticlavius
7,706
Subscriptor
F*** that will get it banned at my company
Most larger companies would manage software installs using Configuration Manager / Software Center (i.e. what was formerly called SCCM). This means they wouldn't be vulnerable to an auto-updater based attack, which could perhaps help mitigate concerns about this vulnerability.

That said, there seem to be several layers of issues here (at least prior to 8.8.8), so I'd imagine most cybersecurity departments will be keeping a close eye on Notepad++ in the immediate future.
 
Upvote
18 (18 / 0)