Notepad++ supply chain attack breakdown (securelist.com)
144 points by natebc 2 hours ago
Soerensen an hour ago
The WinGUp updater compromise is a textbook example of why update mechanisms are such high-value targets. Attackers get code execution on machines that specifically trust the update channel.
What's concerning is the 6-month window. Supply chain attacks are difficult to detect because the malicious code runs with full user permissions from a "trusted" source. Most endpoint protection isn't designed to flag software from a legitimate publisher's update infrastructure.
For organizations, this argues for staged rollouts and network monitoring for unexpected outbound connections from common applications. For individuals, package managers with cryptographic verification at least add another barrier - though obviously not bulletproof either.
yodon 3 minutes ago
Is there a "detect infection and clean it up" app from a reputable source yet (beyond the "version 8.8.8 is bad" designator)?
ashishb an hour ago
I am running a lot of tools inside sandbox now for exactly this reason. The damage is confined to the directory I'm running that tool in.
There is no reason for a tool to implicitly access my mounted cloud drive directory and browser cookies data.
troad an hour ago
MacOS has been getting a lot of flak recently for (correct) UI reasons, but I honestly feel like they're the closest to the money with granular app permissions.
Linux people are very resistant to this, but the future is going to be sandboxed iOS style apps. Not because OS vendors want to control what apps do, but because users do. If the FOSS community continues to ignore proper security sandboxing and distribution of end user applications, then it will just end up entirely centralised in one of the big tech companies, as it already is on iOS and macOS by Apple.
black_knight an hour ago
I think we could get a lot further if we implement proper capability based security. Meaning that the authority to perform actions follows the objects around. I think that is how we get powerful tools and freedom, but still address the security issues and actually achieve the principle of least privilege.
For FreeBSD there is capsicum, but it seems a bit inflexible to me. Would love to see more experiments on Linux and the BSDs for this.
h4x0rr 16 minutes ago
ashishb an hour ago
It also has persistent permissions.
Think about it from a real world perspective.
I knock on your door. You invite me to sit with you in your living room. I can't easily sneak into your bed room. Further, your temporary access ends as soon as you exit my house.
The same should happen with apps.
When I run 'notepad dir1/file1.txt', the package should not sneakily be able to access dir2. Further, as soon as I exit the process, the permission to access dir1 should end as well.
lifeisgood99 27 minutes ago
symaxian an hour ago
Sand-boxing such as in Snap and Flatpak?
troad an hour ago
nextos an hour ago
jacobgkau an hour ago
> getting a lot of slack recently
I think you mean a lot of flak? Slack would kind of be the opposite.
troad an hour ago
its_magic an hour ago
I'm sure that will contribute to the illusion of security, but in reality the system is thoroughly backdoored on every level from the CPU on up, and everyone knows it.
There is no such thing as computer security, in general, at this point in history.
ashishb an hour ago
rectang an hour ago
taftster an hour ago
I almost feel like this should just be the default action for all applications. I don't need them to escape out of a defined root. It's almost like your documents and application are effectively locked together. You have to give permissions for an app to extra data from outside of the sandbox.
Linux has this capability, of course. And it seems like MacOS prompts me a lot for "such and such application wants to access this or that". But I think it could be a lot more fine-grained, personally.
josephg an hour ago
I've been arguing for this for years. There's no reason every random binary should have unfettered, invisible access to everything on my computer as if it were me.
iOS and Android both implement these security policies correctly. Why can't desktop operating systems?
giobox an hour ago
marky1991 an hour ago
IcyWindows 19 minutes ago
Someone1234 an hour ago
I'm out of the loop: How did they bypass Notepad++'s digital signatures? I just downloaded it to double-check, and the installer is signed with a valid code-signing certificate.
Avicebron an hour ago
gruez an hour ago
The updater doesn't check the certificate of the updated installer, it just executes whatever.
Erlangen an hour ago
> Notably, the first scan of this URL on the VirusTotal platform occurred in late September, by a user from Taiwan.
Could this be the attacker? The scan happened before the hack was first exposed on the forum.
gruez an hour ago
You would be a dumbass to do that, because virustotal allows security researchers to see submitted samples/urls. The last thing you want to do is to draw attention to your C&C server.
Willish42 an hour ago
> cmd /c "whoami&&tasklist&&systeminfo&&netstat -ano" > a.txt
Naive question, but isn't this relatively safe information to expose for this level of attack? I guess the idea is to find systems vulnerable to 0-day exploits and similar based on this info? Still, that seems like a lot of effort just to get this data.
gruez an hour ago
>I guess the idea is to find systems vulnerable to 0-day exploits and similar based on this info?
You don't need 0days when you already have RCE on an unsandboxed system.
thatfunkymunki an hour ago
it's not "just to get that data", it's to confirm level of access, check for potential other exploiters or security software, identify the machine you have access to, identify what the machine has network connectivity to, etc. The attacker then maintains the c2 channel and can then perform their actual objective with the help of the data they have obtained.
troad 2 hours ago
It now seems to be best practice to simultaneously keep things updated (to avoid newly discovered vulnerabilities), but also not update them too much (to avoid supply chain attacks). Honestly not sure how I'm meant to action those at the same time.
