FRESH

Hacker News

Home

Notepad++ supply chain attack breakdown

371 points by natebc

by Soerensen

2 subcomments

The WinGUp updater compromise is a textbook example of why update mechanisms are such high-value targets. Attackers get code execution on machines that specifically trust the update channel.
What's concerning is the 6-month window. Supply chain attacks are difficult to detect because the malicious code runs with full user permissions from a "trusted" source. Most endpoint protection isn't designed to flag software from a legitimate publisher's update infrastructure.
For organizations, this argues for staged rollouts and network monitoring for unexpected outbound connections from common applications. For individuals, package managers with cryptographic verification at least add another barrier - though obviously not bulletproof either.

by benterix

0 subcomment

I use Notepad++ as a Notepad replacement. I never understood why the network connectivity is enabled by default at all. The first thing I did was to disable it as the constant nagging interrupted my flow (VS Code would do the same thing BTW). I currently have a version from 2020 I'm very happy with.
If one day, maybe in 10 or 20 years time, I feel Notepad++ lacks something and I decide to upgrade, I will do it myself, I don't need a handy helper.

by ashishb

4 subcomments

I am running a lot of tools inside sandbox now for exactly this reason. The damage is confined to the directory I'm running that tool in.
There is no reason for a tool to implicitly access my mounted cloud drive directory and browser cookies data.

by pjmlp

2 subcomments

Notepad++ is one of my favourite editors, now it is forbidden by IT and checked for on security compliance checks if still installed, thanks to this attack.

by the_harpia_io

2 subcomments

This attack highlights a broader pattern: developers and users increasingly trust code they haven't personally reviewed.
Supply chain attacks work because we implicitly trust the update channel. But the same trust assumption appears in other places:
- npm/pip packages where we `npm install` without auditing - AI-generated code that gets committed after a quick glance - The growing "vibe coding" trend where entire features are scaffolded by AI
The Notepad++ case is almost a best-case scenario — it's a single binary from a known source. The attack surface multiplies when you consider modern dev workflows with hundreds of transitive dependencies, or projects where significant portions were AI-generated and only superficially reviewed.
Sandboxing helps, but the real issue is the gap between what code can do and what developers expect it to do. We need better tooling for understanding what we're actually running.

by yodon

2 subcomments

Is there a "detect infection and clean it up" app from a reputable source yet (beyond the "version 8.8.8 is bad" designator)?

by indigodaddy

2 subcomments

So if one were theoretically infected right now, would a Malwarebytes scan indicate as such?

by Someone1234

2 subcomments

I'm out of the loop: How did they bypass Notepad++'s digital signatures? I just downloaded it to double-check, and the installer is signed with a valid code-signing certificate.

by fjnrnfjfn

0 subcomment

The Notepad++ auto updater was quit bad
* Enabled by default * No use of verification of the either the update metadata nor the update payload itself
Looks like someone wanted to write an auto updater without having the knowledge to do so properly
Very sad

by troad

8 subcomments

It now seems to be best practice to simultaneously keep things updated (to avoid newly discovered vulnerabilities), but also not update them too much (to avoid supply chain attacks). Honestly not sure how I'm meant to action those at the same time.

by nightshift1

0 subcomment

Other source: https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-...

by stanfordkid

0 subcomment

Shouldn't public signature of the hash of the exe file from a known key before execution fix this??? What am I missing?

by Willish42

2 subcomments

> cmd /c "whoami&&tasklist&&systeminfo&&netstat -ano" > a.txt
Naive question, but isn't this relatively safe information to expose for this level of attack? I guess the idea is to find systems vulnerable to 0-day exploits and similar based on this info? Still, that seems like a lot of effort just to get this data.

by Erlangen

1 subcomments

> Notably, the first scan of this URL on the VirusTotal platform occurred in late September, by a user from Taiwan.
Could this be the attacker? The scan happened before the hack was first exposed on the forum.

by porise

0 subcomment

I guess package managers win in the end. I got two emails from my IT department in the last year telling me to immediately update it.

by ChrisArchitect

0 subcomment

Related:
Notepad++ hijacked by state-sponsored actors
https://news.ycombinator.com/item?id=46851548

by tonymet

0 subcomment

I noticed I had version 8.9 on Dec 28, 2025 and it seems clean according to
https://arstechnica.com/security/2026/02/notepad-updater-was...
I recommend removing notepad++ and installing via winget which installs the EXE directly without the winGUP updater service.
Here's an AI summary explaining who is affected.
Affected Versions: All versions of Notepad++ released prior to version 8.8.9 are considered potentially affected if an update was initiated during the compromise window.
Compromise Window: Between June 2025 and December 2, 2025.
Specific Risk: Users running older versions that utilized the WinGUp update tool were vulnerable to being redirected to malicious servers. These servers delivered trojanized installers containing a custom backdoor dubbed Chrysalis.

by gethly

0 subcomment

I just checked, I'm on version 8.8.8. With TinyWall firewall, it has no access to the internet without my explicit say so. This is why constantly trying to be on the bleeding edge of last updates will more likely bite you in the ass than leave your system/program open to attack with some unpatched vulnerability. Look at Windows 11 updates lately. I bet most users would be gladly behind with their updates right now.

by iJohnDoe

0 subcomment

FTA - The original person posting about the unusual behavior was truly helpful.
https://community.notepad-plus-plus.org/topic/27212/autoupda...
Thankfully the responses weren’t outright dismissive, which is usually the case in these situations.
It was thought to be a local compromise and nothing to do Notepad++.
Good lessons to be learned here. Don’t be quick to dismiss things simply because it doesn’t fit what you think should be happening. That’s the whole point. It doesn’t fit, so investigate why.
Most tech support aims to prove the person wrong right out the gate.

by anonnon

0 subcomment

This is the nudge I needed to stop using VSCodium completely. (No offense to its devs, mind you, who seem to much better have their act together.)

by Panzerschrek

1 subcomments

Why a simple text editor requires auto-updates at all?

by bluenose69

5 subcomments

The article starts out by saying that Notepad++ "is a text editor popular among developers". Really?