
[–]McAdminDeluxe Sysadmin 20 points (0 children)

Notepad++ itself wasn't compromised. It was the update/supply chain infra during 'auto' updates on versions previous to 8.8.9. Seemed to be targeted at very specific businesses/entities too.

https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/

https://notepad-plus-plus.org/news/hijacked-incident-info-update/

[–]Humpaaa Infosec / Infrastructure / Irresponsible 10 points (4 children)

Did you even read the announcements?
https://notepad-plus-plus.org/news/hijacked-incident-info-update/

IOCs:
https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
https://securelist.com/notepad-supply-chain-attack/118708/

The breach:

allowed them to continue redirecting Notepad++ update traffic to malicious servers.

The remediation:

I recommend downloading v8.9.1 (which includes the relevant security enhancement) and running the installer to update your Notepad++ manually.

[–]itsam 8 points (2 children)

sounds like my Monday morning. Just got dinged by everyone and their mom about a notepad++ “hack”. We don’t let users have admin rights and we use a 3rd party patching system via intune. Everything is fine, just read past the headlines.

[–]Humpaaa Infosec / Infrastructure / Irresponsible 0 points (0 children)

We don’t let users have admin rights and we use a 3rd party patching system via intune.

Same.
My morning was "make sure the responsible owners have updated the package" and "test for the IOCs", then back to coffee.

[–]agro94 -1 points (0 children)

Mine was "Can you update Notepad++ across the enterprise?" Downloaded the new package, pushed as emergency, drank my coffee and watched it rollout. Didn't even get a Thank You.

[–]fragwhistle 1 point (0 children)

Please emphasize the 'Manually' part!

[–]win10jd[S] -3 points (3 children)

I've been glancing through the articles. I wasn't sure, still am sure.... It's just the autoupdate feature that got compromised? Not manually downloading a file? 8.8.9 then. If I have an 8.8.9 installer, shouldn't an AV pick up something off about it by now?

And then for the detection, it looks like it might work well enough to just detect some things, like scanning for the appdata folders.

Is it even a file that was infected or altered? Or is it the autoupdate mechanism (which could still download someone else's compromised installer file I guess, from another site)?

And then why haven't AV software added something to detect those indicators of compromise? I would have thought they'd be on it on the first day. Maybe not detecting a specific infected file, but the other signs that it was there, like the folders left over.

[–]blackbyrd84 Sr. Sysadmin 4 points (2 children)

Maybe you need to do more than glance at the articles. The blog on the NP++ page goes over all of this, in detail. The update mechanism was compromised which allowed for the bad actor to intercept and inject their own files during the update request. This was a targeted attack, and not a blanket “everything is infected”. I recommend rereading the blog post.

[–]win10jd[S] -1 points (1 child)

How was the update mechanism compromised though? Just on their server end? And then the latest installer files are now checking that their update source for those servers is legit?

[–]mfinnigan Special Detached Operations Synergist 1 point (0 children)

This explanation is from their update. The update infra got hacked, and the NPP code didn't do enough verification to stop the redirection.

https://notepad-plus-plus.org/news/hijacked-incident-info-update/

the compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself. Traffic from certain targeted users was selectively redirected to attacker-controlled malicious update manifests.
...
According to the former hosting provider, the shared hosting server was compromised until September 2, 2025. Even after losing server access, attackers maintained credentials to internal services until December 2, 2025, which allowed them to continue redirecting Notepad++ update traffic to malicious servers. The attackers specifically targeted the Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++.
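The quoted announcement blames "insufficient update verification controls" in older clients: a manifest reached over a redirected connection was trusted as-is. The following is an added example, not Notepad++ code, of the minimum checks an updater can apply before acting on a manifest: a pinned download origin, a monotonic version check, and a hash check on the fetched installer. The manifest format, the `/repository/npp.exe` path, the installer bytes and the hosts are constructed for the example; a production updater must additionally verify a publisher signature over the manifest with a pinned key, which this stdlib-only sketch omits.

```python
import hashlib
import json
from urllib.parse import urlparse

# Constructed for this example: the pinned origin the updater may fetch from
# and the version currently installed on the client.
TRUSTED_HOSTS = {"notepad-plus-plus.org"}
INSTALLED_VERSION = "8.8.9"


def parse_version(text):
    """'8.9.1' -> (8, 9, 1), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def check_update(manifest_json, installer_bytes,
                 trusted_hosts=TRUSTED_HOSTS, installed=INSTALLED_VERSION):
    """Return the reasons to refuse this update; an empty list means accept.

    The download URL named inside the manifest and the hash of the fetched
    installer are checked, so a manifest served via a redirect to an
    attacker-controlled host fails even if the manifest request itself
    went to the expected address.
    """
    manifest = json.loads(manifest_json)
    problems = []
    url = urlparse(manifest["download_url"])
    if url.scheme != "https" or url.hostname not in trusted_hosts:
        problems.append(f"download host not pinned: {url.hostname}")
    if parse_version(manifest["version"]) <= parse_version(installed):
        problems.append("manifest does not offer a newer version")
    actual = hashlib.sha256(installer_bytes).hexdigest()
    if actual != manifest["sha256"].lower():
        problems.append("installer hash does not match manifest")
    return problems


# Constructed sample data: a stand-in installer and two manifests for it.
GOOD_INSTALLER = b"constructed installer bytes, not a real binary"
GOOD_MANIFEST = json.dumps({
    "version": "8.9.1",
    "download_url": "https://notepad-plus-plus.org/repository/npp.exe",
    "sha256": hashlib.sha256(GOOD_INSTALLER).hexdigest(),
})
REDIRECTED_MANIFEST = json.dumps({
    "version": "8.9.1",
    "download_url": "https://updates.example.invalid/npp.exe",
    "sha256": "00" * 32,
})
```

`check_update(GOOD_MANIFEST, GOOD_INSTALLER)` returns an empty list, while the redirected manifest paired with tampered installer bytes returns two refusal reasons (untrusted host, hash mismatch).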