So that’s what the second plus includes….
I would like to know starting from wich version should i be concerned. I haven’t updated in a while i think.
The timeline says the attack started in June of 2025 and continued through Dec 2, 2025. If you installed, updated, or silently updated during that period you may have been targeted / compromised.
What was the latest version before June 2025?
Every version before the previous one.
If you haven’t updated you were not vulnerable to the update hijacking.
Yikes… i guess i am confused though. What data was being sent through this channel? What did they get from people while it happened and why did it take 2 months past them stopping it to finally make a release? I love the app, but this sounds really bad.
The previous release already fixed this, or evaded the issue.
The channel was the update mechanism. Upon Notepad++ checking for updates, they were able to inject their own. So if you updated via the apps own update checker they could have misdirected you into installing something else or something modified.
From my understanding: Basically the attackers could reply to your version check request (usually done automatically) and tell N++ that there were a new version available. If you then approved the update dialogue, N++ would download and execute the binary from the update link that the server sent you. But this didn’t necessarily need to be a real update, it could have been any binary since neither the answer to the update check nor the download link were verified by N++
Thats what i was thinking, but there is no mention on if this did happen and if it did what was compromised or allowed to happen.
How would n++ devs know?
Expanding on this: the exploit was against their domain name, redirecting selected update requests away from the notepad++ servers. The software itself didn’t validate that the domain actually points to notepad++ servers, and the notepad++ update servers would not see any information that would tell them what was happening.
Likely they picked some specific developers with a known public IP, and only used this to inject those specific people with malware.
So the solution would have been an SSL certificate check on the client side.
That’s what they say they rolled out, after: “Within Notepad++ itself, WinGup (the updater) was enhanced in v8.8.9 to verify both the certificate and the signature of the downloaded installer”
Can’t tell if that would have helped
which could have allowed the malicious actors to redirect some of the traffic going to https://notepad-plus-plus.org/getDownloadUrl.php to their own servers
They could have just piped the binaries though the same server since they had this level of access. They would have had months to figure it out.
Oof, I thought it was just a DNS hijack. If they had access to the server, it’s game over regardless.
Oof. Kudos to Notepad++ for being up front with the details.
So what malware got shipped?
So should we at least uninstall our current Notepad++ and then download a new version? What else should we do, the post really doesn’t offer any advice.
Yes, that’s the safe way. Uninstall, download current version, install. That’s it.
Outside of being compromised already where you would have to notice and fix outside of notepad anyway. But that seems unlikely given the selective attack nature the hoster was able to confirm. If you’d want to cover that you would have to know and do a lot more.
In the old post from when the update was released a Heise article is linked, that contains indicators of compromise, and in turn links to Kevin Beaumont for the details of his analysis:
https://lemmy.zip/post/54712916
https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html
https://doublepulsar.com/small-numbers-of-notepad-users-reporting-security-woes-371d7a3fd2d9I would just follow their advice, download the newest version from their site directly and use the new versions installer to update manually. I would probably do the same thing when the newest version with certificate and signature verification releases, after that I would assume you should be good to go. However its probably also worth scanning your system for malware just incase you updated during the time frame the attack was live.
I don’t think you’ll need to uninstall. If I’m reading the article correctly, it looks like they plugged the hole in their update process by switching hosting providers to one that’s even more hardened and secure. So requests from the updater should go to the correct place now and not the state-sponsored hacker.
Then in about a month, the next version of notepad++ that is released will also properly validate/verify any downloaded update files from the server.
You could also just disable the checks for updates from within the application too. Or better yet, use something like winget to handle the updates instead of the built-in updater.
The article literally states that should you download the latest version from their site directly and then use the installer to update manually. Who knows if those who were effected already could have something else compromising the update/install process. I wouldnt update from the built in updater until the new fix with certificate and signature verification is released.
china isn’t a state they’re a different country and do not belong to the united mexican states.
Son unos puros sonorenses de Mexicali que se les dio por expandir el negocio y se hicieron globales
i don’t speak german. sorry. :(
Ich auch nicht aber doch!
I don’t speak cantonese, either.
There were a lot of typos in the linked announcement.
If it was important and true, they would’ve spell-checked.