Marsymars 41 minutes ago
The easiest way to action as a user seems like it would be to use local package managers that includes something like Dependabot's cooldown config. I'm not aware of any local package managers that do something like this?
https://docs.github.com/en/code-security/reference/supply-ch...
gruez an hour ago
You basically need to make a trade-off between 0days and supply chain attacks. Browsers, office suite, media players, archivers, and other programs that are connected to the internet and are handling complex file formats? Update regularly, or at least keep an eye out for CVEs. A text editor, or any other program that doesn't deal with risky data? You're probably fine with auto update turned off
_carbyau_ an hour ago
I imagine that it depends on the use case.
Using notepad++ (or whatever other program) in a manner that deals with internet content a lot - then updating is the thing.
Using these tools in a trusted space (local files/network only) : then don't update unless it needs to be different to do what you want.
For many people, something in between because new files/network-tech comes and goes from the internet. So, update occasionally...
gruez an hour ago
>Using notepad++ (or whatever other program) in a manner that deals with internet content a lot - then updating is the thing.
Disagree. It's hard to screw up a text editor so much that you have buffer overflows 10 years after it's released, so it's probably safe. It's not impossible, but based on a quick search (though incomplete because google is filled with articles describing this incident) it doesn't look like there were any vulnerabilities that could be exploited by arbitrary input files. The most was some dubious vulnerability around being able to plant plugins.
taftster an hour ago
In the early days, updates quite often made systems less stable, by a demonstrable margin. My dad once turned off all updates on his Windows machine, with the ensuing peril that you can imagine.
Sadly, it feels like Microsoft updates lately have trended back towards being unreliable and even user hostile. It's messed up if you update and can't boot your machine afterwards, but here we are. People are going to turn off automatic updates again.
TingPing an hour ago
I feel like supply chain attacks are the much rarer situation than real world exploits but I don’t have numbers.
krater23 an hour ago
Supply chain attacks have impact on more systems, so it's more likely that your system is one of it. Opening a poisoned textfile that contains a exploit that attacks your text editor and fits exactly to your version is a rare event compared to automatically contacting a server to ask for a executable to execute without asking you.
GauntletWizard an hour ago
Unless there's an announcement of a zero day, update a month after each new release. Keeps you on a recent version while giving security systems and researchers time to detect threats.
worksonmine an hour ago
Debian stable. If you need something to be on the bleeding edge install it from backports or build from source. But keep most of your system boring and stable. It has worked fine for me for years.
krater23 an hour ago
As long as you do regulary updates of your debian stable, you are not secured against supply chain attacks.
worksonmine an hour ago
porise an hour ago
I guess package managers win in the end. I got two emails from my IT department in the last year telling me to immediately update it.
tonymet an hour ago
I noticed I had version 8.9 on Dec 28, 2025 and it seems clean according to
https://arstechnica.com/security/2026/02/notepad-updater-was...
I recommend removing notepad++ and installing via winget which installs the EXE directly without the winGUP updater service.
Here's an AI summary explaining who is affected.
Affected Versions: All versions of Notepad++ released prior to version 8.8.9 are considered potentially affected if an update was initiated during the compromise window.
Compromise Window: Between June 2025 and December 2, 2025.
Specific Risk: Users running older versions that utilized the WinGUp update tool were vulnerable to being redirected to malicious servers. These servers delivered trojanized installers containing a custom backdoor dubbed Chrysalis.
bluenose69 an hour ago
The article starts out by saying that Notepad++ "is a text editor popular among developers". Really?
TingPing an hour ago
Literally yes: https://survey.stackoverflow.co/2025/
da_chicken an hour ago
This might be a better link: https://survey.stackoverflow.co/2025/technology#1-dev-id-es
It's listed as the third most popular IDE after Visual Studio Code and Visual Studio by respondents to Stack Overflow's annual survey. Interestingly, it's higher among professionals than learners. Maybe that's because learners are going to be using some of those newer AI-adjacent editors, or because learners are less likely to be using Windows at all.
I'm sure people will leap to the defense of their chosen text editor, like they always do. "Oh, they separated vim and Neovim! Those are basically the same! I can combine those, really, to get a better score!" But I think a better takeaway is that it's incredible that Notepad++, an open source application exclusive to Windows that has had, basically, a single developer over the course of 22 years, has managed to reach such a widespread audience. Especially when Scintilla's other related editors (SciTE, EditPlus) essentially don't rate.
gruez 37 minutes ago
billforsternz 24 minutes ago
I enjoy coding something new up in Notepad++, without any annoying autocomplete and jank. I call it unplugged (acoustic?) mode. Jeepers Visual Studio these days starts autocompleting if and while for example and sometimes doesn't respect normal keystrokes because it expects me to complete these kind of interactions instead.
kotaKat an hour ago
First three things I install on any machine - 7zip, Notepad++, alternate browser.
kbelder 32 minutes ago
Same, but additionally Irfanview. And once upon a time, Media Player Classic used to be on that list.
This train of thought made me go find https://www.oldversion.com/. For a while, that was invaluable.
LostMyWords an hour ago
Yes, but I start with the browser. What are the Notepad++ alternatives on Linux and MacOS, for those times when I have to use them?
dizhn 34 minutes ago
paffdragon 7 minutes ago
GuinansEyebrows an hour ago
maxpert an hour ago
LOL I guess the editors using Notepad++ downvoted you :P